resolve conflicts

author: djm <> 2008-09-06 12:17:54 +0000
committer: djm <> 2008-09-06 12:17:54 +0000
commit: 38ce604e3cc97706b876b0525ddff0121115456d (patch)
tree: 7ccc28afe1789ea3dbedf72365f955d5b8e105b5 /src/lib/libcrypto/pkcs12/p12_crt.c
parent: 12867252827c8efaa8ddd1fa3b3d6e321e2bcdef (diff)
download: openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.gz
openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.bz2
openbsd-38ce604e3cc97706b876b0525ddff0121115456d.zip
1 files changed, 256 insertions, 80 deletions
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 40340a7bef..dbafda17b6 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,9 +1,9 @@
 /* p12_crt.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -60,113 +60,289 @@
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
+static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
             STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
             int keytype)
 {
-        PKCS12 *p12;
+        PKCS12 *p12 = NULL;
-        STACK_OF(PKCS12_SAFEBAG) *bags;
+        STACK_OF(PKCS7) *safes = NULL;
-        STACK_OF(PKCS7) *safes;
+        STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
-        PKCS12_SAFEBAG *bag;
+        PKCS12_SAFEBAG *bag = NULL;
-        PKCS8_PRIV_KEY_INFO *p8;
-        PKCS7 *authsafe;
-        X509 *tcert;
        int i;
        unsigned char keyid[EVP_MAX_MD_SIZE];
-        unsigned int keyidlen;
+        unsigned int keyidlen = 0;
        /* Set defaults */
-        if(!nid_cert)
+        if (!nid_cert)
-                {
+                nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
-#ifdef OPENSSL_FIPS
+        if (!nid_key)
-                if (FIPS_mode())
+                nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-                        nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+        if (!iter)
-                else
+                iter = PKCS12_DEFAULT_ITER;
-#endif
+        if (!mac_iter)
-                        nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+                mac_iter = 1;
-                }
-        if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-        if(!iter) iter = PKCS12_DEFAULT_ITER;
-        if(!mac_iter) mac_iter = 1;
-        if(!pkey || !cert) {
+        if(!pkey && !cert && !ca)
+                {
                PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
                return NULL;
-        }
+                }
-        if(!X509_check_private_key(cert, pkey)) return NULL;
-        if(!(bags = sk_PKCS12_SAFEBAG_new_null ())) {
+        if (pkey && cert)
-                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                {
-                return NULL;
+                if(!X509_check_private_key(cert, pkey))
-        }
+                        return NULL;
+                X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+                }
-        /* Add user certificate */
+        if (cert)
-        if(!(bag = PKCS12_x5092certbag(cert))) return NULL;
+                {
-        if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
+                bag = PKCS12_add_cert(&bags, cert);
-        X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+                if(name && !PKCS12_add_friendlyname(bag, name, -1))
-        if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
+                        goto err;
+                if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+                        goto err;
+                }
-        if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
-                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        
        /* Add all other certificates */
-        if(ca) {
+        for(i = 0; i < sk_X509_num(ca); i++)
-                for(i = 0; i < sk_X509_num(ca); i++) {
+                {
-                        tcert = sk_X509_value(ca, i);
+                if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
-                        if(!(bag = PKCS12_x5092certbag(tcert))) return NULL;
+                        goto err;
-                        if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
+                }
-                                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-                                return NULL;
+        if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
+                        goto err;
+        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+        bags = NULL;
+        if (pkey)
+                {
+                int cspidx;
+                bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
+                if (!bag)
+                        goto err;
+                cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
+                if (cspidx >= 0)
+                        {
+                        X509_ATTRIBUTE *cspattr;
+                        cspattr = EVP_PKEY_get_attr(pkey, cspidx);
+                        if (!X509at_add1_attr(&bag->attrib, cspattr))
+                                goto err;
                        }
+                if(name && !PKCS12_add_friendlyname(bag, name, -1))
+                        goto err;
+                if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+                        goto err;
                }
-        }
-        /* Turn certbags into encrypted authsafe */
+        if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
-        authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,
+                        goto err;
-                                          iter, bags);
        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+        bags = NULL;
-        if (!authsafe) return NULL;
+        p12 = PKCS12_add_safes(safes, 0);
+        sk_PKCS7_pop_free(safes, PKCS7_free);
+        safes = NULL;
+        if ((mac_iter != -1) &&
+                !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
+            goto err;
+        return p12;
+        err:
+        if (p12)
+                PKCS12_free(p12);
+        if (safes)
+                sk_PKCS7_pop_free(safes, PKCS7_free);
+        if (bags)
+                sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+        return NULL;
+}
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+        {
+        PKCS12_SAFEBAG *bag = NULL;
+        char *name;
+        int namelen = -1;
+        unsigned char *keyid;
+        int keyidlen = -1;
+        /* Add user certificate */
+        if(!(bag = PKCS12_x5092certbag(cert)))
+                goto err;
+        /* Use friendlyName and localKeyID in certificate.
+         * (if present)
+         */
+        name = (char *)X509_alias_get0(cert, &namelen);
+        if(name && !PKCS12_add_friendlyname(bag, name, namelen))
+                goto err;
+        keyid = X509_keyid_get0(cert, &keyidlen);
+        if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+                goto err;
+        if (!pkcs12_add_bag(pbags, bag))
+                goto err;
+        return bag;
+        err:
+        if (bag)
+                PKCS12_SAFEBAG_free(bag);
+        return NULL;
-        if(!(safes = sk_PKCS7_new_null ())
-           || !sk_PKCS7_push(safes, authsafe)) {
-                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-                return NULL;
        }
-        /* Make a shrouded key bag */
+PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
-        if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;
+                                                int key_usage, int iter,
-        if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;
+                                                int nid_key, char *pass)
-        bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);
+        {
-        if(!bag) return NULL;
-        PKCS8_PRIV_KEY_INFO_free(p8);
+        PKCS12_SAFEBAG *bag = NULL;
-        if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;
+        PKCS8_PRIV_KEY_INFO *p8 = NULL;
-        if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;
-        if(!(bags = sk_PKCS12_SAFEBAG_new_null())
+        /* Make a PKCS#8 structure */
-           || !sk_PKCS12_SAFEBAG_push (bags, bag)) {
+        if(!(p8 = EVP_PKEY2PKCS8(key)))
-                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                goto err;
-                return NULL;
+        if(key_usage && !PKCS8_add_keyusage(p8, key_usage))
+                goto err;
+        if (nid_key != -1)
+                {
+                bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8);
+                PKCS8_PRIV_KEY_INFO_free(p8);
+                }
+        else
+                bag = PKCS12_MAKE_KEYBAG(p8);
+        if(!bag)
+                goto err;
+        if (!pkcs12_add_bag(pbags, bag))
+                goto err;
+        return bag;
+        err:
+        if (bag)
+                PKCS12_SAFEBAG_free(bag);
+        return NULL;
        }
-        /* Turn it into unencrypted safe bag */
-        if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;
+int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
-        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+                                                int nid_safe, int iter, char *pass)
-        if(!sk_PKCS7_push(safes, authsafe)) {
+        {
-                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+        PKCS7 *p7 = NULL;
-                return NULL;
+        int free_safes = 0;
+        if (!*psafes)
+                {
+                *psafes = sk_PKCS7_new_null();
+                if (!*psafes)
+                        return 0;
+                free_safes = 1;
+                }
+        else
+                free_safes = 0;
+        if (nid_safe == 0)
+                nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
+        if (nid_safe == -1)
+                p7 = PKCS12_pack_p7data(bags);
+        else
+                p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0,
+                                          iter, bags);
+        if (!p7)
+                goto err;
+        if (!sk_PKCS7_push(*psafes, p7))
+                goto err;
+        return 1;
+        err:
+        if (free_safes)
+                {
+                sk_PKCS7_free(*psafes);
+                *psafes = NULL;
+                }
+        if (p7)
+                PKCS7_free(p7);
+        return 0;
        }
-        if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
+static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag)
+        {
+        int free_bags;
+        if (!pbags)
+                return 1;
+        if (!*pbags)
+                {
+                *pbags = sk_PKCS12_SAFEBAG_new_null();
+                if (!*pbags)
+                        return 0;
+                free_bags = 1;
+                }
+        else 
+                free_bags = 0;
-        if(!PKCS12_pack_authsafes (p12, safes)) return NULL;
+        if (!sk_PKCS12_SAFEBAG_push(*pbags, bag))
+                {
+                if (free_bags)
+                        {
+                        sk_PKCS12_SAFEBAG_free(*pbags);
+                        *pbags = NULL;
+                        }
+                return 0;
+                }
-        sk_PKCS7_pop_free(safes, PKCS7_free);
+        return 1;
+        }
+                
+PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
+        {
+        PKCS12 *p12;
+        if (nid_p7 <= 0)
+                nid_p7 = NID_pkcs7_data;
+        p12 = PKCS12_init(nid_p7);
+        if (!p12)
+                return NULL;
-        if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))
+        if(!PKCS12_pack_authsafes(p12, safes))
-            return NULL;
+                {
+                PKCS12_free(p12);
+                return NULL;
+                }
        return p12;
-}
+        }
author	djm <>	2008-09-06 12:17:54 +0000
committer	djm <>	2008-09-06 12:17:54 +0000
commit	38ce604e3cc97706b876b0525ddff0121115456d (patch)
tree	7ccc28afe1789ea3dbedf72365f955d5b8e105b5 /src/lib/libcrypto/pkcs12/p12_crt.c
parent	12867252827c8efaa8ddd1fa3b3d6e321e2bcdef (diff)
download	openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.gz openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.bz2 openbsd-38ce604e3cc97706b876b0525ddff0121115456d.zip

diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c index 40340a7bef..dbafda17b6 100644 --- a/src/lib/libcrypto/pkcs12/p12_crt.c +++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,9 +1,9 @@
1	/* p12_crt.c */	1	/* p12_crt.c */
2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3	* project 1999.	3	* project.
4	*/	4	*/
5	/* ====================================================================	5	/* ====================================================================
6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.	6	* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7	*	7	*
8	* Redistribution and use in source and binary forms, with or without	8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions	9	* modification, are permitted provided that the following conditions
@@ -60,113 +60,289 @@
60	#include "cryptlib.h"	60	#include "cryptlib.h"
61	#include <openssl/pkcs12.h>	61	#include <openssl/pkcs12.h>
62		62
		63
		64	static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) *pbags, PKCS12_SAFEBAG bag);
		65
63	PKCS12 PKCS12_create(char pass, char name, EVP_PKEY pkey, X509 *cert,	66	PKCS12 PKCS12_create(char pass, char name, EVP_PKEY pkey, X509 *cert,
64	STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,	67	STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
65	int keytype)	68	int keytype)
66	{	69	{
67	PKCS12 *p12;	70	PKCS12 *p12 = NULL;
68	STACK_OF(PKCS12_SAFEBAG) *bags;	71	STACK_OF(PKCS7) *safes = NULL;
69	STACK_OF(PKCS7) *safes;	72	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
70	PKCS12_SAFEBAG *bag;	73	PKCS12_SAFEBAG *bag = NULL;
71	PKCS8_PRIV_KEY_INFO *p8;
72	PKCS7 *authsafe;
73	X509 *tcert;
74	int i;	74	int i;
75	unsigned char keyid[EVP_MAX_MD_SIZE];	75	unsigned char keyid[EVP_MAX_MD_SIZE];
76	unsigned int keyidlen;	76	unsigned int keyidlen = 0;
77		77
78	/* Set defaults */	78	/* Set defaults */
79	if(!nid_cert)	79	if (!nid_cert)
80	{	80	nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
81	#ifdef OPENSSL_FIPS	81	if (!nid_key)
82	if (FIPS_mode())	82	nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
83	nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;	83	if (!iter)
84	else	84	iter = PKCS12_DEFAULT_ITER;
85	#endif	85	if (!mac_iter)
86	nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;	86	mac_iter = 1;
87	}
88	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
89	if(!iter) iter = PKCS12_DEFAULT_ITER;
90	if(!mac_iter) mac_iter = 1;
91		87
92	if(!pkey \|\| !cert) {	88	if(!pkey && !cert && !ca)
		89	{
93	PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);	90	PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
94	return NULL;	91	return NULL;
95	}	92	}
96
97	if(!X509_check_private_key(cert, pkey)) return NULL;
98		93
99	if(!(bags = sk_PKCS12_SAFEBAG_new_null ())) {	94	if (pkey && cert)
100	PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);	95	{
101	return NULL;	96	if(!X509_check_private_key(cert, pkey))
102	}	97	return NULL;
		98	X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
		99	}
103		100
104	/* Add user certificate */	101	if (cert)
105	if(!(bag = PKCS12_x5092certbag(cert))) return NULL;	102	{
106	if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;	103	bag = PKCS12_add_cert(&bags, cert);
107	X509_digest(cert, EVP_sha1(), keyid, &keyidlen);	104	if(name && !PKCS12_add_friendlyname(bag, name, -1))
108	if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;	105	goto err;
		106	if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
		107	goto err;
		108	}
109		109
110	if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
111	PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
112	return NULL;
113	}
114
115	/* Add all other certificates */	110	/* Add all other certificates */
116	if(ca) {	111	for(i = 0; i < sk_X509_num(ca); i++)
117	for(i = 0; i < sk_X509_num(ca); i++) {	112	{
118	tcert = sk_X509_value(ca, i);	113	if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
119	if(!(bag = PKCS12_x5092certbag(tcert))) return NULL;	114	goto err;
120	if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {	115	}
121	PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);	116
122	return NULL;	117	if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
		118	goto err;
		119
		120	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
		121	bags = NULL;
		122
		123	if (pkey)
		124	{
		125	int cspidx;
		126	bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
		127
		128	if (!bag)
		129	goto err;
		130
		131	cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
		132	if (cspidx >= 0)
		133	{
		134	X509_ATTRIBUTE *cspattr;
		135	cspattr = EVP_PKEY_get_attr(pkey, cspidx);
		136	if (!X509at_add1_attr(&bag->attrib, cspattr))
		137	goto err;
123	}	138	}
		139
		140	if(name && !PKCS12_add_friendlyname(bag, name, -1))
		141	goto err;
		142	if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
		143	goto err;
124	}	144	}
125	}
126		145
127	/* Turn certbags into encrypted authsafe */	146	if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
128	authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,	147	goto err;
129	iter, bags);	148
130	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);	149	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
		150	bags = NULL;
131		151
132	if (!authsafe) return NULL;	152	p12 = PKCS12_add_safes(safes, 0);
		153
		154	sk_PKCS7_pop_free(safes, PKCS7_free);
		155
		156	safes = NULL;
		157
		158	if ((mac_iter != -1) &&
		159	!PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
		160	goto err;
		161
		162	return p12;
		163
		164	err:
		165
		166	if (p12)
		167	PKCS12_free(p12);
		168	if (safes)
		169	sk_PKCS7_pop_free(safes, PKCS7_free);
		170	if (bags)
		171	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
		172	return NULL;
		173
		174	}
		175
		176	PKCS12_SAFEBAG PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) pbags, X509 cert)
		177	{
		178	PKCS12_SAFEBAG *bag = NULL;
		179	char *name;
		180	int namelen = -1;
		181	unsigned char *keyid;
		182	int keyidlen = -1;
		183
		184	/* Add user certificate */
		185	if(!(bag = PKCS12_x5092certbag(cert)))
		186	goto err;
		187
		188	/* Use friendlyName and localKeyID in certificate.
		189	* (if present)
		190	*/
		191
		192	name = (char *)X509_alias_get0(cert, &namelen);
		193
		194	if(name && !PKCS12_add_friendlyname(bag, name, namelen))
		195	goto err;
		196
		197	keyid = X509_keyid_get0(cert, &keyidlen);
		198
		199	if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
		200	goto err;
		201
		202	if (!pkcs12_add_bag(pbags, bag))
		203	goto err;
		204
		205	return bag;
		206
		207	err:
		208
		209	if (bag)
		210	PKCS12_SAFEBAG_free(bag);
		211
		212	return NULL;
133		213
134	if(!(safes = sk_PKCS7_new_null ())
135	\|\| !sk_PKCS7_push(safes, authsafe)) {
136	PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
137	return NULL;
138	}	214	}
139		215
140	/* Make a shrouded key bag */	216	PKCS12_SAFEBAG PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) pbags, EVP_PKEY key,
141	if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;	217	int key_usage, int iter,
142	if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;	218	int nid_key, char *pass)
143	bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);	219	{
144	if(!bag) return NULL;	220
145	PKCS8_PRIV_KEY_INFO_free(p8);	221	PKCS12_SAFEBAG *bag = NULL;
146	if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;	222	PKCS8_PRIV_KEY_INFO *p8 = NULL;
147	if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;	223
148	if(!(bags = sk_PKCS12_SAFEBAG_new_null())	224	/* Make a PKCS#8 structure */
149	\|\| !sk_PKCS12_SAFEBAG_push (bags, bag)) {	225	if(!(p8 = EVP_PKEY2PKCS8(key)))
150	PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);	226	goto err;
151	return NULL;	227	if(key_usage && !PKCS8_add_keyusage(p8, key_usage))
		228	goto err;
		229	if (nid_key != -1)
		230	{
		231	bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8);
		232	PKCS8_PRIV_KEY_INFO_free(p8);
		233	}
		234	else
		235	bag = PKCS12_MAKE_KEYBAG(p8);
		236
		237	if(!bag)
		238	goto err;
		239
		240	if (!pkcs12_add_bag(pbags, bag))
		241	goto err;
		242
		243	return bag;
		244
		245	err:
		246
		247	if (bag)
		248	PKCS12_SAFEBAG_free(bag);
		249
		250	return NULL;
		251
152	}	252	}
153	/* Turn it into unencrypted safe bag */	253
154	if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;	254	int PKCS12_add_safe(STACK_OF(PKCS7) *psafes, STACK_OF(PKCS12_SAFEBAG) bags,
155	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);	255	int nid_safe, int iter, char *pass)
156	if(!sk_PKCS7_push(safes, authsafe)) {	256	{
157	PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);	257	PKCS7 *p7 = NULL;
158	return NULL;	258	int free_safes = 0;
		259
		260	if (!*psafes)
		261	{
		262	*psafes = sk_PKCS7_new_null();
		263	if (!*psafes)
		264	return 0;
		265	free_safes = 1;
		266	}
		267	else
		268	free_safes = 0;
		269
		270	if (nid_safe == 0)
		271	nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
		272
		273	if (nid_safe == -1)
		274	p7 = PKCS12_pack_p7data(bags);
		275	else
		276	p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0,
		277	iter, bags);
		278	if (!p7)
		279	goto err;
		280
		281	if (!sk_PKCS7_push(*psafes, p7))
		282	goto err;
		283
		284	return 1;
		285
		286	err:
		287	if (free_safes)
		288	{
		289	sk_PKCS7_free(*psafes);
		290	*psafes = NULL;
		291	}
		292
		293	if (p7)
		294	PKCS7_free(p7);
		295
		296	return 0;
		297
159	}	298	}
160		299
161	if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;	300	static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) *pbags, PKCS12_SAFEBAG bag)
		301	{
		302	int free_bags;
		303	if (!pbags)
		304	return 1;
		305	if (!*pbags)
		306	{
		307	*pbags = sk_PKCS12_SAFEBAG_new_null();
		308	if (!*pbags)
		309	return 0;
		310	free_bags = 1;
		311	}
		312	else
		313	free_bags = 0;
162		314
163	if(!PKCS12_pack_authsafes (p12, safes)) return NULL;	315	if (!sk_PKCS12_SAFEBAG_push(*pbags, bag))
		316	{
		317	if (free_bags)
		318	{
		319	sk_PKCS12_SAFEBAG_free(*pbags);
		320	*pbags = NULL;
		321	}
		322	return 0;
		323	}
164		324
165	sk_PKCS7_pop_free(safes, PKCS7_free);	325	return 1;
		326
		327	}
		328
		329
		330	PKCS12 PKCS12_add_safes(STACK_OF(PKCS7) safes, int nid_p7)
		331	{
		332	PKCS12 *p12;
		333	if (nid_p7 <= 0)
		334	nid_p7 = NID_pkcs7_data;
		335	p12 = PKCS12_init(nid_p7);
		336
		337	if (!p12)
		338	return NULL;
166		339
167	if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))	340	if(!PKCS12_pack_authsafes(p12, safes))
168	return NULL;	341	{
		342	PKCS12_free(p12);
		343	return NULL;
		344	}
169		345
170	return p12;	346	return p12;
171		347
172	}	348	}