123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703 |
- /*
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
- #include "internal/nelem.h"
- #include <openssl/pkcs12.h>
- #include <openssl/x509.h>
- #include <openssl/x509v3.h>
- #include <openssl/pem.h>
- #include "testutil.h"
- #include "pkcs12_helper.h"
- /* Set this to > 0 write test data to file */
- int write_files = 0;
- /* -------------------------------------------------------------------------
- * Local function declarations
- */
- static X509 *load_cert(const unsigned char *bytes, int len);
- static EVP_PKEY *load_pkey(const unsigned char *bytes, int len);
- static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs);
- static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
- static int write_p12(PKCS12 *p12, const char *outfile);
- static PKCS12 *from_bio_p12(BIO *bio, const PKCS12_ENC *mac);
- static PKCS12 *read_p12(const char *infile, const PKCS12_ENC *mac);
- static int check_p12_mac(PKCS12 *p12, const PKCS12_ENC *mac);
- static int check_asn1_string(const ASN1_TYPE *av, const char *txt);
- static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_ATTR *attrs);
- /* --------------------------------------------------------------------------
- * Test data load functions
- */
- static X509 *load_cert(const unsigned char *bytes, int len)
- {
- X509 *cert = NULL;
- cert = d2i_X509(NULL, &bytes, len);
- if (!TEST_ptr(cert))
- goto err;
- err:
- return cert;
- }
- static EVP_PKEY *load_pkey(const unsigned char *bytes, int len)
- {
- EVP_PKEY *pkey = NULL;
- pkey = d2i_AutoPrivateKey(NULL, &bytes, len);
- if (!TEST_ptr(pkey))
- goto err;
- err:
- return pkey;
- }
- /* -------------------------------------------------------------------------
- * PKCS12 builder
- */
- PKCS12_BUILDER *new_pkcs12_builder(const char *filename)
- {
- PKCS12_BUILDER *pb = OPENSSL_malloc(sizeof(PKCS12_BUILDER));
- if (!TEST_ptr(pb))
- return NULL;
- pb->filename = filename;
- pb->success = 1;
- return pb;
- }
- int end_pkcs12_builder(PKCS12_BUILDER *pb)
- {
- int result = pb->success;
- OPENSSL_free(pb);
- return result;
- }
- void start_pkcs12(PKCS12_BUILDER *pb)
- {
- pb->safes = NULL;
- }
- void end_pkcs12(PKCS12_BUILDER *pb)
- {
- if (!pb->success)
- return;
- generate_p12(pb, NULL);
- }
- void end_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
- {
- if (!pb->success)
- return;
- generate_p12(pb, mac);
- }
- /* Generate the PKCS12 encoding and write to memory bio */
- static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
- {
- PKCS12 *p12;
- if (!pb->success)
- return;
- pb->p12bio = BIO_new(BIO_s_mem());
- if (!TEST_ptr(pb->p12bio)) {
- pb->success = 0;
- return;
- }
- p12 = PKCS12_add_safes(pb->safes, 0);
- if (!TEST_ptr(p12)) {
- pb->success = 0;
- goto err;
- }
- sk_PKCS7_pop_free(pb->safes, PKCS7_free);
- if (mac != NULL) {
- if (!TEST_true(PKCS12_set_mac(p12, mac->pass, strlen(mac->pass),
- NULL, 0, mac->iter, EVP_get_digestbynid(mac->nid)))) {
- pb->success = 0;
- goto err;
- }
- }
- i2d_PKCS12_bio(pb->p12bio, p12);
- /* Can write to file here for debug */
- if (write_files)
- write_p12(p12, pb->filename);
- err:
- PKCS12_free(p12);
- }
- static int write_p12(PKCS12 *p12, const char *outfile)
- {
- int ret = 0;
- BIO *out = BIO_new_file(outfile, "w");
- if (out == NULL)
- goto err;
- if (!TEST_int_eq(i2d_PKCS12_bio(out, p12), 1))
- goto err;
- ret = 1;
- err:
- BIO_free(out);
- return ret;
- }
- static PKCS12 *from_bio_p12(BIO *bio, const PKCS12_ENC *mac)
- {
- PKCS12 *p12 = NULL;
- p12 = d2i_PKCS12_bio(bio, NULL);
- BIO_free(bio);
- if (!TEST_ptr(p12))
- goto err;
- if (mac == NULL) {
- if (!TEST_false(PKCS12_mac_present(p12)))
- goto err;
- } else {
- if (!check_p12_mac(p12, mac))
- goto err;
- }
- return p12;
- err:
- PKCS12_free(p12);
- return NULL;
- }
- /* For use with existing files */
- static PKCS12 *read_p12(const char *infile, const PKCS12_ENC *mac)
- {
- PKCS12 *p12 = NULL;
- BIO *in = BIO_new_file(infile, "r");
- if (in == NULL)
- goto err;
- p12 = d2i_PKCS12_bio(in, NULL);
- BIO_free(in);
- if (!TEST_ptr(p12))
- goto err;
- if (mac == NULL) {
- if (!TEST_false(PKCS12_mac_present(p12)))
- goto err;
- } else {
- if (!check_p12_mac(p12, mac))
- goto err;
- }
- return p12;
- err:
- PKCS12_free(p12);
- return NULL;
- }
- static int check_p12_mac(PKCS12 *p12, const PKCS12_ENC *mac)
- {
- return TEST_true(PKCS12_mac_present(p12))
- && TEST_true(PKCS12_verify_mac(p12, mac->pass, strlen(mac->pass)));
- }
- /* -------------------------------------------------------------------------
- * PKCS7 content info builder
- */
- void start_contentinfo(PKCS12_BUILDER *pb)
- {
- pb->bags = NULL;
- }
- void end_contentinfo(PKCS12_BUILDER *pb)
- {
- if (pb->success) {
- if (pb->bags && !TEST_true(PKCS12_add_safe(&pb->safes, pb->bags, -1, 0, NULL))) {
- pb->success = 0;
- return;
- }
- }
- sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
- pb->bags = NULL;
- }
- void end_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc)
- {
- if (pb->success) {
- if (pb->bags
- && !TEST_true(PKCS12_add_safe(&pb->safes, pb->bags, enc->nid, enc->iter, enc->pass))) {
- pb->success = 0;
- return;
- }
- }
- sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
- pb->bags = NULL;
- }
- static STACK_OF(PKCS12_SAFEBAG) *decode_contentinfo(STACK_OF(PKCS7) *safes, int idx, const PKCS12_ENC *enc)
- {
- STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
- PKCS7 *p7 = sk_PKCS7_value(safes, idx);
- int bagnid = OBJ_obj2nid(p7->type);
- if (enc) {
- if (!TEST_int_eq(bagnid, NID_pkcs7_encrypted))
- goto err;
- /* TODO: Check algorithm (iterations?) against what we originally set */
- bags = PKCS12_unpack_p7encdata(p7, enc->pass, strlen(enc->pass));
- } else {
- if (!TEST_int_eq(bagnid, NID_pkcs7_data))
- goto err;
- bags = PKCS12_unpack_p7data(p7);
- }
- if (!TEST_ptr(bags))
- goto err;
- return bags;
- err:
- return NULL;
- }
- /* -------------------------------------------------------------------------
- * PKCS12 safeBag/attribute builder
- */
- static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs)
- {
- int ret = 0;
- int attr_nid;
- const PKCS12_ATTR *p_attr = attrs;
- if (attrs == NULL)
- return 1;
- while (p_attr->oid != NULL) {
- TEST_info("Adding attribute %s = %s", p_attr->oid, p_attr->value);
- attr_nid = OBJ_txt2nid(p_attr->oid);
- if (attr_nid == NID_friendlyName) {
- if (!TEST_true(PKCS12_add_friendlyname(bag, p_attr->value, -1)))
- goto err;
- } else if (attr_nid == NID_localKeyID) {
- if (!TEST_true(PKCS12_add_localkeyid(bag, (unsigned char *)p_attr->value,
- strlen(p_attr->value))))
- goto err;
- } else {
- /* Custom attribute values limited to ASCII in these tests */
- if (!TEST_true(PKCS12_add1_attr_by_txt(bag, p_attr->oid, MBSTRING_ASC,
- (unsigned char *)p_attr->value,
- strlen(p_attr->value))))
- goto err;
- }
- p_attr++;
- }
- ret = 1;
- err:
- return ret;
- }
- void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
- const PKCS12_ATTR *attrs)
- {
- PKCS12_SAFEBAG *bag = NULL;
- X509 *cert = NULL;
- char *name;
- if (!pb->success)
- return;
- cert = load_cert(bytes, len);
- if (!TEST_ptr(cert)) {
- pb->success = 0;
- return;
- }
- name = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
- TEST_info("Adding certificate <%s>", name);
- OPENSSL_free(name);
- bag = PKCS12_add_cert(&pb->bags, cert);
- if (!TEST_ptr(bag)) {
- pb->success = 0;
- goto err;
- }
- if (!TEST_true(add_attributes(bag, attrs))) {
- pb->success = 0;
- goto err;
- }
- err:
- X509_free(cert);
- }
- void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
- const PKCS12_ATTR *attrs, const PKCS12_ENC *enc)
- {
- PKCS12_SAFEBAG *bag = NULL;
- EVP_PKEY *pkey = NULL;
- if (!pb->success)
- return;
- TEST_info("Adding key");
- pkey = load_pkey(bytes, len);
- if (!TEST_ptr(pkey)) {
- pb->success = 0;
- return;
- }
- bag = PKCS12_add_key(&pb->bags, pkey, 0 /*keytype*/, enc->iter, enc->nid, enc->pass);
- if (!TEST_ptr(bag)) {
- pb->success = 0;
- goto err;
- }
- if (!add_attributes(bag, attrs))
- pb->success = 0;
- err:
- EVP_PKEY_free(pkey);
- }
- void add_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret,
- const PKCS12_ATTR *attrs)
- {
- PKCS12_SAFEBAG *bag = NULL;
- if (!pb->success)
- return;
- TEST_info("Adding secret <%s>", secret);
- bag = PKCS12_add_secret(&pb->bags, secret_nid, (const unsigned char *)secret, strlen(secret));
- if (!TEST_ptr(bag)) {
- pb->success = 0;
- return;
- }
- if (!add_attributes(bag, attrs))
- pb->success = 0;
- }
- /* -------------------------------------------------------------------------
- * PKCS12 structure checking
- */
- static int check_asn1_string(const ASN1_TYPE *av, const char *txt)
- {
- int ret = 0;
- char *value = NULL;
- if (!TEST_ptr(av))
- goto err;
- switch (av->type) {
- case V_ASN1_BMPSTRING:
- value = OPENSSL_uni2asc(av->value.bmpstring->data,
- av->value.bmpstring->length);
- if (!TEST_str_eq(txt, (char *)value))
- goto err;
- break;
- case V_ASN1_UTF8STRING:
- if (!TEST_str_eq(txt, (char *)av->value.utf8string->data))
- goto err;
- break;
- case V_ASN1_OCTET_STRING:
- if (!TEST_str_eq(txt, (char *)av->value.octet_string->data))
- goto err;
- break;
- default:
- /* Tests do not support other attribute types currently */
- goto err;
- }
- ret = 1;
- err:
- OPENSSL_free(value);
- return ret;
- }
- static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_ATTR *attrs)
- {
- int ret = 0;
- X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
- int i, j;
- char attr_txt[100];
- for (i = 0; i < sk_X509_ATTRIBUTE_num(bag_attrs); i++) {
- const PKCS12_ATTR *p_attr = attrs;
- ASN1_OBJECT *attr_obj;
- attr = sk_X509_ATTRIBUTE_value(bag_attrs, i);
- attr_obj = X509_ATTRIBUTE_get0_object(attr);
- OBJ_obj2txt(attr_txt, 100, attr_obj, 0);
- while(p_attr->oid != NULL) {
- /* Find a matching attribute type */
- if (strcmp(p_attr->oid, attr_txt) == 0) {
- /* TODO: Handle multi-value attributes */
- if (!TEST_int_eq(X509_ATTRIBUTE_count(attr), 1))
- goto err;
- for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
- {
- av = X509_ATTRIBUTE_get0_type(attr, j);
- if (!TEST_true(check_asn1_string(av, p_attr->value)))
- goto err;
- }
- break;
- }
- p_attr++;
- }
- }
- ret = 1;
- err:
- return ret;
- }
- void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
- const PKCS12_ATTR *attrs)
- {
- X509 *x509 = NULL;
- X509 *ref_x509 = NULL;
- const PKCS12_SAFEBAG *bag;
- if (!pb->success)
- return;
- bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
- if (!TEST_ptr(bag)) {
- pb->success = 0;
- return;
- }
- if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)
- || !TEST_int_eq(PKCS12_SAFEBAG_get_nid(bag), NID_certBag)
- || !TEST_int_eq(PKCS12_SAFEBAG_get_bag_nid(bag), NID_x509Certificate)) {
- pb->success = 0;
- return;
- }
- x509 = PKCS12_SAFEBAG_get1_cert(bag);
- if (!TEST_ptr(x509)) {
- pb->success = 0;
- goto err;
- }
- ref_x509 = load_cert(bytes, len);
- if (!TEST_false(X509_cmp(x509, ref_x509)))
- pb->success = 0;
- err:
- X509_free(x509);
- X509_free(ref_x509);
- }
- void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
- const PKCS12_ATTR *attrs, const PKCS12_ENC *enc)
- {
- EVP_PKEY *pkey = NULL;
- EVP_PKEY *ref_pkey = NULL;
- PKCS8_PRIV_KEY_INFO *p8;
- const PKCS8_PRIV_KEY_INFO *p8c;
- const PKCS12_SAFEBAG *bag;
- if (!pb->success)
- return;
- bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
- if (!TEST_ptr(bag)) {
- pb->success = 0;
- return;
- }
- if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)) {
- pb->success = 0;
- return;
- }
- switch (PKCS12_SAFEBAG_get_nid(bag)) {
- case NID_keyBag:
- p8c = PKCS12_SAFEBAG_get0_p8inf(bag);
- if (!TEST_ptr(pkey = EVP_PKCS82PKEY(p8c))) {
- pb->success = 0;
- goto err;
- }
- /* TODO: handle key attributes */
- /* PKCS8_pkey_get0_attrs(p8c); */
- break;
- case NID_pkcs8ShroudedKeyBag:
- if (!TEST_ptr(p8 = PKCS12_decrypt_skey(bag, enc->pass, strlen(enc->pass)))) {
- pb->success = 0;
- goto err;
- }
- if (!TEST_ptr(pkey = EVP_PKCS82PKEY(p8))) {
- PKCS8_PRIV_KEY_INFO_free(p8);
- pb->success = 0;
- goto err;
- }
- /* TODO: handle key attributes */
- /* PKCS8_pkey_get0_attrs(p8); */
- PKCS8_PRIV_KEY_INFO_free(p8);
- break;
- default:
- pb->success = 0;
- goto err;
- }
- /* PKEY compare returns 1 for match */
- ref_pkey = load_pkey(bytes, len);
- if (!TEST_true(EVP_PKEY_eq(pkey, ref_pkey)))
- pb->success = 0;
- err:
- EVP_PKEY_free(pkey);
- EVP_PKEY_free(ref_pkey);
- }
- void check_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret, const PKCS12_ATTR *attrs)
- {
- const PKCS12_SAFEBAG *bag;
- if (!pb->success)
- return;
-
- bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
- if (!TEST_ptr(bag)) {
- pb->success = 0;
- return;
- }
-
- if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)
- || !TEST_int_eq(PKCS12_SAFEBAG_get_nid(bag), NID_secretBag)
- || !TEST_int_eq(PKCS12_SAFEBAG_get_bag_nid(bag), secret_nid)
- || !TEST_true(check_asn1_string(PKCS12_SAFEBAG_get0_bag_obj(bag), secret)))
- pb->success = 0;
- }
- void start_check_pkcs12(PKCS12_BUILDER *pb)
- {
- PKCS12 *p12 = from_bio_p12(pb->p12bio, NULL);
- if (!TEST_ptr(p12)) {
- pb->success = 0;
- return;
- }
- pb->safes = PKCS12_unpack_authsafes(p12);
- if (!TEST_ptr(pb->safes))
- pb->success = 0;
- pb->safe_idx = 0;
- PKCS12_free(p12);
- }
- void start_check_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
- {
- PKCS12 *p12 = from_bio_p12(pb->p12bio, mac);
- if (!TEST_ptr(p12)) {
- pb->success = 0;
- return;
- }
- pb->safes = PKCS12_unpack_authsafes(p12);
- if (!TEST_ptr(pb->safes))
- pb->success = 0;
- pb->safe_idx = 0;
- PKCS12_free(p12);
- }
- void start_check_pkcs12_file(PKCS12_BUILDER *pb)
- {
- PKCS12 *p12 = read_p12(pb->filename, NULL);
- if (!TEST_ptr(p12)) {
- pb->success = 0;
- return;
- }
- pb->safes = PKCS12_unpack_authsafes(p12);
- if (!TEST_ptr(pb->safes))
- pb->success = 0;
- pb->safe_idx = 0;
- PKCS12_free(p12);
- }
-
- void start_check_pkcs12_file_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
- {
- PKCS12 *p12 = read_p12(pb->filename, mac);
- if (!TEST_ptr(p12)) {
- pb->success = 0;
- return;
- }
- pb->safes = PKCS12_unpack_authsafes(p12);
- if (!TEST_ptr(pb->safes))
- pb->success = 0;
- pb->safe_idx = 0;
- PKCS12_free(p12);
- }
- void end_check_pkcs12(PKCS12_BUILDER *pb)
- {
- sk_PKCS7_pop_free(pb->safes, PKCS7_free);
- }
- void start_check_contentinfo(PKCS12_BUILDER *pb)
- {
- pb->bag_idx = 0;
- pb->bags = decode_contentinfo(pb->safes, pb->safe_idx++, NULL);
- if (!TEST_ptr(pb->bags)) {
- pb->success = 0;
- return;
- }
- TEST_info("Decoding %d bags", sk_PKCS12_SAFEBAG_num(pb->bags));
- }
- void start_check_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc)
- {
- pb->bag_idx = 0;
- pb->bags = decode_contentinfo(pb->safes, pb->safe_idx++, enc);
- if (!TEST_ptr(pb->bags)) {
- pb->success = 0;
- return;
- }
- TEST_info("Decoding %d bags", sk_PKCS12_SAFEBAG_num(pb->bags));
- }
- void end_check_contentinfo(PKCS12_BUILDER *pb)
- {
- if (!TEST_int_eq(sk_PKCS12_SAFEBAG_num(pb->bags), pb->bag_idx))
- pb->success = 0;
- sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
- pb->bags = NULL;
- }
|