]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/pkcs12/p12_crt.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright year
[thirdparty/openssl.git] / crypto / pkcs12 / p12_crt.c
1 /*
2 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include "internal/cryptlib.h"
12 #include <openssl/pkcs12.h>
13 #include "p12_local.h"
14
15 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
16 PKCS12_SAFEBAG *bag);
17
18 static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
19 {
20 int idx;
21 X509_ATTRIBUTE *attr;
22 idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
23 if (idx < 0)
24 return 1;
25 attr = EVP_PKEY_get_attr(pkey, idx);
26 if (!X509at_add1_attr(&bag->attrib, attr))
27 return 0;
28 return 1;
29 }
30
31 PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert,
32 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
33 int mac_iter, int keytype)
34 {
35 PKCS12 *p12 = NULL;
36 STACK_OF(PKCS7) *safes = NULL;
37 STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
38 PKCS12_SAFEBAG *bag = NULL;
39 int i;
40 unsigned char keyid[EVP_MAX_MD_SIZE];
41 unsigned int keyidlen = 0;
42
43 /* Set defaults */
44 if (nid_cert == NID_undef)
45 nid_cert = NID_aes_256_cbc;
46 if (nid_key == NID_undef)
47 nid_key = NID_aes_256_cbc;
48 if (!iter)
49 iter = PKCS12_DEFAULT_ITER;
50 if (!mac_iter)
51 mac_iter = PKCS12_DEFAULT_ITER;
52
53 if (pkey == NULL && cert == NULL && ca == NULL) {
54 ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_NULL_ARGUMENT);
55 return NULL;
56 }
57
58 if (pkey && cert) {
59 if (!X509_check_private_key(cert, pkey))
60 return NULL;
61 if (!X509_digest(cert, EVP_sha1(), keyid, &keyidlen))
62 return NULL;
63 }
64
65 if (cert) {
66 bag = PKCS12_add_cert(&bags, cert);
67 if (name && !PKCS12_add_friendlyname(bag, name, -1))
68 goto err;
69 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
70 goto err;
71 }
72
73 /* Add all other certificates */
74 for (i = 0; i < sk_X509_num(ca); i++) {
75 if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
76 goto err;
77 }
78
79 if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
80 goto err;
81
82 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
83 bags = NULL;
84
85 if (pkey) {
86 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
87
88 if (!bag)
89 goto err;
90
91 if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
92 goto err;
93 if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
94 goto err;
95
96 if (name && !PKCS12_add_friendlyname(bag, name, -1))
97 goto err;
98 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
99 goto err;
100 }
101
102 if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
103 goto err;
104
105 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
106 bags = NULL;
107
108 p12 = PKCS12_add_safes(safes, 0);
109
110 if (p12 == NULL)
111 goto err;
112
113 sk_PKCS7_pop_free(safes, PKCS7_free);
114
115 safes = NULL;
116
117 if ((mac_iter != -1) &&
118 !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
119 goto err;
120
121 return p12;
122
123 err:
124 PKCS12_free(p12);
125 sk_PKCS7_pop_free(safes, PKCS7_free);
126 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
127 return NULL;
128
129 }
130
131 PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
132 {
133 PKCS12_SAFEBAG *bag = NULL;
134 char *name;
135 int namelen = -1;
136 unsigned char *keyid;
137 int keyidlen = -1;
138
139 /* Add user certificate */
140 if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
141 goto err;
142
143 /*
144 * Use friendlyName and localKeyID in certificate. (if present)
145 */
146
147 name = (char *)X509_alias_get0(cert, &namelen);
148
149 if (name && !PKCS12_add_friendlyname(bag, name, namelen))
150 goto err;
151
152 keyid = X509_keyid_get0(cert, &keyidlen);
153
154 if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
155 goto err;
156
157 if (!pkcs12_add_bag(pbags, bag))
158 goto err;
159
160 return bag;
161
162 err:
163 PKCS12_SAFEBAG_free(bag);
164 return NULL;
165
166 }
167
168 PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
169 EVP_PKEY *key, int key_usage, int iter,
170 int nid_key, const char *pass)
171 {
172
173 PKCS12_SAFEBAG *bag = NULL;
174 PKCS8_PRIV_KEY_INFO *p8 = NULL;
175
176 /* Make a PKCS#8 structure */
177 if ((p8 = EVP_PKEY2PKCS8(key)) == NULL)
178 goto err;
179 if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
180 goto err;
181 if (nid_key != -1) {
182 bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1, NULL, 0,
183 iter, p8);
184 PKCS8_PRIV_KEY_INFO_free(p8);
185 } else
186 bag = PKCS12_SAFEBAG_create0_p8inf(p8);
187
188 if (!bag)
189 goto err;
190
191 if (!pkcs12_add_bag(pbags, bag))
192 goto err;
193
194 return bag;
195
196 err:
197 PKCS12_SAFEBAG_free(bag);
198 return NULL;
199
200 }
201
202 PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
203 int nid_type, const unsigned char *value, int len)
204 {
205 PKCS12_SAFEBAG *bag = NULL;
206
207 /* Add secret, storing the value as an octet string */
208 if ((bag = PKCS12_SAFEBAG_create_secret(nid_type, V_ASN1_OCTET_STRING, value, len)) == NULL)
209 goto err;
210
211 if (!pkcs12_add_bag(pbags, bag))
212 goto err;
213
214 return bag;
215 err:
216 PKCS12_SAFEBAG_free(bag);
217 return NULL;
218 }
219
220 int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
221 int nid_safe, int iter, const char *pass)
222 {
223 PKCS7 *p7 = NULL;
224 int free_safes = 0;
225
226 if (*psafes == NULL) {
227 *psafes = sk_PKCS7_new_null();
228 if (*psafes == NULL)
229 return 0;
230 free_safes = 1;
231 }
232
233 if (nid_safe == 0)
234 #ifdef OPENSSL_NO_RC2
235 nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
236 #else
237 nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
238 #endif
239
240 if (nid_safe == -1)
241 p7 = PKCS12_pack_p7data(bags);
242 else
243 p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, iter, bags);
244 if (p7 == NULL)
245 goto err;
246
247 if (!sk_PKCS7_push(*psafes, p7))
248 goto err;
249
250 return 1;
251
252 err:
253 if (free_safes) {
254 sk_PKCS7_free(*psafes);
255 *psafes = NULL;
256 }
257 PKCS7_free(p7);
258 return 0;
259
260 }
261
262 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
263 PKCS12_SAFEBAG *bag)
264 {
265 int free_bags = 0;
266
267 if (pbags == NULL)
268 return 1;
269 if (*pbags == NULL) {
270 *pbags = sk_PKCS12_SAFEBAG_new_null();
271 if (*pbags == NULL)
272 return 0;
273 free_bags = 1;
274 }
275
276 if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) {
277 if (free_bags) {
278 sk_PKCS12_SAFEBAG_free(*pbags);
279 *pbags = NULL;
280 }
281 return 0;
282 }
283
284 return 1;
285
286 }
287
288 PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
289 {
290 PKCS12 *p12;
291
292 if (nid_p7 <= 0)
293 nid_p7 = NID_pkcs7_data;
294 p12 = PKCS12_init(nid_p7);
295 if (p12 == NULL)
296 return NULL;
297
298 if (!PKCS12_pack_authsafes(p12, safes)) {
299 PKCS12_free(p12);
300 return NULL;
301 }
302
303 return p12;
304
305 }
A mirror of the official openssl repository