]>
Commit | Line | Data |
---|---|---|
0f113f3e MC |
1 | /* |
2 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project | |
3 | * 1999. | |
21131f00 DSH |
4 | */ |
5 | /* ==================================================================== | |
6 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | |
7 | * | |
8 | * Redistribution and use in source and binary forms, with or without | |
9 | * modification, are permitted provided that the following conditions | |
10 | * are met: | |
11 | * | |
12 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 13 | * notice, this list of conditions and the following disclaimer. |
21131f00 DSH |
14 | * |
15 | * 2. Redistributions in binary form must reproduce the above copyright | |
16 | * notice, this list of conditions and the following disclaimer in | |
17 | * the documentation and/or other materials provided with the | |
18 | * distribution. | |
19 | * | |
20 | * 3. All advertising materials mentioning features or use of this | |
21 | * software must display the following acknowledgment: | |
22 | * "This product includes software developed by the OpenSSL Project | |
23 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
24 | * | |
25 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
26 | * endorse or promote products derived from this software without | |
27 | * prior written permission. For written permission, please contact | |
28 | * licensing@OpenSSL.org. | |
29 | * | |
30 | * 5. Products derived from this software may not be called "OpenSSL" | |
31 | * nor may "OpenSSL" appear in their names without prior written | |
32 | * permission of the OpenSSL Project. | |
33 | * | |
34 | * 6. Redistributions of any form whatsoever must retain the following | |
35 | * acknowledgment: | |
36 | * "This product includes software developed by the OpenSSL Project | |
37 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
38 | * | |
39 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
40 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
41 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
42 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
43 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
44 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
45 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
46 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
48 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
49 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
50 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
51 | * ==================================================================== | |
52 | * | |
53 | * This product includes cryptographic software written by Eric Young | |
54 | * (eay@cryptsoft.com). This product includes software written by Tim | |
55 | * Hudson (tjh@cryptsoft.com). | |
56 | * | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
60 | #include <stdlib.h> | |
61 | #include <string.h> | |
62 | #include <openssl/pem.h> | |
63 | #include <openssl/err.h> | |
64 | #include <openssl/pkcs12.h> | |
03922a63 | 65 | #include "p12_lcl.h" |
21131f00 DSH |
66 | |
67 | /* PKCS#12 password change routine */ | |
68 | ||
69 | static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass); | |
f2716dad | 70 | static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, |
0f113f3e | 71 | char *newpass); |
21131f00 DSH |
72 | static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass); |
73 | static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); | |
74 | ||
0f113f3e | 75 | /* |
21131f00 DSH |
76 | * Change the password on a PKCS#12 structure. |
77 | */ | |
78 | ||
79 | int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) | |
80 | { | |
0f113f3e MC |
81 | /* Check for NULL PKCS12 structure */ |
82 | ||
83 | if (!p12) { | |
84 | PKCS12err(PKCS12_F_PKCS12_NEWPASS, | |
85 | PKCS12_R_INVALID_NULL_PKCS12_POINTER); | |
86 | return 0; | |
87 | } | |
88 | ||
89 | /* Check the mac */ | |
90 | ||
91 | if (!PKCS12_verify_mac(p12, oldpass, -1)) { | |
92 | PKCS12err(PKCS12_F_PKCS12_NEWPASS, PKCS12_R_MAC_VERIFY_FAILURE); | |
93 | return 0; | |
94 | } | |
95 | ||
96 | if (!newpass_p12(p12, oldpass, newpass)) { | |
97 | PKCS12err(PKCS12_F_PKCS12_NEWPASS, PKCS12_R_PARSE_ERROR); | |
98 | return 0; | |
99 | } | |
100 | ||
101 | return 1; | |
21131f00 DSH |
102 | } |
103 | ||
104 | /* Parse the outer PKCS#12 structure */ | |
105 | ||
106 | static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) | |
107 | { | |
d800d0f4 DSH |
108 | STACK_OF(PKCS7) *asafes = NULL, *newsafes = NULL; |
109 | STACK_OF(PKCS12_SAFEBAG) *bags = NULL; | |
0f113f3e MC |
110 | int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0; |
111 | PKCS7 *p7, *p7new; | |
a6eb1ce6 | 112 | ASN1_OCTET_STRING *p12_data_tmp = NULL, *macoct = NULL; |
0f113f3e MC |
113 | unsigned char mac[EVP_MAX_MD_SIZE]; |
114 | unsigned int maclen; | |
d800d0f4 | 115 | int rv = 0; |
0f113f3e | 116 | |
75ebbd9a | 117 | if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL) |
d800d0f4 | 118 | goto err; |
75ebbd9a | 119 | if ((newsafes = sk_PKCS7_new_null()) == NULL) |
d800d0f4 | 120 | goto err; |
0f113f3e MC |
121 | for (i = 0; i < sk_PKCS7_num(asafes); i++) { |
122 | p7 = sk_PKCS7_value(asafes, i); | |
123 | bagnid = OBJ_obj2nid(p7->type); | |
124 | if (bagnid == NID_pkcs7_data) { | |
125 | bags = PKCS12_unpack_p7data(p7); | |
126 | } else if (bagnid == NID_pkcs7_encrypted) { | |
127 | bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); | |
128 | if (!alg_get(p7->d.encrypted->enc_data->algorithm, | |
d800d0f4 DSH |
129 | &pbe_nid, &pbe_iter, &pbe_saltlen)) |
130 | goto err; | |
131 | } else { | |
0f113f3e | 132 | continue; |
0f113f3e | 133 | } |
d800d0f4 DSH |
134 | if (bags == NULL) |
135 | goto err; | |
136 | if (!newpass_bags(bags, oldpass, newpass)) | |
137 | goto err; | |
0f113f3e MC |
138 | /* Repack bag in same form with new password */ |
139 | if (bagnid == NID_pkcs7_data) | |
140 | p7new = PKCS12_pack_p7data(bags); | |
141 | else | |
142 | p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL, | |
143 | pbe_saltlen, pbe_iter, bags); | |
d800d0f4 DSH |
144 | if (!p7new || !sk_PKCS7_push(newsafes, p7new)) |
145 | goto err; | |
0f113f3e | 146 | sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); |
d800d0f4 | 147 | bags = NULL; |
0f113f3e | 148 | } |
0f113f3e MC |
149 | |
150 | /* Repack safe: save old safe in case of error */ | |
151 | ||
152 | p12_data_tmp = p12->authsafes->d.data; | |
75ebbd9a | 153 | if ((p12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL) |
d800d0f4 | 154 | goto err; |
0f113f3e | 155 | if (!PKCS12_pack_authsafes(p12, newsafes)) |
d800d0f4 | 156 | goto err; |
0f113f3e MC |
157 | |
158 | if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) | |
d800d0f4 | 159 | goto err; |
a6eb1ce6 DSH |
160 | X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); |
161 | if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) | |
d800d0f4 | 162 | goto err; |
0f113f3e | 163 | |
d800d0f4 | 164 | rv = 1; |
21131f00 | 165 | |
d800d0f4 DSH |
166 | err: |
167 | /* Restore old safe if necessary */ | |
168 | if (rv == 1) { | |
169 | ASN1_OCTET_STRING_free(p12_data_tmp); | |
170 | } else if (p12_data_tmp != NULL) { | |
171 | ASN1_OCTET_STRING_free(p12->authsafes->d.data); | |
172 | p12->authsafes->d.data = p12_data_tmp; | |
173 | } | |
174 | sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); | |
175 | sk_PKCS7_pop_free(asafes, PKCS7_free); | |
176 | sk_PKCS7_pop_free(newsafes, PKCS7_free); | |
177 | return rv; | |
21131f00 DSH |
178 | } |
179 | ||
f2716dad | 180 | static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, |
0f113f3e | 181 | char *newpass) |
21131f00 | 182 | { |
0f113f3e MC |
183 | int i; |
184 | for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { | |
185 | if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i), oldpass, newpass)) | |
186 | return 0; | |
187 | } | |
188 | return 1; | |
21131f00 DSH |
189 | } |
190 | ||
191 | /* Change password of safebag: only needs handle shrouded keybags */ | |
192 | ||
193 | static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) | |
194 | { | |
0f113f3e MC |
195 | PKCS8_PRIV_KEY_INFO *p8; |
196 | X509_SIG *p8new; | |
197 | int p8_nid, p8_saltlen, p8_iter; | |
a6eb1ce6 | 198 | X509_ALGOR *shalg; |
0f113f3e | 199 | |
762ee38d | 200 | if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag) |
0f113f3e MC |
201 | return 1; |
202 | ||
75ebbd9a | 203 | if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL) |
0f113f3e | 204 | return 0; |
a6eb1ce6 DSH |
205 | X509_SIG_get0(&shalg, NULL, bag->value.shkeybag); |
206 | if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen)) | |
0f113f3e | 207 | return 0; |
d800d0f4 DSH |
208 | p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, |
209 | p8_iter, p8); | |
210 | PKCS8_PRIV_KEY_INFO_free(p8); | |
211 | if (p8new == NULL) | |
0f113f3e MC |
212 | return 0; |
213 | X509_SIG_free(bag->value.shkeybag); | |
214 | bag->value.shkeybag = p8new; | |
215 | return 1; | |
21131f00 DSH |
216 | } |
217 | ||
218 | static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen) | |
219 | { | |
0f113f3e | 220 | PBEPARAM *pbe; |
e93c8748 | 221 | pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), alg->parameter); |
0f113f3e MC |
222 | if (!pbe) |
223 | return 0; | |
224 | *pnid = OBJ_obj2nid(alg->algorithm); | |
225 | *piter = ASN1_INTEGER_get(pbe->iter); | |
226 | *psaltlen = pbe->salt->length; | |
227 | PBEPARAM_free(pbe); | |
228 | return 1; | |
21131f00 | 229 | } |