2 * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/pkcs12.h>
13 #include "p12_local.h"
15 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
18 static int copy_bag_attr(PKCS12_SAFEBAG
*bag
, EVP_PKEY
*pkey
, int nid
)
22 idx
= EVP_PKEY_get_attr_by_NID(pkey
, nid
, -1);
25 attr
= EVP_PKEY_get_attr(pkey
, idx
);
26 if (!X509at_add1_attr(&bag
->attrib
, attr
))
31 PKCS12
*PKCS12_create(const char *pass
, const char *name
, EVP_PKEY
*pkey
, X509
*cert
,
32 STACK_OF(X509
) *ca
, int nid_key
, int nid_cert
, int iter
,
33 int mac_iter
, int keytype
)
36 STACK_OF(PKCS7
) *safes
= NULL
;
37 STACK_OF(PKCS12_SAFEBAG
) *bags
= NULL
;
38 PKCS12_SAFEBAG
*bag
= NULL
;
40 unsigned char keyid
[EVP_MAX_MD_SIZE
];
41 unsigned int keyidlen
= 0;
46 nid_cert
= NID_pbe_WithSHA1And3_Key_TripleDES_CBC
;
48 nid_cert
= NID_pbe_WithSHA1And40BitRC2_CBC
;
51 nid_key
= NID_pbe_WithSHA1And3_Key_TripleDES_CBC
;
53 iter
= PKCS12_DEFAULT_ITER
;
57 if (pkey
== NULL
&& cert
== NULL
&& ca
== NULL
) {
58 ERR_raise(ERR_LIB_PKCS12
, PKCS12_R_INVALID_NULL_ARGUMENT
);
63 if (!X509_check_private_key(cert
, pkey
))
65 if (!X509_digest(cert
, EVP_sha1(), keyid
, &keyidlen
))
70 bag
= PKCS12_add_cert(&bags
, cert
);
71 if (name
&& !PKCS12_add_friendlyname(bag
, name
, -1))
73 if (keyidlen
&& !PKCS12_add_localkeyid(bag
, keyid
, keyidlen
))
77 /* Add all other certificates */
78 for (i
= 0; i
< sk_X509_num(ca
); i
++) {
79 if (!PKCS12_add_cert(&bags
, sk_X509_value(ca
, i
)))
83 if (bags
&& !PKCS12_add_safe(&safes
, bags
, nid_cert
, iter
, pass
))
86 sk_PKCS12_SAFEBAG_pop_free(bags
, PKCS12_SAFEBAG_free
);
90 bag
= PKCS12_add_key(&bags
, pkey
, keytype
, iter
, nid_key
, pass
);
95 if (!copy_bag_attr(bag
, pkey
, NID_ms_csp_name
))
97 if (!copy_bag_attr(bag
, pkey
, NID_LocalKeySet
))
100 if (name
&& !PKCS12_add_friendlyname(bag
, name
, -1))
102 if (keyidlen
&& !PKCS12_add_localkeyid(bag
, keyid
, keyidlen
))
106 if (bags
&& !PKCS12_add_safe(&safes
, bags
, -1, 0, NULL
))
109 sk_PKCS12_SAFEBAG_pop_free(bags
, PKCS12_SAFEBAG_free
);
112 p12
= PKCS12_add_safes(safes
, 0);
117 sk_PKCS7_pop_free(safes
, PKCS7_free
);
121 if ((mac_iter
!= -1) &&
122 !PKCS12_set_mac(p12
, pass
, -1, NULL
, 0, mac_iter
, NULL
))
129 sk_PKCS7_pop_free(safes
, PKCS7_free
);
130 sk_PKCS12_SAFEBAG_pop_free(bags
, PKCS12_SAFEBAG_free
);
135 PKCS12_SAFEBAG
*PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG
) **pbags
, X509
*cert
)
137 PKCS12_SAFEBAG
*bag
= NULL
;
140 unsigned char *keyid
;
143 /* Add user certificate */
144 if ((bag
= PKCS12_SAFEBAG_create_cert(cert
)) == NULL
)
148 * Use friendlyName and localKeyID in certificate. (if present)
151 name
= (char *)X509_alias_get0(cert
, &namelen
);
153 if (name
&& !PKCS12_add_friendlyname(bag
, name
, namelen
))
156 keyid
= X509_keyid_get0(cert
, &keyidlen
);
158 if (keyid
&& !PKCS12_add_localkeyid(bag
, keyid
, keyidlen
))
161 if (!pkcs12_add_bag(pbags
, bag
))
167 PKCS12_SAFEBAG_free(bag
);
172 PKCS12_SAFEBAG
*PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
173 EVP_PKEY
*key
, int key_usage
, int iter
,
174 int nid_key
, const char *pass
)
177 PKCS12_SAFEBAG
*bag
= NULL
;
178 PKCS8_PRIV_KEY_INFO
*p8
= NULL
;
180 /* Make a PKCS#8 structure */
181 if ((p8
= EVP_PKEY2PKCS8(key
)) == NULL
)
183 if (key_usage
&& !PKCS8_add_keyusage(p8
, key_usage
))
186 bag
= PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key
, pass
, -1, NULL
, 0,
188 PKCS8_PRIV_KEY_INFO_free(p8
);
190 bag
= PKCS12_SAFEBAG_create0_p8inf(p8
);
195 if (!pkcs12_add_bag(pbags
, bag
))
201 PKCS12_SAFEBAG_free(bag
);
206 PKCS12_SAFEBAG
*PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
207 int nid_type
, const unsigned char *value
, int len
)
209 PKCS12_SAFEBAG
*bag
= NULL
;
211 /* Add secret, storing the value as an octet string */
212 if ((bag
= PKCS12_SAFEBAG_create_secret(nid_type
, V_ASN1_OCTET_STRING
, value
, len
)) == NULL
)
215 if (!pkcs12_add_bag(pbags
, bag
))
220 PKCS12_SAFEBAG_free(bag
);
224 int PKCS12_add_safe(STACK_OF(PKCS7
) **psafes
, STACK_OF(PKCS12_SAFEBAG
) *bags
,
225 int nid_safe
, int iter
, const char *pass
)
230 if (*psafes
== NULL
) {
231 *psafes
= sk_PKCS7_new_null();
238 #ifdef OPENSSL_NO_RC2
239 nid_safe
= NID_pbe_WithSHA1And3_Key_TripleDES_CBC
;
241 nid_safe
= NID_pbe_WithSHA1And40BitRC2_CBC
;
245 p7
= PKCS12_pack_p7data(bags
);
247 p7
= PKCS12_pack_p7encdata(nid_safe
, pass
, -1, NULL
, 0, iter
, bags
);
251 if (!sk_PKCS7_push(*psafes
, p7
))
258 sk_PKCS7_free(*psafes
);
266 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG
) **pbags
,
273 if (*pbags
== NULL
) {
274 *pbags
= sk_PKCS12_SAFEBAG_new_null();
280 if (!sk_PKCS12_SAFEBAG_push(*pbags
, bag
)) {
282 sk_PKCS12_SAFEBAG_free(*pbags
);
292 PKCS12
*PKCS12_add_safes(STACK_OF(PKCS7
) *safes
, int nid_p7
)
297 nid_p7
= NID_pkcs7_data
;
298 p12
= PKCS12_init(nid_p7
);
302 if (!PKCS12_pack_authsafes(p12
, safes
)) {