2 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/pkcs12.h>
13 #include "p12_local.h"
15 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
18 static int copy_bag_attr(PKCS12_SAFEBAG
*bag
, EVP_PKEY
*pkey
, int nid
)
22 idx
= EVP_PKEY_get_attr_by_NID(pkey
, nid
, -1);
25 attr
= EVP_PKEY_get_attr(pkey
, idx
);
26 if (!X509at_add1_attr(&bag
->attrib
, attr
))
31 PKCS12
*PKCS12_create(const char *pass
, const char *name
, EVP_PKEY
*pkey
, X509
*cert
,
32 STACK_OF(X509
) *ca
, int nid_key
, int nid_cert
, int iter
,
33 int mac_iter
, int keytype
)
36 STACK_OF(PKCS7
) *safes
= NULL
;
37 STACK_OF(PKCS12_SAFEBAG
) *bags
= NULL
;
38 PKCS12_SAFEBAG
*bag
= NULL
;
40 unsigned char keyid
[EVP_MAX_MD_SIZE
];
41 unsigned int keyidlen
= 0;
44 if (nid_cert
== NID_undef
)
45 nid_cert
= NID_aes_256_cbc
;
46 if (nid_key
== NID_undef
)
47 nid_key
= NID_aes_256_cbc
;
49 iter
= PKCS12_DEFAULT_ITER
;
51 mac_iter
= PKCS12_DEFAULT_ITER
;
53 if (pkey
== NULL
&& cert
== NULL
&& ca
== NULL
) {
54 ERR_raise(ERR_LIB_PKCS12
, PKCS12_R_INVALID_NULL_ARGUMENT
);
59 if (!X509_check_private_key(cert
, pkey
))
61 if (!X509_digest(cert
, EVP_sha1(), keyid
, &keyidlen
))
66 bag
= PKCS12_add_cert(&bags
, cert
);
67 if (name
&& !PKCS12_add_friendlyname(bag
, name
, -1))
69 if (keyidlen
&& !PKCS12_add_localkeyid(bag
, keyid
, keyidlen
))
73 /* Add all other certificates */
74 for (i
= 0; i
< sk_X509_num(ca
); i
++) {
75 if (!PKCS12_add_cert(&bags
, sk_X509_value(ca
, i
)))
79 if (bags
&& !PKCS12_add_safe(&safes
, bags
, nid_cert
, iter
, pass
))
82 sk_PKCS12_SAFEBAG_pop_free(bags
, PKCS12_SAFEBAG_free
);
86 bag
= PKCS12_add_key(&bags
, pkey
, keytype
, iter
, nid_key
, pass
);
91 if (!copy_bag_attr(bag
, pkey
, NID_ms_csp_name
))
93 if (!copy_bag_attr(bag
, pkey
, NID_LocalKeySet
))
96 if (name
&& !PKCS12_add_friendlyname(bag
, name
, -1))
98 if (keyidlen
&& !PKCS12_add_localkeyid(bag
, keyid
, keyidlen
))
102 if (bags
&& !PKCS12_add_safe(&safes
, bags
, -1, 0, NULL
))
105 sk_PKCS12_SAFEBAG_pop_free(bags
, PKCS12_SAFEBAG_free
);
108 p12
= PKCS12_add_safes(safes
, 0);
113 sk_PKCS7_pop_free(safes
, PKCS7_free
);
117 if ((mac_iter
!= -1) &&
118 !PKCS12_set_mac(p12
, pass
, -1, NULL
, 0, mac_iter
, NULL
))
125 sk_PKCS7_pop_free(safes
, PKCS7_free
);
126 sk_PKCS12_SAFEBAG_pop_free(bags
, PKCS12_SAFEBAG_free
);
131 PKCS12_SAFEBAG
*PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG
) **pbags
, X509
*cert
)
133 PKCS12_SAFEBAG
*bag
= NULL
;
136 unsigned char *keyid
;
139 /* Add user certificate */
140 if ((bag
= PKCS12_SAFEBAG_create_cert(cert
)) == NULL
)
144 * Use friendlyName and localKeyID in certificate. (if present)
147 name
= (char *)X509_alias_get0(cert
, &namelen
);
149 if (name
&& !PKCS12_add_friendlyname(bag
, name
, namelen
))
152 keyid
= X509_keyid_get0(cert
, &keyidlen
);
154 if (keyid
&& !PKCS12_add_localkeyid(bag
, keyid
, keyidlen
))
157 if (!pkcs12_add_bag(pbags
, bag
))
163 PKCS12_SAFEBAG_free(bag
);
168 PKCS12_SAFEBAG
*PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
169 EVP_PKEY
*key
, int key_usage
, int iter
,
170 int nid_key
, const char *pass
)
173 PKCS12_SAFEBAG
*bag
= NULL
;
174 PKCS8_PRIV_KEY_INFO
*p8
= NULL
;
176 /* Make a PKCS#8 structure */
177 if ((p8
= EVP_PKEY2PKCS8(key
)) == NULL
)
179 if (key_usage
&& !PKCS8_add_keyusage(p8
, key_usage
))
182 bag
= PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key
, pass
, -1, NULL
, 0,
184 PKCS8_PRIV_KEY_INFO_free(p8
);
186 bag
= PKCS12_SAFEBAG_create0_p8inf(p8
);
191 if (!pkcs12_add_bag(pbags
, bag
))
197 PKCS12_SAFEBAG_free(bag
);
202 PKCS12_SAFEBAG
*PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
203 int nid_type
, const unsigned char *value
, int len
)
205 PKCS12_SAFEBAG
*bag
= NULL
;
207 /* Add secret, storing the value as an octet string */
208 if ((bag
= PKCS12_SAFEBAG_create_secret(nid_type
, V_ASN1_OCTET_STRING
, value
, len
)) == NULL
)
211 if (!pkcs12_add_bag(pbags
, bag
))
216 PKCS12_SAFEBAG_free(bag
);
220 int PKCS12_add_safe(STACK_OF(PKCS7
) **psafes
, STACK_OF(PKCS12_SAFEBAG
) *bags
,
221 int nid_safe
, int iter
, const char *pass
)
226 if (*psafes
== NULL
) {
227 *psafes
= sk_PKCS7_new_null();
234 #ifdef OPENSSL_NO_RC2
235 nid_safe
= NID_pbe_WithSHA1And3_Key_TripleDES_CBC
;
237 nid_safe
= NID_pbe_WithSHA1And40BitRC2_CBC
;
241 p7
= PKCS12_pack_p7data(bags
);
243 p7
= PKCS12_pack_p7encdata(nid_safe
, pass
, -1, NULL
, 0, iter
, bags
);
247 if (!sk_PKCS7_push(*psafes
, p7
))
254 sk_PKCS7_free(*psafes
);
262 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
269 if (*pbags
== NULL
) {
270 *pbags
= sk_PKCS12_SAFEBAG_new_null();
276 if (!sk_PKCS12_SAFEBAG_push(*pbags
, bag
)) {
278 sk_PKCS12_SAFEBAG_free(*pbags
);
288 PKCS12
*PKCS12_add_safes(STACK_OF(PKCS7
) *safes
, int nid_p7
)
293 nid_p7
= NID_pkcs7_data
;
294 p12
= PKCS12_init(nid_p7
);
298 if (!PKCS12_pack_authsafes(p12
, safes
)) {