Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: 953a1665e2
Branches Tags
openssl
/
crypto
/
pkcs12
/
p12_crt.c

p12_crt.c 9.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358 
  1. /* p12_crt.c */
    2. 

  2. /*
    3. 

  3.  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
    4. 

  4.  * project.
    5. 

  5.  */
    6. 

  6. /* ====================================================================
    7. 

  7.  * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
    8. 

  8.  *
    9. 

  9.  * Redistribution and use in source and binary forms, with or without
    10. 

  10.  * modification, are permitted provided that the following conditions
    11. 

  11.  * are met:
    12. 

  12.  *
    13. 

  13.  * 1. Redistributions of source code must retain the above copyright
    14. 

  14.  *    notice, this list of conditions and the following disclaimer.
    15. 

  15.  *
    16. 

  16.  * 2. Redistributions in binary form must reproduce the above copyright
    17. 

  17.  *    notice, this list of conditions and the following disclaimer in
    18. 

  18.  *    the documentation and/or other materials provided with the
    19. 

  19.  *    distribution.
    20. 

  20.  *
    21. 

  21.  * 3. All advertising materials mentioning features or use of this
    22. 

  22.  *    software must display the following acknowledgment:
    23. 

  23.  *    "This product includes software developed by the OpenSSL Project
    24. 

  24.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
    25. 

  25.  *
    26. 

  26.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
    27. 

  27.  *    endorse or promote products derived from this software without
    28. 

  28.  *    prior written permission. For written permission, please contact
    29. 

  29.  *    licensing@OpenSSL.org.
    30. 

  30.  *
    31. 

  31.  * 5. Products derived from this software may not be called "OpenSSL"
    32. 

  32.  *    nor may "OpenSSL" appear in their names without prior written
    33. 

  33.  *    permission of the OpenSSL Project.
    34. 

  34.  *
    35. 

  35.  * 6. Redistributions of any form whatsoever must retain the following
    36. 

  36.  *    acknowledgment:
    37. 

  37.  *    "This product includes software developed by the OpenSSL Project
    38. 

  38.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
    39. 

  39.  *
    40. 

  40.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
    41. 

  41.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    42. 

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    43. 

  43.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
    44. 

  44.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    45. 

  45.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    46. 

  46.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    47. 

  47.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    48. 

  48.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    49. 

  49.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    50. 

  50.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    51. 

  51.  * OF THE POSSIBILITY OF SUCH DAMAGE.
    52. 

  52.  * ====================================================================
    53. 

  53.  *
    54. 

  54.  * This product includes cryptographic software written by Eric Young
    55. 

  55.  * (eay@cryptsoft.com).  This product includes software written by Tim
    56. 

  56.  * Hudson (tjh@cryptsoft.com).
    57. 

  57.  *
    58. 

  58.  */
    59. 

  59. 

  60. #include <stdio.h>
    61. 

  61. #include "cryptlib.h"
    62. 

  62. #include <openssl/pkcs12.h>
    63. 

  63. 

  64. static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
    65. 

  65.                           PKCS12_SAFEBAG *bag);
    66. 

  66. 

  67. static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
    68. 

  68. {
    69. 

  69.     int idx;
    70. 

  70.     X509_ATTRIBUTE *attr;
    71. 

  71.     idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
    72. 

  72.     if (idx < 0)
    73. 

  73.         return 1;
    74. 

  74.     attr = EVP_PKEY_get_attr(pkey, idx);
    75. 

  75.     if (!X509at_add1_attr(&bag->attrib, attr))
    76. 

  76.         return 0;
    77. 

  77.     return 1;
    78. 

  78. }
    79. 

  79. 

  80. PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
    81. 

  81.                       STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
    82. 

  82.                       int mac_iter, int keytype)
    83. 

  83. {
    84. 

  84.     PKCS12 *p12 = NULL;
    85. 

  85.     STACK_OF(PKCS7) *safes = NULL;
    86. 

  86.     STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
    87. 

  87.     PKCS12_SAFEBAG *bag = NULL;
    88. 

  88.     int i;
    89. 

  89.     unsigned char keyid[EVP_MAX_MD_SIZE];
    90. 

  90.     unsigned int keyidlen = 0;
    91. 

  91. 

  92.     /* Set defaults */
    93. 

  93.     if (!nid_cert) {
    94. 

  94. #ifdef OPENSSL_FIPS
    95. 

  95.         if (FIPS_mode())
    96. 

  96.             nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    97. 

  97.         else
    98. 

  98. #endif
    99. 

  99. #ifdef OPENSSL_NO_RC2
    100. 

  100.             nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    101. 

  101. #else
    102. 

  102.             nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
    103. 

  103. #endif
    104. 

  104.     }
    105. 

  105.     if (!nid_key)
    106. 

  106.         nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    107. 

  107.     if (!iter)
    108. 

  108.         iter = PKCS12_DEFAULT_ITER;
    109. 

  109.     if (!mac_iter)
    110. 

  110.         mac_iter = 1;
    111. 

  111. 

  112.     if (!pkey && !cert && !ca) {
    113. 

  113.         PKCS12err(PKCS12_F_PKCS12_CREATE, PKCS12_R_INVALID_NULL_ARGUMENT);
    114. 

  114.         return NULL;
    115. 

  115.     }
    116. 

  116. 

  117.     if (pkey && cert) {
    118. 

  118.         if (!X509_check_private_key(cert, pkey))
    119. 

  119.             return NULL;
    120. 

  120.         X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
    121. 

  121.     }
    122. 

  122. 

  123.     if (cert) {
    124. 

  124.         bag = PKCS12_add_cert(&bags, cert);
    125. 

  125.         if (name && !PKCS12_add_friendlyname(bag, name, -1))
    126. 

  126.             goto err;
    127. 

  127.         if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
    128. 

  128.             goto err;
    129. 

  129.     }
    130. 

  130. 

  131.     /* Add all other certificates */
    132. 

  132.     for (i = 0; i < sk_X509_num(ca); i++) {
    133. 

  133.         if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
    134. 

  134.             goto err;
    135. 

  135.     }
    136. 

  136. 

  137.     if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
    138. 

  138.         goto err;
    139. 

  139. 

  140.     sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    141. 

  141.     bags = NULL;
    142. 

  142. 

  143.     if (pkey) {
    144. 

  144.         bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
    145. 

  145. 

  146.         if (!bag)
    147. 

  147.             goto err;
    148. 

  148. 

  149.         if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
    150. 

  150.             goto err;
    151. 

  151.         if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
    152. 

  152.             goto err;
    153. 

  153. 

  154.         if (name && !PKCS12_add_friendlyname(bag, name, -1))
    155. 

  155.             goto err;
    156. 

  156.         if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
    157. 

  157.             goto err;
    158. 

  158.     }
    159. 

  159. 

  160.     if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
    161. 

  161.         goto err;
    162. 

  162. 

  163.     sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    164. 

  164.     bags = NULL;
    165. 

  165. 

  166.     p12 = PKCS12_add_safes(safes, 0);
    167. 

  167. 

  168.     if (!p12)
    169. 

  169.         goto err;
    170. 

  170. 

  171.     sk_PKCS7_pop_free(safes, PKCS7_free);
    172. 

  172. 

  173.     safes = NULL;
    174. 

  174. 

  175.     if ((mac_iter != -1) &&
    176. 

  176.         !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
    177. 

  177.         goto err;
    178. 

  178. 

  179.     return p12;
    180. 

  180. 

  181.  err:
    182. 

  182. 

  183.     if (p12)
    184. 

  184.         PKCS12_free(p12);
    185. 

  185.     if (safes)
    186. 

  186.         sk_PKCS7_pop_free(safes, PKCS7_free);
    187. 

  187.     if (bags)
    188. 

  188.         sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    189. 

  189.     return NULL;
    190. 

  190. 

  191. }
    192. 

  192. 

  193. PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
    194. 

  194. {
    195. 

  195.     PKCS12_SAFEBAG *bag = NULL;
    196. 

  196.     char *name;
    197. 

  197.     int namelen = -1;
    198. 

  198.     unsigned char *keyid;
    199. 

  199.     int keyidlen = -1;
    200. 

  200. 

  201.     /* Add user certificate */
    202. 

  202.     if (!(bag = PKCS12_x5092certbag(cert)))
    203. 

  203.         goto err;
    204. 

  204. 

  205.     /*
    206. 

  206.      * Use friendlyName and localKeyID in certificate. (if present)
    207. 

  207.      */
    208. 

  208. 

  209.     name = (char *)X509_alias_get0(cert, &namelen);
    210. 

  210. 

  211.     if (name && !PKCS12_add_friendlyname(bag, name, namelen))
    212. 

  212.         goto err;
    213. 

  213. 

  214.     keyid = X509_keyid_get0(cert, &keyidlen);
    215. 

  215. 

  216.     if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
    217. 

  217.         goto err;
    218. 

  218. 

  219.     if (!pkcs12_add_bag(pbags, bag))
    220. 

  220.         goto err;
    221. 

  221. 

  222.     return bag;
    223. 

  223. 

  224.  err:
    225. 

  225. 

  226.     if (bag)
    227. 

  227.         PKCS12_SAFEBAG_free(bag);
    228. 

  228. 

  229.     return NULL;
    230. 

  230. 

  231. }
    232. 

  232. 

  233. PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
    234. 

  234.                                EVP_PKEY *key, int key_usage, int iter,
    235. 

  235.                                int nid_key, char *pass)
    236. 

  236. {
    237. 

  237. 

  238.     PKCS12_SAFEBAG *bag = NULL;
    239. 

  239.     PKCS8_PRIV_KEY_INFO *p8 = NULL;
    240. 

  240. 

  241.     /* Make a PKCS#8 structure */
    242. 

  242.     if (!(p8 = EVP_PKEY2PKCS8(key)))
    243. 

  243.         goto err;
    244. 

  244.     if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
    245. 

  245.         goto err;
    246. 

  246.     if (nid_key != -1) {
    247. 

  247.         bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8);
    248. 

  248.         PKCS8_PRIV_KEY_INFO_free(p8);
    249. 

  249.     } else
    250. 

  250.         bag = PKCS12_MAKE_KEYBAG(p8);
    251. 

  251. 

  252.     if (!bag)
    253. 

  253.         goto err;
    254. 

  254. 

  255.     if (!pkcs12_add_bag(pbags, bag))
    256. 

  256.         goto err;
    257. 

  257. 

  258.     return bag;
    259. 

  259. 

  260.  err:
    261. 

  261. 

  262.     if (bag)
    263. 

  263.         PKCS12_SAFEBAG_free(bag);
    264. 

  264. 

  265.     return NULL;
    266. 

  266. 

  267. }
    268. 

  268. 

  269. int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
    270. 

  270.                     int nid_safe, int iter, char *pass)
    271. 

  271. {
    272. 

  272.     PKCS7 *p7 = NULL;
    273. 

  273.     int free_safes = 0;
    274. 

  274. 

  275.     if (!*psafes) {
    276. 

  276.         *psafes = sk_PKCS7_new_null();
    277. 

  277.         if (!*psafes)
    278. 

  278.             return 0;
    279. 

  279.         free_safes = 1;
    280. 

  280.     } else
    281. 

  281.         free_safes = 0;
    282. 

  282. 

  283.     if (nid_safe == 0)
    284. 

  284. #ifdef OPENSSL_NO_RC2
    285. 

  285.         nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    286. 

  286. #else
    287. 

  287.         nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
    288. 

  288. #endif
    289. 

  289. 

  290.     if (nid_safe == -1)
    291. 

  291.         p7 = PKCS12_pack_p7data(bags);
    292. 

  292.     else
    293. 

  293.         p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, iter, bags);
    294. 

  294.     if (!p7)
    295. 

  295.         goto err;
    296. 

  296. 

  297.     if (!sk_PKCS7_push(*psafes, p7))
    298. 

  298.         goto err;
    299. 

  299. 

  300.     return 1;
    301. 

  301. 

  302.  err:
    303. 

  303.     if (free_safes) {
    304. 

  304.         sk_PKCS7_free(*psafes);
    305. 

  305.         *psafes = NULL;
    306. 

  306.     }
    307. 

  307. 

  308.     if (p7)
    309. 

  309.         PKCS7_free(p7);
    310. 

  310. 

  311.     return 0;
    312. 

  312. 

  313. }
    314. 

  314. 

  315. static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
    316. 

  316.                           PKCS12_SAFEBAG *bag)
    317. 

  317. {
    318. 

  318.     int free_bags;
    319. 

  319.     if (!pbags)
    320. 

  320.         return 1;
    321. 

  321.     if (!*pbags) {
    322. 

  322.         *pbags = sk_PKCS12_SAFEBAG_new_null();
    323. 

  323.         if (!*pbags)
    324. 

  324.             return 0;
    325. 

  325.         free_bags = 1;
    326. 

  326.     } else
    327. 

  327.         free_bags = 0;
    328. 

  328. 

  329.     if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) {
    330. 

  330.         if (free_bags) {
    331. 

  331.             sk_PKCS12_SAFEBAG_free(*pbags);
    332. 

  332.             *pbags = NULL;
    333. 

  333.         }
    334. 

  334.         return 0;
    335. 

  335.     }
    336. 

  336. 

  337.     return 1;
    338. 

  338. 

  339. }
    340. 

  340. 

  341. PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
    342. 

  342. {
    343. 

  343.     PKCS12 *p12;
    344. 

  344.     if (nid_p7 <= 0)
    345. 

  345.         nid_p7 = NID_pkcs7_data;
    346. 

  346.     p12 = PKCS12_init(nid_p7);
    347. 

  347. 

  348.     if (!p12)
    349. 

  349.         return NULL;
    350. 

  350. 

  351.     if (!PKCS12_pack_authsafes(p12, safes)) {
    352. 

  352.         PKCS12_free(p12);
    353. 

  353.         return NULL;
    354. 

  354.     }
    355. 

  355. 

  356.     return p12;
    357. 

  357. 

  358. }
    359.