p12_sbag.c 8.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285
  1. /*
  2. * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/pkcs12.h>
  12. #include "p12_local.h"
  13. #include "crypto/x509.h"
  14. #ifndef OPENSSL_NO_DEPRECATED_1_1_0
  15. ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
  16. {
  17. return PKCS12_get_attr_gen(bag->attrib, attr_nid);
  18. }
  19. #endif
  20. const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
  21. int attr_nid)
  22. {
  23. return PKCS12_get_attr_gen(bag->attrib, attr_nid);
  24. }
  25. ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
  26. {
  27. return PKCS12_get_attr_gen(PKCS8_pkey_get0_attrs(p8), attr_nid);
  28. }
  29. const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag)
  30. {
  31. if (PKCS12_SAFEBAG_get_nid(bag) != NID_keyBag)
  32. return NULL;
  33. return bag->value.keybag;
  34. }
  35. const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag)
  36. {
  37. if (OBJ_obj2nid(bag->type) != NID_pkcs8ShroudedKeyBag)
  38. return NULL;
  39. return bag->value.shkeybag;
  40. }
  41. const STACK_OF(PKCS12_SAFEBAG) *
  42. PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag)
  43. {
  44. if (OBJ_obj2nid(bag->type) != NID_safeContentsBag)
  45. return NULL;
  46. return bag->value.safes;
  47. }
  48. const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag)
  49. {
  50. return bag->type;
  51. }
  52. int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag)
  53. {
  54. return OBJ_obj2nid(bag->type);
  55. }
  56. int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
  57. {
  58. int btype = PKCS12_SAFEBAG_get_nid(bag);
  59. if (btype != NID_certBag && btype != NID_crlBag && btype != NID_secretBag)
  60. return -1;
  61. return OBJ_obj2nid(bag->value.bag->type);
  62. }
  63. const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag)
  64. {
  65. return bag->value.bag->type;
  66. }
  67. const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag)
  68. {
  69. return bag->value.bag->value.other;
  70. }
  71. X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
  72. {
  73. if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag)
  74. return NULL;
  75. if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
  76. return NULL;
  77. return ASN1_item_unpack(bag->value.bag->value.octet,
  78. ASN1_ITEM_rptr(X509));
  79. }
  80. X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag)
  81. {
  82. if (PKCS12_SAFEBAG_get_nid(bag) != NID_crlBag)
  83. return NULL;
  84. if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
  85. return NULL;
  86. return ASN1_item_unpack(bag->value.bag->value.octet,
  87. ASN1_ITEM_rptr(X509_CRL));
  88. }
  89. X509 *PKCS12_SAFEBAG_get1_cert_ex(const PKCS12_SAFEBAG *bag,
  90. OSSL_LIB_CTX *libctx, const char *propq)
  91. {
  92. X509 *ret = NULL;
  93. if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag)
  94. return NULL;
  95. if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
  96. return NULL;
  97. ret = ASN1_item_unpack_ex(bag->value.bag->value.octet,
  98. ASN1_ITEM_rptr(X509), libctx, propq);
  99. if (!ossl_x509_set0_libctx(ret, libctx, propq)) {
  100. X509_free(ret);
  101. return NULL;
  102. }
  103. return ret;
  104. }
  105. X509_CRL *PKCS12_SAFEBAG_get1_crl_ex(const PKCS12_SAFEBAG *bag,
  106. OSSL_LIB_CTX *libctx, const char *propq)
  107. {
  108. X509_CRL *ret = NULL;
  109. if (PKCS12_SAFEBAG_get_nid(bag) != NID_crlBag)
  110. return NULL;
  111. if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
  112. return NULL;
  113. ret = ASN1_item_unpack_ex(bag->value.bag->value.octet,
  114. ASN1_ITEM_rptr(X509_CRL), libctx, propq);
  115. if (!ossl_x509_crl_set0_libctx(ret, libctx, propq)) {
  116. X509_CRL_free(ret);
  117. return NULL;
  118. }
  119. return ret;
  120. }
  121. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509)
  122. {
  123. return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
  124. NID_x509Certificate, NID_certBag);
  125. }
  126. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
  127. {
  128. return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
  129. NID_x509Crl, NID_crlBag);
  130. }
  131. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned char *value, int len)
  132. {
  133. PKCS12_BAGS *bag;
  134. PKCS12_SAFEBAG *safebag;
  135. if ((bag = PKCS12_BAGS_new()) == NULL) {
  136. ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
  137. return NULL;
  138. }
  139. bag->type = OBJ_nid2obj(type);
  140. switch (vtype) {
  141. case V_ASN1_OCTET_STRING:
  142. {
  143. ASN1_OCTET_STRING *strtmp = ASN1_OCTET_STRING_new();
  144. if (strtmp == NULL) {
  145. ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
  146. goto err;
  147. }
  148. /* Pack data into an octet string */
  149. if (!ASN1_OCTET_STRING_set(strtmp, value, len)) {
  150. ASN1_OCTET_STRING_free(strtmp);
  151. ERR_raise(ERR_LIB_PKCS12, PKCS12_R_ENCODE_ERROR);
  152. goto err;
  153. }
  154. bag->value.other = ASN1_TYPE_new();
  155. if (bag->value.other == NULL) {
  156. ASN1_OCTET_STRING_free(strtmp);
  157. ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
  158. goto err;
  159. }
  160. ASN1_TYPE_set(bag->value.other, vtype, strtmp);
  161. }
  162. break;
  163. default:
  164. ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_TYPE);
  165. goto err;
  166. }
  167. if ((safebag = PKCS12_SAFEBAG_new()) == NULL) {
  168. ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
  169. goto err;
  170. }
  171. safebag->value.bag = bag;
  172. safebag->type = OBJ_nid2obj(NID_secretBag);
  173. return safebag;
  174. err:
  175. PKCS12_BAGS_free(bag);
  176. return NULL;
  177. }
  178. /* Turn PKCS8 object into a keybag */
  179. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
  180. {
  181. PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
  182. if (bag == NULL) {
  183. ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
  184. return NULL;
  185. }
  186. bag->type = OBJ_nid2obj(NID_keyBag);
  187. bag->value.keybag = p8;
  188. return bag;
  189. }
  190. /* Turn PKCS8 object into a shrouded keybag */
  191. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8)
  192. {
  193. PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
  194. /* Set up the safe bag */
  195. if (bag == NULL) {
  196. ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
  197. return NULL;
  198. }
  199. bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
  200. bag->value.shkeybag = p8;
  201. return bag;
  202. }
  203. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(int pbe_nid,
  204. const char *pass,
  205. int passlen,
  206. unsigned char *salt,
  207. int saltlen, int iter,
  208. PKCS8_PRIV_KEY_INFO *p8inf,
  209. OSSL_LIB_CTX *ctx,
  210. const char *propq)
  211. {
  212. PKCS12_SAFEBAG *bag = NULL;
  213. const EVP_CIPHER *pbe_ciph = NULL;
  214. EVP_CIPHER *pbe_ciph_fetch = NULL;
  215. X509_SIG *p8;
  216. ERR_set_mark();
  217. pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);
  218. if (pbe_ciph == NULL)
  219. pbe_ciph = EVP_get_cipherbynid(pbe_nid);
  220. ERR_pop_to_mark();
  221. if (pbe_ciph != NULL)
  222. pbe_nid = -1;
  223. p8 = PKCS8_encrypt_ex(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
  224. p8inf, ctx, propq);
  225. if (p8 == NULL)
  226. goto err;
  227. bag = PKCS12_SAFEBAG_create0_pkcs8(p8);
  228. if (bag == NULL)
  229. X509_SIG_free(p8);
  230. err:
  231. EVP_CIPHER_free(pbe_ciph_fetch);
  232. return bag;
  233. }
  234. PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
  235. const char *pass,
  236. int passlen,
  237. unsigned char *salt,
  238. int saltlen, int iter,
  239. PKCS8_PRIV_KEY_INFO *p8inf)
  240. {
  241. return PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(pbe_nid, pass, passlen,
  242. salt, saltlen, iter, p8inf,
  243. NULL, NULL);
  244. }