openssl/crypto/pkcs12/p12_kiss.c - Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with.

Side by Side Diff: openssl/crypto/pkcs12/p12_kiss.c

Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/

Patch Set: '' Created 8 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 /* p12_kiss.c */	1 /* p12_kiss.c */

2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

3 * project 1999.	3 * project 1999.

4 */	4 */

5 /* ====================================================================	5 /* ====================================================================

6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.	6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.

7 *	7 *

8 * Redistribution and use in source and binary forms, with or without	8 * Redistribution and use in source and binary forms, with or without

9 * modification, are permitted provided that the following conditions	9 * modification, are permitted provided that the following conditions

10 * are met:	10 * are met:

(...skipping 45 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
56 *	56 *

57 */	57 */

58	58

59 #include <stdio.h>	59 #include <stdio.h>

60 #include "cryptlib.h"	60 #include "cryptlib.h"

61 #include <openssl/pkcs12.h>	61 #include <openssl/pkcs12.h>

62	62

63 /* Simplified PKCS#12 routines */	63 /* Simplified PKCS#12 routines */

64	64

65 static int parse_pk12( PKCS12 p12, const char pass, int passlen,	65 static int parse_pk12( PKCS12 p12, const char pass, int passlen,

66 » » EVP_PKEY pkey, X509 cert, STACK_OF(X509) **ca);	66 » » EVP_PKEY *pkey, STACK_OF(X509) ocerts);

67	67

68 static int parse_bags( STACK_OF(PKCS12_SAFEBAG) bags, const char pass,	68 static int parse_bags( STACK_OF(PKCS12_SAFEBAG) bags, const char pass,

69 » » int passlen, EVP_PKEY pkey, X509 cert,	69 » » int passlen, EVP_PKEY *pkey, STACK_OF(X509) ocerts);

70 » » STACK_OF(X509) ca, ASN1_OCTET_STRING keyid,

71 » » char *keymatch);

72	70

73 static int parse_bag( PKCS12_SAFEBAG bag, const char pass, int passlen,	71 static int parse_bag( PKCS12_SAFEBAG bag, const char pass, int passlen,

74 » » » EVP_PKEY pkey, X509 cert, STACK_OF(X509) **ca,	72 » » » EVP_PKEY *pkey, STACK_OF(X509) ocerts);

75 » » » ASN1_OCTET_STRING *keyid, char keymatch);

76	73

77 /* Parse and decrypt a PKCS#12 structure returning user key, user cert	74 /* Parse and decrypt a PKCS#12 structure returning user key, user cert

78 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,	75 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,

79 * or it should point to a valid STACK structure. pkey and cert can be	76 * or it should point to a valid STACK structure. pkey and cert can be

80 * passed unitialised.	77 * passed unitialised.

81 */	78 */

82	79

83 int PKCS12_parse(PKCS12 p12, const char pass, EVP_PKEY pkey, X509 cert,	80 int PKCS12_parse(PKCS12 p12, const char pass, EVP_PKEY pkey, X509 cert,

84 STACK_OF(X509) **ca)	81 STACK_OF(X509) **ca)

85 {	82 {

86	83 » STACK_OF(X509) *ocerts = NULL;

	84 » X509 *x = NULL;

87 /* Check for NULL PKCS12 structure */	85 /* Check for NULL PKCS12 structure */

88	86

89 » if(!p12) {	87 » if(!p12)

	88 » » {

90 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POI NTER);	89 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POI NTER);

91 return 0;	90 return 0;

92 » }	91 » » }

93	92

94 » /* Allocate stack for ca certificates if needed */	93 » if(pkey)

95 » if ((ca != NULL) && (*ca == NULL)) {	94 » » *pkey = NULL;

96 » » if (!(*ca = sk_X509_new_null())) {	95 » if(cert)

97 » » » PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);	96 » » *cert = NULL;

98 » » » return 0;

99 » » }

100 » }

101

102 » if(pkey) *pkey = NULL;

103 » if(cert) *cert = NULL;

104	97

105 /* Check the mac */	98 /* Check the mac */

106	99

107 /* If password is zero length or NULL then try verifying both cases	100 /* If password is zero length or NULL then try verifying both cases

108 * to determine which password is correct. The reason for this is that	101 * to determine which password is correct. The reason for this is that

109 * under PKCS#12 password based encryption no password and a zero length	102 * under PKCS#12 password based encryption no password and a zero length

110 * password are two different things...	103 * password are two different things...

111 */	104 */

112	105

113 if(!pass \|\| !*pass) {	106 if(!pass \|\| !*pass) {

114 if(PKCS12_verify_mac(p12, NULL, 0)) pass = NULL;	107 if(PKCS12_verify_mac(p12, NULL, 0)) pass = NULL;

115 else if(PKCS12_verify_mac(p12, "", 0)) pass = "";	108 else if(PKCS12_verify_mac(p12, "", 0)) pass = "";

116 else {	109 else {

117 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAIL URE);	110 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAIL URE);

118 goto err;	111 goto err;

119 }	112 }

120 } else if (!PKCS12_verify_mac(p12, pass, -1)) {	113 } else if (!PKCS12_verify_mac(p12, pass, -1)) {

121 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE);	114 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE);

122 goto err;	115 goto err;

123 }	116 }

124	117

125 » if (!parse_pk12 (p12, pass, -1, pkey, cert, ca))	118 » /* Allocate stack for other certificates */

	119 » ocerts = sk_X509_new_null();

	120

	121 » if (!ocerts)

	122 » » {

	123 » » PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);

	124 » » return 0;

	125 » » }

	126

	127 » if (!parse_pk12 (p12, pass, -1, pkey, ocerts))

126 {	128 {

127 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);	129 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);

128 goto err;	130 goto err;

129 }	131 }

130	132

	133 while ((x = sk_X509_pop(ocerts)))

	134 {

	135 if (pkey && pkey && cert && !cert)

	136 {

	137 if (X509_check_private_key(x, *pkey))

	138 {

	139 *cert = x;

	140 x = NULL;

	141 }

	142 }

	143

	144 if (ca && x)

	145 {

	146 if (!*ca)

	147 *ca = sk_X509_new_null();

	148 if (!*ca)

	149 goto err;

	150 if (!sk_X509_push(*ca, x))

	151 goto err;

	152 x = NULL;

	153 }

	154 if (x)

	155 X509_free(x);

	156 }

	157

	158 if (ocerts)

	159 sk_X509_pop_free(ocerts, X509_free);

	160

131 return 1;	161 return 1;

132	162

133 err:	163 err:

134	164

135 » if (pkey && pkey) EVP_PKEY_free(pkey);	165 » if (pkey && *pkey)

136 » if (cert && cert) X509_free(cert);	166 » » EVP_PKEY_free(*pkey);

137 » if (ca) sk_X509_pop_free(*ca, X509_free);	167 » if (cert && *cert)

	168 » » X509_free(*cert);

	169 » if (x)

	170 » » X509_free(*cert);

	171 » if (ocerts)

	172 » » sk_X509_pop_free(ocerts, X509_free);

138 return 0;	173 return 0;

139	174

140 }	175 }

141	176

142 /* Parse the outer PKCS#12 structure */	177 /* Parse the outer PKCS#12 structure */

143	178

144 static int parse_pk12(PKCS12 p12, const char pass, int passlen,	179 static int parse_pk12(PKCS12 p12, const char pass, int passlen,

145 » EVP_PKEY pkey, X509 cert, STACK_OF(X509) **ca)	180 » EVP_PKEY *pkey, STACK_OF(X509) ocerts)

146 {	181 {

147 STACK_OF(PKCS7) *asafes;	182 STACK_OF(PKCS7) *asafes;

148 STACK_OF(PKCS12_SAFEBAG) *bags;	183 STACK_OF(PKCS12_SAFEBAG) *bags;

149 int i, bagnid;	184 int i, bagnid;

150 PKCS7 *p7;	185 PKCS7 *p7;

151 ASN1_OCTET_STRING *keyid = NULL;

152	186

153 char keymatch = 0;

154 if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;	187 if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;

155 for (i = 0; i < sk_PKCS7_num (asafes); i++) {	188 for (i = 0; i < sk_PKCS7_num (asafes); i++) {

156 p7 = sk_PKCS7_value (asafes, i);	189 p7 = sk_PKCS7_value (asafes, i);

157 bagnid = OBJ_obj2nid (p7->type);	190 bagnid = OBJ_obj2nid (p7->type);

158 if (bagnid == NID_pkcs7_data) {	191 if (bagnid == NID_pkcs7_data) {

159 bags = PKCS12_unpack_p7data(p7);	192 bags = PKCS12_unpack_p7data(p7);

160 } else if (bagnid == NID_pkcs7_encrypted) {	193 } else if (bagnid == NID_pkcs7_encrypted) {

161 bags = PKCS12_unpack_p7encdata(p7, pass, passlen);	194 bags = PKCS12_unpack_p7encdata(p7, pass, passlen);

162 } else continue;	195 } else continue;

163 if (!bags) {	196 if (!bags) {

164 sk_PKCS7_pop_free(asafes, PKCS7_free);	197 sk_PKCS7_pop_free(asafes, PKCS7_free);

165 return 0;	198 return 0;

166 }	199 }

167 » » if (!parse_bags(bags, pass, passlen, pkey, cert, ca,	200 » » if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {

168 » » » » » » » &keyid, &keymatch)) {

169 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);	201 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);

170 sk_PKCS7_pop_free(asafes, PKCS7_free);	202 sk_PKCS7_pop_free(asafes, PKCS7_free);

171 return 0;	203 return 0;

172 }	204 }

173 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);	205 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);

174 }	206 }

175 sk_PKCS7_pop_free(asafes, PKCS7_free);	207 sk_PKCS7_pop_free(asafes, PKCS7_free);

176 if (keyid) M_ASN1_OCTET_STRING_free(keyid);

177 return 1;	208 return 1;

178 }	209 }

179	210

180	211

181 static int parse_bags(STACK_OF(PKCS12_SAFEBAG) bags, const char pass,	212 static int parse_bags(STACK_OF(PKCS12_SAFEBAG) bags, const char pass,

182 » » int passlen, EVP_PKEY pkey, X509 cert,	213 » » int passlen, EVP_PKEY *pkey, STACK_OF(X509) ocerts)

183 » » STACK_OF(X509) ca, ASN1_OCTET_STRING keyid,

184 » » char *keymatch)

185 {	214 {

186 int i;	215 int i;

187 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {	216 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {

188 if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i),	217 if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i),

189 » » » pass, passlen, pkey, cert, ca, keyid,	218 » » » » pass, passlen, pkey, ocerts))

190 » » » » » » » keymatch)) return 0;	219 » » » return 0;

191 }	220 }

192 return 1;	221 return 1;

193 }	222 }

194	223

195 #define MATCH_KEY 0x1

196 #define MATCH_CERT 0x2

197 #define MATCH_ALL 0x3

198

199 static int parse_bag(PKCS12_SAFEBAG bag, const char pass, int passlen,	224 static int parse_bag(PKCS12_SAFEBAG bag, const char pass, int passlen,

200 » » EVP_PKEY pkey, X509 cert, STACK_OF(X509) **ca,	225 » » EVP_PKEY *pkey, STACK_OF(X509) ocerts)

201 » » ASN1_OCTET_STRING **keyid,

202 » » char *keymatch)

203 {	226 {

204 PKCS8_PRIV_KEY_INFO *p8;	227 PKCS8_PRIV_KEY_INFO *p8;

205 X509 *x509;	228 X509 *x509;

206 ASN1_OCTET_STRING lkey = NULL, ckid = NULL;

207 ASN1_TYPE *attrib;	229 ASN1_TYPE *attrib;

208 ASN1_BMPSTRING *fname = NULL;	230 ASN1_BMPSTRING *fname = NULL;

	231 ASN1_OCTET_STRING *lkid = NULL;

209	232

210 if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))	233 if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))

211 fname = attrib->value.bmpstring;	234 fname = attrib->value.bmpstring;

212	235

213 » if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) {	236 » if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))

214 » » lkey = attrib->value.octet_string;	237 » » lkid = attrib->value.octet_string;

215 » » ckid = lkey;

216 » }

217	238

218 /* Check for any local key id matching (if needed) */

219 if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {

220 if (*keyid) {

221 if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;

222 } else {

223 if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {

224 PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILUR E);

225 return 0;

226 }

227 }

228 }

229

230 switch (M_PKCS12_bag_type(bag))	239 switch (M_PKCS12_bag_type(bag))

231 {	240 {

232 case NID_keyBag:	241 case NID_keyBag:

233 » » if (!lkey \|\| !pkey) return 1;»	242 » » if (!pkey \|\| *pkey)

234 » » if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) return 0;	243 » » » return 1;»

235 » » *keymatch \|= MATCH_KEY;	244 » » if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))

	245 » » » return 0;

236 break;	246 break;

237	247

238 case NID_pkcs8ShroudedKeyBag:	248 case NID_pkcs8ShroudedKeyBag:

239 » » if (!lkey \|\| !pkey) return 1;»	249 » » if (!pkey \|\| *pkey)

	250 » » » return 1;»

240 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))	251 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))

241 return 0;	252 return 0;

242 *pkey = EVP_PKCS82PKEY(p8);	253 *pkey = EVP_PKCS82PKEY(p8);

243 PKCS8_PRIV_KEY_INFO_free(p8);	254 PKCS8_PRIV_KEY_INFO_free(p8);

244 if (!(*pkey)) return 0;	255 if (!(*pkey)) return 0;

245 *keymatch \|= MATCH_KEY;

246 break;	256 break;

247	257

248 case NID_certBag:	258 case NID_certBag:

249 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )	259 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )

250 » » » » » » » » return 1;	260 » » » return 1;

251 » » if (!(x509 = PKCS12_certbag2x509(bag))) return 0;	261 » » if (!(x509 = PKCS12_certbag2x509(bag)))

252 » » if(ckid)	262 » » » return 0;

	263 » » if(lkid && !X509_keyid_set1(x509, lkid->data, lkid->length))

253 {	264 {

254 » » » if (!X509_keyid_set1(x509, ckid->data, ckid->length))	265 » » » X509_free(x509);

255 » » » » {	266 » » » return 0;

256 » » » » X509_free(x509);

257 » » » » return 0;

258 » » » » }

259 }	267 }

260 if(fname) {	268 if(fname) {

261 int len, r;	269 int len, r;

262 unsigned char *data;	270 unsigned char *data;

263 len = ASN1_STRING_to_UTF8(&data, fname);	271 len = ASN1_STRING_to_UTF8(&data, fname);

264 if(len > 0) {	272 if(len > 0) {

265 r = X509_alias_set1(x509, data, len);	273 r = X509_alias_set1(x509, data, len);

266 OPENSSL_free(data);	274 OPENSSL_free(data);

267 if (!r)	275 if (!r)

268 {	276 {

269 X509_free(x509);	277 X509_free(x509);

270 return 0;	278 return 0;

271 }	279 }

272 }	280 }

273 }	281 }

274	282

	283 if(!sk_X509_push(ocerts, x509))

	284 {

	285 X509_free(x509);

	286 return 0;

	287 }

275	288

276 if (lkey) {

277 *keymatch \|= MATCH_CERT;

278 if (cert) *cert = x509;

279 else X509_free(x509);

280 } else {

281 if(ca) sk_X509_push (*ca, x509);

282 else X509_free(x509);

283 }

284 break;	289 break;

285	290

286 case NID_safeContentsBag:	291 case NID_safeContentsBag:

287 return parse_bags(bag->value.safes, pass, passlen,	292 return parse_bags(bag->value.safes, pass, passlen,

288 » » » » » pkey, cert, ca, keyid, keymatch);	293 » » » » » pkey, ocerts);

289 break;	294 break;

290	295

291 default:	296 default:

292 return 1;	297 return 1;

293 break;	298 break;

294 }	299 }

295 return 1;	300 return 1;

296 }	301 }

297	302

OLD	NEW

« no previous file with comments | « openssl/crypto/pkcs12/p12_key.c ('k') | openssl/crypto/pkcs12/p12_mutl.c » ('j') | no next file with comments »