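/*
 * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/pkcs12.h>
#include "p12_local.h"

static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
                          PKCS12_SAFEBAG *bag);

/*
 * Copy the attribute identified by |nid| from |pkey| onto |bag|, if |pkey|
 * carries one.  A key that has no such attribute is not an error.
 *
 * Returns 1 on success (including "nothing to copy") and 0 if the attribute
 * could not be added to the bag.  |pkey| keeps its own copy (add1).
 */
static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
{
    int idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
    X509_ATTRIBUTE *attr;

    if (idx < 0)
        return 1;
    attr = EVP_PKEY_get_attr(pkey, idx);
    if (!X509at_add1_attr(&bag->attrib, attr))
        return 0;
    return 1;
}

/*
 * Build a PKCS#12 structure from a private key, its certificate and/or a
 * set of additional certificates.
 *
 * pass      password used for the PBE of the key and certificate safes and
 *           for the MAC.
 * name      optional friendlyName attached to the key bag and the cert bag.
 * pkey      optional private key; when |cert| is also given they must match.
 * cert      optional end-entity certificate.
 * ca        optional further certificates, each added as a plain cert bag.
 * nid_key   PBE algorithm for the key bag; 0 selects the default and -1
 *           stores the key as an unencrypted PKCS#8 bag.
 * nid_cert  PBE algorithm for the certificate safe; 0 selects the default
 *           and -1 packs the certificates as unencrypted data.
 * iter      PBE iteration count; 0 selects PKCS12_DEFAULT_ITER.
 * mac_iter  MAC iteration count; 0 selects 1 and -1 omits the MAC entirely.
 * keytype   key usage recorded in the PKCS#8 structure; 0 records none.
 *
 * At least one of |pkey|, |cert| and |ca| must be non-NULL.  Returns the
 * new PKCS12 or NULL on error; on error nothing allocated here is leaked.
 */
PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey,
                      X509 *cert, STACK_OF(X509) *ca, int nid_key,
                      int nid_cert, int iter, int mac_iter, int keytype)
{
    PKCS12 *p12 = NULL;
    STACK_OF(PKCS7) *safes = NULL;
    STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
    PKCS12_SAFEBAG *bag = NULL;
    int i;
    unsigned char keyid[EVP_MAX_MD_SIZE];
    unsigned int keyidlen = 0;

    /* Set defaults */
    if (!nid_cert) {
#ifdef OPENSSL_NO_RC2
        nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
#else
        nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
#endif
    }
    if (!nid_key)
        nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    if (!iter)
        iter = PKCS12_DEFAULT_ITER;
    if (!mac_iter)
        mac_iter = 1;

    if (!pkey && !cert && !ca) {
        PKCS12err(PKCS12_F_PKCS12_CREATE, PKCS12_R_INVALID_NULL_ARGUMENT);
        return NULL;
    }

    if (pkey && cert) {
        if (!X509_check_private_key(cert, pkey))
            return NULL;
        /*
         * The certificate digest is used as the localKeyID that ties the
         * key bag and the cert bag together.
         */
        if (!X509_digest(cert, EVP_sha1(), keyid, &keyidlen))
            return NULL;
    }

    if (cert) {
        /*
         * A failed PKCS12_add_cert() must be treated as an error: |bag|
         * would be NULL (dereferenced below when |name| or |keyidlen| is
         * set) and the certificate would silently be missing from the
         * output otherwise.
         */
        if ((bag = PKCS12_add_cert(&bags, cert)) == NULL)
            goto err;
        if (name && !PKCS12_add_friendlyname(bag, name, -1))
            goto err;
        if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
            goto err;
    }

    /* Add all other certificates */
    for (i = 0; i < sk_X509_num(ca); i++) {
        if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
            goto err;
    }

    /* All certificates share one safe, encrypted with |nid_cert| */
    if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
        goto err;

    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    bags = NULL;

    if (pkey) {
        bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
        if (!bag)
            goto err;

        /* Carry the MS CSP name and LocalKeySet attributes over from the key */
        if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
            goto err;
        if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
            goto err;

        if (name && !PKCS12_add_friendlyname(bag, name, -1))
            goto err;
        if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
            goto err;
    }

    /*
     * The key bag itself is already PKCS#8-shrouded (unless nid_key == -1),
     * so its safe is packed as plain data rather than encrypted a second
     * time.
     */
    if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
        goto err;

    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    bags = NULL;

    if ((p12 = PKCS12_add_safes(safes, 0)) == NULL)
        goto err;

    /* |safes| has been encoded into |p12|; the stack is no longer needed */
    sk_PKCS7_pop_free(safes, PKCS7_free);
    safes = NULL;

    if ((mac_iter != -1)
        && !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
        goto err;

    return p12;

 err:
    PKCS12_free(p12);
    sk_PKCS7_pop_free(safes, PKCS7_free);
    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    return NULL;
}

/*
 * Create a certBag for |cert| and append it to |*pbags|, creating the stack
 * when |*pbags| is NULL.  The certificate's own alias and keyid, if set,
 * are copied into the bag as friendlyName and localKeyID.
 *
 * Returns the new bag, which is owned by |*pbags| (or by the caller when
 * |pbags| itself is NULL), or NULL on error.
 */
PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
{
    PKCS12_SAFEBAG *bag = NULL;
    char *name;
    int namelen = -1;
    unsigned char *keyid;
    int keyidlen = -1;

    /* Add user certificate */
    if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
        goto err;

    /*
     * Use friendlyName and localKeyID in certificate (if present).
     */
    name = (char *)X509_alias_get0(cert, &namelen);
    if (name && !PKCS12_add_friendlyname(bag, name, namelen))
        goto err;

    keyid = X509_keyid_get0(cert, &keyidlen);
    if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
        goto err;

    if (!pkcs12_add_bag(pbags, bag))
        goto err;

    return bag;

 err:
    PKCS12_SAFEBAG_free(bag);
    return NULL;
}

/*
 * Wrap |key| in a PKCS#8 structure, optionally tag it with |key_usage|, and
 * append it to |*pbags| as a key bag.  With |nid_key| == -1 the bag holds
 * the PKCS#8 structure unencrypted; otherwise it is shrouded with the PBE
 * algorithm |nid_key|, |pass| and |iter|.
 *
 * Returns the new bag, owned by |*pbags| (or by the caller when |pbags| is
 * NULL), or NULL on error.
 */
PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
                               EVP_PKEY *key, int key_usage, int iter,
                               int nid_key, const char *pass)
{
    PKCS12_SAFEBAG *bag = NULL;
    PKCS8_PRIV_KEY_INFO *p8 = NULL;

    /* Make a PKCS#8 structure */
    if ((p8 = EVP_PKEY2PKCS8(key)) == NULL)
        goto err;
    /* |p8| is ours until a bag takes it over; the err path frees it */
    if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
        goto err;

    if (nid_key != -1) {
        bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1, NULL, 0,
                                                  iter, p8);
        /* The shrouded bag holds an encrypted encoding, not |p8| itself */
        PKCS8_PRIV_KEY_INFO_free(p8);
        p8 = NULL;
    } else {
        bag = PKCS12_SAFEBAG_create0_p8inf(p8);
        /* On success the bag owns |p8| (create0); on failure we still do */
        if (bag != NULL)
            p8 = NULL;
    }

    if (!bag)
        goto err;

    if (!pkcs12_add_bag(pbags, bag))
        goto err;

    return bag;

 err:
    PKCS12_SAFEBAG_free(bag);
    PKCS8_PRIV_KEY_INFO_free(p8);
    return NULL;
}

/*
 * Pack |bags| into a PKCS#7 "safe" and append it to |*psafes|, creating the
 * stack when |*psafes| is NULL.  |nid_safe| selects the PBE algorithm: 0
 * picks the default and -1 packs the bags as unencrypted data; |iter| and
 * |pass| are only used when encrypting.
 *
 * Returns 1 on success and 0 on error.  A stack created here is freed
 * again on error and |*psafes| reset to NULL; a caller-supplied stack is
 * left untouched.  |psafes| itself must not be NULL.
 */
int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
                    int nid_safe, int iter, const char *pass)
{
    PKCS7 *p7 = NULL;
    int free_safes = 0;

    if (*psafes == NULL) {
        *psafes = sk_PKCS7_new_null();
        if (*psafes == NULL)
            return 0;
        free_safes = 1;
    }

    if (nid_safe == 0) {
#ifdef OPENSSL_NO_RC2
        nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
#else
        nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
#endif
    }

    if (nid_safe == -1)
        p7 = PKCS12_pack_p7data(bags);
    else
        p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, iter, bags);
    if (p7 == NULL)
        goto err;

    if (!sk_PKCS7_push(*psafes, p7))
        goto err;

    return 1;

 err:
    /* Only undo the allocation we made ourselves */
    if (free_safes) {
        sk_PKCS7_free(*psafes);
        *psafes = NULL;
    }
    PKCS7_free(p7);
    return 0;
}

/*
 * Append |bag| to |*pbags|, creating the stack when |*pbags| is NULL.
 * A NULL |pbags| means the caller does not want the bag collected; that
 * counts as success and the bag stays with the caller.
 *
 * Returns 1 on success and 0 on error; a stack created here is freed again
 * on error and |*pbags| reset to NULL.
 */
static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
                          PKCS12_SAFEBAG *bag)
{
    int free_bags = 0;

    if (pbags == NULL)
        return 1;
    if (*pbags == NULL) {
        *pbags = sk_PKCS12_SAFEBAG_new_null();
        if (*pbags == NULL)
            return 0;
        free_bags = 1;
    }

    if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) {
        if (free_bags) {
            sk_PKCS12_SAFEBAG_free(*pbags);
            *pbags = NULL;
        }
        return 0;
    }

    return 1;
}

/*
 * Create a PKCS12 whose authSafes content is the packed |safes| stack.
 * |nid_p7| is the content type of the outer PKCS#7; any value <= 0 selects
 * NID_pkcs7_data.  |safes| is encoded, not adopted: the caller still owns
 * and frees it.
 *
 * Returns the new PKCS12 or NULL on error.
 */
PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
{
    PKCS12 *p12;

    if (nid_p7 <= 0)
        nid_p7 = NID_pkcs7_data;
    p12 = PKCS12_init(nid_p7);
    if (p12 == NULL)
        return NULL;

    if (!PKCS12_pack_authsafes(p12, safes)) {
        PKCS12_free(p12);
        return NULL;
    }

    return p12;
}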