1 /* 2 * Copyright (c) 2004 - 2007 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "hx_locl.h" 35 RCSID("$Id: ks_p12.c 21146 2007-06-18 21:37:25Z lha $"); 36 37 struct ks_pkcs12 { 38 hx509_certs certs; 39 char *fn; 40 }; 41 42 typedef int (*collector_func)(hx509_context, 43 struct hx509_collector *, 44 const void *, size_t, 45 const PKCS12_Attributes *); 46 47 struct type { 48 const heim_oid * (*oid)(void); 49 collector_func func; 50 }; 51 52 static void 53 parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *, 54 const void *, size_t, const PKCS12_Attributes *); 55 56 57 static const PKCS12_Attribute * 58 find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid) 59 { 60 int i; 61 if (attrs == NULL) 62 return NULL; 63 for (i = 0; i < attrs->len; i++) 64 if (der_heim_oid_cmp(oid, &attrs->val[i].attrId) == 0) 65 return &attrs->val[i]; 66 return NULL; 67 } 68 69 static int 70 keyBag_parser(hx509_context context, 71 struct hx509_collector *c, 72 const void *data, size_t length, 73 const PKCS12_Attributes *attrs) 74 { 75 const PKCS12_Attribute *attr; 76 PKCS8PrivateKeyInfo ki; 77 const heim_octet_string *os = NULL; 78 int ret; 79 80 attr = find_attribute(attrs, oid_id_pkcs_9_at_localKeyId()); 81 if (attr) 82 os = &attr->attrValues; 83 84 ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL); 85 if (ret) 86 return ret; 87 88 _hx509_collector_private_key_add(context, 89 c, 90 &ki.privateKeyAlgorithm, 91 NULL, 92 &ki.privateKey, 93 os); 94 free_PKCS8PrivateKeyInfo(&ki); 95 return 0; 96 } 97 98 static int 99 ShroudedKeyBag_parser(hx509_context context, 100 struct hx509_collector *c, 101 const void *data, size_t length, 102 const PKCS12_Attributes *attrs) 103 { 104 PKCS8EncryptedPrivateKeyInfo pk; 105 heim_octet_string content; 106 int ret; 107 108 memset(&pk, 0, sizeof(pk)); 109 110 ret = decode_PKCS8EncryptedPrivateKeyInfo(data, length, &pk, NULL); 111 if (ret) 112 return ret; 113 114 ret = _hx509_pbe_decrypt(context, 115 _hx509_collector_get_lock(c), 116 &pk.encryptionAlgorithm, 117 &pk.encryptedData, 118 &content); 119 free_PKCS8EncryptedPrivateKeyInfo(&pk); 120 if (ret) 121 return ret; 122 123 ret = keyBag_parser(context, c, content.data, content.length, attrs); 124 der_free_octet_string(&content); 125 return ret; 126 } 127 128 static int 129 certBag_parser(hx509_context context, 130 struct hx509_collector *c, 131 const void *data, size_t length, 132 const PKCS12_Attributes *attrs) 133 { 134 heim_octet_string os; 135 hx509_cert cert; 136 PKCS12_CertBag cb; 137 int ret; 138 139 ret = decode_PKCS12_CertBag(data, length, &cb, NULL); 140 if (ret) 141 return ret; 142 143 if (der_heim_oid_cmp(oid_id_pkcs_9_at_certTypes_x509(), &cb.certType)) { 144 free_PKCS12_CertBag(&cb); 145 return 0; 146 } 147 148 ret = decode_PKCS12_OctetString(cb.certValue.data, 149 cb.certValue.length, 150 &os, 151 NULL); 152 free_PKCS12_CertBag(&cb); 153 if (ret) 154 return ret; 155 156 ret = hx509_cert_init_data(context, os.data, os.length, &cert); 157 der_free_octet_string(&os); 158 if (ret) 159 return ret; 160 161 ret = _hx509_collector_certs_add(context, c, cert); 162 if (ret) { 163 hx509_cert_free(cert); 164 return ret; 165 } 166 167 { 168 const PKCS12_Attribute *attr; 169 const heim_oid * (*oids[])(void) = { 170 oid_id_pkcs_9_at_localKeyId, oid_id_pkcs_9_at_friendlyName 171 }; 172 int i; 173 174 for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) { 175 const heim_oid *oid = (*(oids[i]))(); 176 attr = find_attribute(attrs, oid); 177 if (attr) 178 _hx509_set_cert_attribute(context, cert, oid, 179 &attr->attrValues); 180 } 181 } 182 183 hx509_cert_free(cert); 184 185 return 0; 186 } 187 188 static int 189 parse_safe_content(hx509_context context, 190 struct hx509_collector *c, 191 const unsigned char *p, size_t len) 192 { 193 PKCS12_SafeContents sc; 194 int ret, i; 195 196 memset(&sc, 0, sizeof(sc)); 197 198 ret = decode_PKCS12_SafeContents(p, len, &sc, NULL); 199 if (ret) 200 return ret; 201 202 for (i = 0; i < sc.len ; i++) 203 parse_pkcs12_type(context, 204 c, 205 &sc.val[i].bagId, 206 sc.val[i].bagValue.data, 207 sc.val[i].bagValue.length, 208 sc.val[i].bagAttributes); 209 210 free_PKCS12_SafeContents(&sc); 211 return 0; 212 } 213 214 static int 215 safeContent_parser(hx509_context context, 216 struct hx509_collector *c, 217 const void *data, size_t length, 218 const PKCS12_Attributes *attrs) 219 { 220 heim_octet_string os; 221 int ret; 222 223 ret = decode_PKCS12_OctetString(data, length, &os, NULL); 224 if (ret) 225 return ret; 226 ret = parse_safe_content(context, c, os.data, os.length); 227 der_free_octet_string(&os); 228 return ret; 229 } 230 231 static int 232 encryptedData_parser(hx509_context context, 233 struct hx509_collector *c, 234 const void *data, size_t length, 235 const PKCS12_Attributes *attrs) 236 { 237 heim_octet_string content; 238 heim_oid contentType; 239 int ret; 240 241 memset(&contentType, 0, sizeof(contentType)); 242 243 ret = hx509_cms_decrypt_encrypted(context, 244 _hx509_collector_get_lock(c), 245 data, length, 246 &contentType, 247 &content); 248 if (ret) 249 return ret; 250 251 if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) == 0) 252 ret = parse_safe_content(context, c, content.data, content.length); 253 254 der_free_octet_string(&content); 255 der_free_oid(&contentType); 256 return ret; 257 } 258 259 static int 260 envelopedData_parser(hx509_context context, 261 struct hx509_collector *c, 262 const void *data, size_t length, 263 const PKCS12_Attributes *attrs) 264 { 265 heim_octet_string content; 266 heim_oid contentType; 267 hx509_lock lock; 268 int ret; 269 270 memset(&contentType, 0, sizeof(contentType)); 271 272 lock = _hx509_collector_get_lock(c); 273 274 ret = hx509_cms_unenvelope(context, 275 _hx509_lock_unlock_certs(lock), 276 0, 277 data, length, 278 NULL, 279 &contentType, 280 &content); 281 if (ret) { 282 hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 283 "PKCS12 failed to unenvelope"); 284 return ret; 285 } 286 287 if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) == 0) 288 ret = parse_safe_content(context, c, content.data, content.length); 289 290 der_free_octet_string(&content); 291 der_free_oid(&contentType); 292 293 return ret; 294 } 295 296 297 struct type bagtypes[] = { 298 { oid_id_pkcs12_keyBag, keyBag_parser }, 299 { oid_id_pkcs12_pkcs8ShroudedKeyBag, ShroudedKeyBag_parser }, 300 { oid_id_pkcs12_certBag, certBag_parser }, 301 { oid_id_pkcs7_data, safeContent_parser }, 302 { oid_id_pkcs7_encryptedData, encryptedData_parser }, 303 { oid_id_pkcs7_envelopedData, envelopedData_parser } 304 }; 305 306 static void 307 parse_pkcs12_type(hx509_context context, 308 struct hx509_collector *c, 309 const heim_oid *oid, 310 const void *data, size_t length, 311 const PKCS12_Attributes *attrs) 312 { 313 int i; 314 315 for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++) 316 if (der_heim_oid_cmp((*bagtypes[i].oid)(), oid) == 0) 317 (*bagtypes[i].func)(context, c, data, length, attrs); 318 } 319 320 static int 321 p12_init(hx509_context context, 322 hx509_certs certs, void **data, int flags, 323 const char *residue, hx509_lock lock) 324 { 325 struct ks_pkcs12 *p12; 326 size_t len; 327 void *buf; 328 PKCS12_PFX pfx; 329 PKCS12_AuthenticatedSafe as; 330 int ret, i; 331 struct hx509_collector *c; 332 333 *data = NULL; 334 335 if (lock == NULL) 336 lock = _hx509_empty_lock; 337 338 ret = _hx509_collector_alloc(context, lock, &c); 339 if (ret) 340 return ret; 341 342 p12 = calloc(1, sizeof(*p12)); 343 if (p12 == NULL) { 344 ret = ENOMEM; 345 hx509_set_error_string(context, 0, ret, "out of memory"); 346 goto out; 347 } 348 349 p12->fn = strdup(residue); 350 if (p12->fn == NULL) { 351 ret = ENOMEM; 352 hx509_set_error_string(context, 0, ret, "out of memory"); 353 goto out; 354 } 355 356 if (flags & HX509_CERTS_CREATE) { 357 ret = hx509_certs_init(context, "MEMORY:ks-file-create", 358 0, lock, &p12->certs); 359 if (ret == 0) 360 *data = p12; 361 goto out; 362 } 363 364 ret = _hx509_map_file(residue, &buf, &len, NULL); 365 if (ret) { 366 hx509_clear_error_string(context); 367 goto out; 368 } 369 370 ret = decode_PKCS12_PFX(buf, len, &pfx, NULL); 371 _hx509_unmap_file(buf, len); 372 if (ret) { 373 hx509_set_error_string(context, 0, ret, 374 "Failed to decode the PFX in %s", residue); 375 goto out; 376 } 377 378 if (der_heim_oid_cmp(&pfx.authSafe.contentType, oid_id_pkcs7_data()) != 0) { 379 free_PKCS12_PFX(&pfx); 380 ret = EINVAL; 381 hx509_set_error_string(context, 0, ret, 382 "PKCS PFX isn't a pkcs7-data container"); 383 goto out; 384 } 385 386 if (pfx.authSafe.content == NULL) { 387 free_PKCS12_PFX(&pfx); 388 ret = EINVAL; 389 hx509_set_error_string(context, 0, ret, 390 "PKCS PFX missing data"); 391 goto out; 392 } 393 394 { 395 heim_octet_string asdata; 396 397 ret = decode_PKCS12_OctetString(pfx.authSafe.content->data, 398 pfx.authSafe.content->length, 399 &asdata, 400 NULL); 401 free_PKCS12_PFX(&pfx); 402 if (ret) { 403 hx509_clear_error_string(context); 404 goto out; 405 } 406 ret = decode_PKCS12_AuthenticatedSafe(asdata.data, 407 asdata.length, 408 &as, 409 NULL); 410 der_free_octet_string(&asdata); 411 if (ret) { 412 hx509_clear_error_string(context); 413 goto out; 414 } 415 } 416 417 for (i = 0; i < as.len; i++) 418 parse_pkcs12_type(context, 419 c, 420 &as.val[i].contentType, 421 as.val[i].content->data, 422 as.val[i].content->length, 423 NULL); 424 425 free_PKCS12_AuthenticatedSafe(&as); 426 427 ret = _hx509_collector_collect_certs(context, c, &p12->certs); 428 if (ret == 0) 429 *data = p12; 430 431 out: 432 _hx509_collector_free(c); 433 434 if (ret && p12) { 435 if (p12->fn) 436 free(p12->fn); 437 if (p12->certs) 438 hx509_certs_free(&p12->certs); 439 free(p12); 440 } 441 442 return ret; 443 } 444 445 static int 446 addBag(hx509_context context, 447 PKCS12_AuthenticatedSafe *as, 448 const heim_oid *oid, 449 void *data, 450 size_t length) 451 { 452 void *ptr; 453 int ret; 454 455 ptr = realloc(as->val, sizeof(as->val[0]) * (as->len + 1)); 456 if (ptr == NULL) { 457 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 458 return ENOMEM; 459 } 460 as->val = ptr; 461 462 ret = der_copy_oid(oid, &as->val[as->len].contentType); 463 if (ret) { 464 hx509_set_error_string(context, 0, ret, "out of memory"); 465 return ret; 466 } 467 468 as->val[as->len].content = calloc(1, sizeof(*as->val[0].content)); 469 if (as->val[as->len].content == NULL) { 470 der_free_oid(&as->val[as->len].contentType); 471 hx509_set_error_string(context, 0, ENOMEM, "malloc out of memory"); 472 return ENOMEM; 473 } 474 475 as->val[as->len].content->data = data; 476 as->val[as->len].content->length = length; 477 478 as->len++; 479 480 return 0; 481 } 482 483 static int 484 store_func(hx509_context context, void *ctx, hx509_cert c) 485 { 486 PKCS12_AuthenticatedSafe *as = ctx; 487 PKCS12_OctetString os; 488 PKCS12_CertBag cb; 489 size_t size; 490 int ret; 491 492 memset(&os, 0, sizeof(os)); 493 memset(&cb, 0, sizeof(cb)); 494 495 os.data = NULL; 496 os.length = 0; 497 498 ret = hx509_cert_binary(context, c, &os); 499 if (ret) 500 return ret; 501 502 ASN1_MALLOC_ENCODE(PKCS12_OctetString, 503 cb.certValue.data,cb.certValue.length, 504 &os, &size, ret); 505 free(os.data); 506 if (ret) 507 goto out; 508 ret = der_copy_oid(oid_id_pkcs_9_at_certTypes_x509(), &cb.certType); 509 if (ret) { 510 free_PKCS12_CertBag(&cb); 511 goto out; 512 } 513 ASN1_MALLOC_ENCODE(PKCS12_CertBag, os.data, os.length, 514 &cb, &size, ret); 515 free_PKCS12_CertBag(&cb); 516 if (ret) 517 goto out; 518 519 ret = addBag(context, as, oid_id_pkcs12_certBag(), os.data, os.length); 520 521 if (_hx509_cert_private_key_exportable(c)) { 522 hx509_private_key key = _hx509_cert_private_key(c); 523 PKCS8PrivateKeyInfo pki; 524 525 memset(&pki, 0, sizeof(pki)); 526 527 ret = der_parse_hex_heim_integer("00", &pki.version); 528 if (ret) 529 return ret; 530 ret = _hx509_private_key_oid(context, key, 531 &pki.privateKeyAlgorithm.algorithm); 532 if (ret) { 533 free_PKCS8PrivateKeyInfo(&pki); 534 return ret; 535 } 536 ret = _hx509_private_key_export(context, 537 _hx509_cert_private_key(c), 538 &pki.privateKey); 539 if (ret) { 540 free_PKCS8PrivateKeyInfo(&pki); 541 return ret; 542 } 543 /* set attribute, oid_id_pkcs_9_at_localKeyId() */ 544 545 ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, os.data, os.length, 546 &pki, &size, ret); 547 free_PKCS8PrivateKeyInfo(&pki); 548 if (ret) 549 return ret; 550 551 ret = addBag(context, as, oid_id_pkcs12_keyBag(), os.data, os.length); 552 if (ret) 553 return ret; 554 } 555 556 out: 557 return ret; 558 } 559 560 static int 561 p12_store(hx509_context context, 562 hx509_certs certs, void *data, int flags, hx509_lock lock) 563 { 564 struct ks_pkcs12 *p12 = data; 565 PKCS12_PFX pfx; 566 PKCS12_AuthenticatedSafe as; 567 PKCS12_OctetString asdata; 568 size_t size; 569 int ret; 570 571 memset(&as, 0, sizeof(as)); 572 memset(&pfx, 0, sizeof(pfx)); 573 574 ret = hx509_certs_iter(context, p12->certs, store_func, &as); 575 if (ret) 576 goto out; 577 578 ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length, 579 &as, &size, ret); 580 free_PKCS12_AuthenticatedSafe(&as); 581 if (ret) 582 return ret; 583 584 ret = der_parse_hex_heim_integer("03", &pfx.version); 585 if (ret) { 586 free(asdata.data); 587 goto out; 588 } 589 590 pfx.authSafe.content = calloc(1, sizeof(*pfx.authSafe.content)); 591 592 ASN1_MALLOC_ENCODE(PKCS12_OctetString, 593 pfx.authSafe.content->data, 594 pfx.authSafe.content->length, 595 &asdata, &size, ret); 596 free(asdata.data); 597 if (ret) 598 goto out; 599 600 ret = der_copy_oid(oid_id_pkcs7_data(), &pfx.authSafe.contentType); 601 if (ret) 602 goto out; 603 604 ASN1_MALLOC_ENCODE(PKCS12_PFX, asdata.data, asdata.length, 605 &pfx, &size, ret); 606 if (ret) 607 goto out; 608 609 #if 0 610 const struct _hx509_password *pw; 611 612 pw = _hx509_lock_get_passwords(lock); 613 if (pw != NULL) { 614 pfx.macData = calloc(1, sizeof(*pfx.macData)); 615 if (pfx.macData == NULL) { 616 ret = ENOMEM; 617 hx509_set_error_string(context, 0, ret, "malloc out of memory"); 618 return ret; 619 } 620 if (pfx.macData == NULL) { 621 free(asdata.data); 622 goto out; 623 } 624 } 625 ret = calculate_hash(&aspath, pw, pfx.macData); 626 #endif 627 628 rk_dumpdata(p12->fn, asdata.data, asdata.length); 629 free(asdata.data); 630 631 out: 632 free_PKCS12_AuthenticatedSafe(&as); 633 free_PKCS12_PFX(&pfx); 634 635 return ret; 636 } 637 638 639 static int 640 p12_free(hx509_certs certs, void *data) 641 { 642 struct ks_pkcs12 *p12 = data; 643 hx509_certs_free(&p12->certs); 644 free(p12->fn); 645 free(p12); 646 return 0; 647 } 648 649 static int 650 p12_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c) 651 { 652 struct ks_pkcs12 *p12 = data; 653 return hx509_certs_add(context, p12->certs, c); 654 } 655 656 static int 657 p12_iter_start(hx509_context context, 658 hx509_certs certs, 659 void *data, 660 void **cursor) 661 { 662 struct ks_pkcs12 *p12 = data; 663 return hx509_certs_start_seq(context, p12->certs, cursor); 664 } 665 666 static int 667 p12_iter(hx509_context context, 668 hx509_certs certs, 669 void *data, 670 void *cursor, 671 hx509_cert *cert) 672 { 673 struct ks_pkcs12 *p12 = data; 674 return hx509_certs_next_cert(context, p12->certs, cursor, cert); 675 } 676 677 static int 678 p12_iter_end(hx509_context context, 679 hx509_certs certs, 680 void *data, 681 void *cursor) 682 { 683 struct ks_pkcs12 *p12 = data; 684 return hx509_certs_end_seq(context, p12->certs, cursor); 685 } 686 687 static struct hx509_keyset_ops keyset_pkcs12 = { 688 "PKCS12", 689 0, 690 p12_init, 691 p12_store, 692 p12_free, 693 p12_add, 694 NULL, 695 p12_iter_start, 696 p12_iter, 697 p12_iter_end 698 }; 699 700 void 701 _hx509_ks_pkcs12_register(hx509_context context) 702 { 703 _hx509_ks_register(context, &keyset_pkcs12); 704 } 705