summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/pkcs12
diff options
context:
space:
mode:
authordjm <>2010-10-01 22:54:21 +0000
committerdjm <>2010-10-01 22:54:21 +0000
commit829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (patch)
treee03b9f1bd051e844b971936729e9df549a209130 /src/lib/libcrypto/pkcs12
parente6b755d2a53d3cac7a344dfdd6bf7c951cac754c (diff)
downloadopenbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.gz
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.bz2
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.zip
import OpenSSL-1.0.0a
Diffstat (limited to 'src/lib/libcrypto/pkcs12')
-rw-r--r--src/lib/libcrypto/pkcs12/p12_add.c20
-rw-r--r--src/lib/libcrypto/pkcs12/p12_attr.c2
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crpt.c20
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crt.c11
-rw-r--r--src/lib/libcrypto/pkcs12/p12_key.c7
-rw-r--r--src/lib/libcrypto/pkcs12/p12_kiss.c163
-rw-r--r--src/lib/libcrypto/pkcs12/p12_mutl.c8
-rw-r--r--src/lib/libcrypto/pkcs12/p12_npas.c17
-rw-r--r--src/lib/libcrypto/pkcs12/p12_utl.c4
-rw-r--r--src/lib/libcrypto/pkcs12/pk12err.c2
-rw-r--r--src/lib/libcrypto/pkcs12/pkcs12.h6
11 files changed, 134 insertions, 126 deletions
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 1f3e378f5c..27ac5facfa 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -106,6 +106,7 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
106 PKCS8_PRIV_KEY_INFO *p8) 106 PKCS8_PRIV_KEY_INFO *p8)
107{ 107{
108 PKCS12_SAFEBAG *bag; 108 PKCS12_SAFEBAG *bag;
109 const EVP_CIPHER *pbe_ciph;
109 110
110 /* Set up the safe bag */ 111 /* Set up the safe bag */
111 if (!(bag = PKCS12_SAFEBAG_new())) { 112 if (!(bag = PKCS12_SAFEBAG_new())) {
@@ -114,8 +115,14 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
114 } 115 }
115 116
116 bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag); 117 bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
118
119 pbe_ciph = EVP_get_cipherbynid(pbe_nid);
120
121 if (pbe_ciph)
122 pbe_nid = -1;
123
117 if (!(bag->value.shkeybag = 124 if (!(bag->value.shkeybag =
118 PKCS8_encrypt(pbe_nid, NULL, pass, passlen, salt, saltlen, iter, 125 PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
119 p8))) { 126 p8))) {
120 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE); 127 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
121 return NULL; 128 return NULL;
@@ -164,6 +171,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
164{ 171{
165 PKCS7 *p7; 172 PKCS7 *p7;
166 X509_ALGOR *pbe; 173 X509_ALGOR *pbe;
174 const EVP_CIPHER *pbe_ciph;
167 if (!(p7 = PKCS7_new())) { 175 if (!(p7 = PKCS7_new())) {
168 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE); 176 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
169 return NULL; 177 return NULL;
@@ -173,7 +181,15 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
173 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE); 181 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
174 return NULL; 182 return NULL;
175 } 183 }
176 if (!(pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen))) { 184
185 pbe_ciph = EVP_get_cipherbynid(pbe_nid);
186
187 if (pbe_ciph)
188 pbe = PKCS5_pbe2_set(pbe_ciph, iter, salt, saltlen);
189 else
190 pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
191
192 if (!pbe) {
177 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE); 193 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
178 return NULL; 194 return NULL;
179 } 195 }
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
index 68d6c5ad15..e4d9c25647 100644
--- a/src/lib/libcrypto/pkcs12/p12_attr.c
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -139,7 +139,7 @@ char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
139 ASN1_TYPE *atype; 139 ASN1_TYPE *atype;
140 if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL; 140 if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL;
141 if (atype->type != V_ASN1_BMPSTRING) return NULL; 141 if (atype->type != V_ASN1_BMPSTRING) return NULL;
142 return uni2asc(atype->value.bmpstring->data, 142 return OPENSSL_uni2asc(atype->value.bmpstring->data,
143 atype->value.bmpstring->length); 143 atype->value.bmpstring->length);
144} 144}
145 145
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index f8b952e27e..b71d07b4d0 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -60,28 +60,10 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63/* PKCS#12 specific PBE functions */ 63/* PKCS#12 PBE algorithms now in static table */
64 64
65void PKCS12_PBE_add(void) 65void PKCS12_PBE_add(void)
66{ 66{
67#ifndef OPENSSL_NO_RC4
68EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
69 PKCS12_PBE_keyivgen);
70EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
71 PKCS12_PBE_keyivgen);
72#endif
73#ifndef OPENSSL_NO_DES
74EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
75 EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
76EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC,
77 EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
78#endif
79#ifndef OPENSSL_NO_RC2
80EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
81 EVP_sha1(), PKCS12_PBE_keyivgen);
82EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
83 EVP_sha1(), PKCS12_PBE_keyivgen);
84#endif
85} 67}
86 68
87int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 69int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 9522342fa5..96b131defa 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -59,10 +59,6 @@
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62#ifdef OPENSSL_FIPS
63#include <openssl/fips.h>
64#endif
65
66 62
67 63
68static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); 64static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
@@ -94,14 +90,7 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
94 90
95 /* Set defaults */ 91 /* Set defaults */
96 if (!nid_cert) 92 if (!nid_cert)
97 {
98#ifdef OPENSSL_FIPS
99 if (FIPS_mode())
100 nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
101 else
102#endif
103 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; 93 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
104 }
105 if (!nid_key) 94 if (!nid_key)
106 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 95 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
107 if (!iter) 96 if (!iter)
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 9e57eee4a4..a29794bbbc 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -81,15 +81,18 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
81 int ret; 81 int ret;
82 unsigned char *unipass; 82 unsigned char *unipass;
83 int uniplen; 83 int uniplen;
84
84 if(!pass) { 85 if(!pass) {
85 unipass = NULL; 86 unipass = NULL;
86 uniplen = 0; 87 uniplen = 0;
87 } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) { 88 } else if (!OPENSSL_asc2uni(pass, passlen, &unipass, &uniplen)) {
88 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); 89 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
89 return 0; 90 return 0;
90 } 91 }
91 ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, 92 ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
92 id, iter, n, out, md_type); 93 id, iter, n, out, md_type);
94 if (ret <= 0)
95 return 0;
93 if(unipass) { 96 if(unipass) {
94 OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */ 97 OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
95 OPENSSL_free(unipass); 98 OPENSSL_free(unipass);
@@ -129,6 +132,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
129#endif 132#endif
130 v = EVP_MD_block_size (md_type); 133 v = EVP_MD_block_size (md_type);
131 u = EVP_MD_size (md_type); 134 u = EVP_MD_size (md_type);
135 if (u < 0)
136 return 0;
132 D = OPENSSL_malloc (v); 137 D = OPENSSL_malloc (v);
133 Ai = OPENSSL_malloc (u); 138 Ai = OPENSSL_malloc (u);
134 B = OPENSSL_malloc (v + 1); 139 B = OPENSSL_malloc (v + 1);
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 5c4c6ec988..292cc3ed4a 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -63,16 +63,13 @@
63/* Simplified PKCS#12 routines */ 63/* Simplified PKCS#12 routines */
64 64
65static int parse_pk12( PKCS12 *p12, const char *pass, int passlen, 65static int parse_pk12( PKCS12 *p12, const char *pass, int passlen,
66 EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); 66 EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
67 67
68static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, 68static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
69 int passlen, EVP_PKEY **pkey, X509 **cert, 69 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
70 STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
71 char *keymatch);
72 70
73static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen, 71static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
74 EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca, 72 EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
75 ASN1_OCTET_STRING **keyid, char *keymatch);
76 73
77/* Parse and decrypt a PKCS#12 structure returning user key, user cert 74/* Parse and decrypt a PKCS#12 structure returning user key, user cert
78 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL, 75 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
@@ -83,24 +80,20 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
83int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 80int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
84 STACK_OF(X509) **ca) 81 STACK_OF(X509) **ca)
85{ 82{
86 83 STACK_OF(X509) *ocerts = NULL;
84 X509 *x = NULL;
87 /* Check for NULL PKCS12 structure */ 85 /* Check for NULL PKCS12 structure */
88 86
89 if(!p12) { 87 if(!p12)
88 {
90 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER); 89 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
91 return 0; 90 return 0;
92 }
93
94 /* Allocate stack for ca certificates if needed */
95 if ((ca != NULL) && (*ca == NULL)) {
96 if (!(*ca = sk_X509_new_null())) {
97 PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
98 return 0;
99 } 91 }
100 }
101 92
102 if(pkey) *pkey = NULL; 93 if(pkey)
103 if(cert) *cert = NULL; 94 *pkey = NULL;
95 if(cert)
96 *cert = NULL;
104 97
105 /* Check the mac */ 98 /* Check the mac */
106 99
@@ -122,19 +115,61 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
122 goto err; 115 goto err;
123 } 116 }
124 117
125 if (!parse_pk12 (p12, pass, -1, pkey, cert, ca)) 118 /* Allocate stack for other certificates */
119 ocerts = sk_X509_new_null();
120
121 if (!ocerts)
122 {
123 PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
124 return 0;
125 }
126
127 if (!parse_pk12 (p12, pass, -1, pkey, ocerts))
126 { 128 {
127 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR); 129 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
128 goto err; 130 goto err;
129 } 131 }
130 132
133 while ((x = sk_X509_pop(ocerts)))
134 {
135 if (pkey && *pkey && cert && !*cert)
136 {
137 if (X509_check_private_key(x, *pkey))
138 {
139 *cert = x;
140 x = NULL;
141 }
142 }
143
144 if (ca && x)
145 {
146 if (!*ca)
147 *ca = sk_X509_new_null();
148 if (!*ca)
149 goto err;
150 if (!sk_X509_push(*ca, x))
151 goto err;
152 x = NULL;
153 }
154 if (x)
155 X509_free(x);
156 }
157
158 if (ocerts)
159 sk_X509_pop_free(ocerts, X509_free);
160
131 return 1; 161 return 1;
132 162
133 err: 163 err:
134 164
135 if (pkey && *pkey) EVP_PKEY_free(*pkey); 165 if (pkey && *pkey)
136 if (cert && *cert) X509_free(*cert); 166 EVP_PKEY_free(*pkey);
137 if (ca) sk_X509_pop_free(*ca, X509_free); 167 if (cert && *cert)
168 X509_free(*cert);
169 if (x)
170 X509_free(*cert);
171 if (ocerts)
172 sk_X509_pop_free(ocerts, X509_free);
138 return 0; 173 return 0;
139 174
140} 175}
@@ -142,15 +177,13 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
142/* Parse the outer PKCS#12 structure */ 177/* Parse the outer PKCS#12 structure */
143 178
144static int parse_pk12(PKCS12 *p12, const char *pass, int passlen, 179static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
145 EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) 180 EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
146{ 181{
147 STACK_OF(PKCS7) *asafes; 182 STACK_OF(PKCS7) *asafes;
148 STACK_OF(PKCS12_SAFEBAG) *bags; 183 STACK_OF(PKCS12_SAFEBAG) *bags;
149 int i, bagnid; 184 int i, bagnid;
150 PKCS7 *p7; 185 PKCS7 *p7;
151 ASN1_OCTET_STRING *keyid = NULL;
152 186
153 char keymatch = 0;
154 if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0; 187 if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;
155 for (i = 0; i < sk_PKCS7_num (asafes); i++) { 188 for (i = 0; i < sk_PKCS7_num (asafes); i++) {
156 p7 = sk_PKCS7_value (asafes, i); 189 p7 = sk_PKCS7_value (asafes, i);
@@ -164,8 +197,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
164 sk_PKCS7_pop_free(asafes, PKCS7_free); 197 sk_PKCS7_pop_free(asafes, PKCS7_free);
165 return 0; 198 return 0;
166 } 199 }
167 if (!parse_bags(bags, pass, passlen, pkey, cert, ca, 200 if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {
168 &keyid, &keymatch)) {
169 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 201 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
170 sk_PKCS7_pop_free(asafes, PKCS7_free); 202 sk_PKCS7_pop_free(asafes, PKCS7_free);
171 return 0; 203 return 0;
@@ -173,89 +205,65 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
173 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 205 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
174 } 206 }
175 sk_PKCS7_pop_free(asafes, PKCS7_free); 207 sk_PKCS7_pop_free(asafes, PKCS7_free);
176 if (keyid) M_ASN1_OCTET_STRING_free(keyid);
177 return 1; 208 return 1;
178} 209}
179 210
180 211
181static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, 212static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
182 int passlen, EVP_PKEY **pkey, X509 **cert, 213 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
183 STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
184 char *keymatch)
185{ 214{
186 int i; 215 int i;
187 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 216 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
188 if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i), 217 if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i),
189 pass, passlen, pkey, cert, ca, keyid, 218 pass, passlen, pkey, ocerts))
190 keymatch)) return 0; 219 return 0;
191 } 220 }
192 return 1; 221 return 1;
193} 222}
194 223
195#define MATCH_KEY 0x1
196#define MATCH_CERT 0x2
197#define MATCH_ALL 0x3
198
199static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, 224static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
200 EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca, 225 EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
201 ASN1_OCTET_STRING **keyid,
202 char *keymatch)
203{ 226{
204 PKCS8_PRIV_KEY_INFO *p8; 227 PKCS8_PRIV_KEY_INFO *p8;
205 X509 *x509; 228 X509 *x509;
206 ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL;
207 ASN1_TYPE *attrib; 229 ASN1_TYPE *attrib;
208 ASN1_BMPSTRING *fname = NULL; 230 ASN1_BMPSTRING *fname = NULL;
231 ASN1_OCTET_STRING *lkid = NULL;
209 232
210 if ((attrib = PKCS12_get_attr (bag, NID_friendlyName))) 233 if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))
211 fname = attrib->value.bmpstring; 234 fname = attrib->value.bmpstring;
212 235
213 if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) { 236 if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
214 lkey = attrib->value.octet_string; 237 lkid = attrib->value.octet_string;
215 ckid = lkey;
216 }
217 238
218 /* Check for any local key id matching (if needed) */
219 if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
220 if (*keyid) {
221 if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
222 } else {
223 if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
224 PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILURE);
225 return 0;
226 }
227 }
228 }
229
230 switch (M_PKCS12_bag_type(bag)) 239 switch (M_PKCS12_bag_type(bag))
231 { 240 {
232 case NID_keyBag: 241 case NID_keyBag:
233 if (!lkey || !pkey) return 1; 242 if (!pkey || *pkey)
234 if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) return 0; 243 return 1;
235 *keymatch |= MATCH_KEY; 244 if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
245 return 0;
236 break; 246 break;
237 247
238 case NID_pkcs8ShroudedKeyBag: 248 case NID_pkcs8ShroudedKeyBag:
239 if (!lkey || !pkey) return 1; 249 if (!pkey || *pkey)
250 return 1;
240 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen))) 251 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
241 return 0; 252 return 0;
242 *pkey = EVP_PKCS82PKEY(p8); 253 *pkey = EVP_PKCS82PKEY(p8);
243 PKCS8_PRIV_KEY_INFO_free(p8); 254 PKCS8_PRIV_KEY_INFO_free(p8);
244 if (!(*pkey)) return 0; 255 if (!(*pkey)) return 0;
245 *keymatch |= MATCH_KEY;
246 break; 256 break;
247 257
248 case NID_certBag: 258 case NID_certBag:
249 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) 259 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
250 return 1; 260 return 1;
251 if (!(x509 = PKCS12_certbag2x509(bag))) return 0; 261 if (!(x509 = PKCS12_certbag2x509(bag)))
252 if(ckid) 262 return 0;
263 if(lkid && !X509_keyid_set1(x509, lkid->data, lkid->length))
253 { 264 {
254 if (!X509_keyid_set1(x509, ckid->data, ckid->length)) 265 X509_free(x509);
255 { 266 return 0;
256 X509_free(x509);
257 return 0;
258 }
259 } 267 }
260 if(fname) { 268 if(fname) {
261 int len, r; 269 int len, r;
@@ -272,20 +280,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
272 } 280 }
273 } 281 }
274 282
283 if(!sk_X509_push(ocerts, x509))
284 {
285 X509_free(x509);
286 return 0;
287 }
275 288
276 if (lkey) {
277 *keymatch |= MATCH_CERT;
278 if (cert) *cert = x509;
279 else X509_free(x509);
280 } else {
281 if(ca) sk_X509_push (*ca, x509);
282 else X509_free(x509);
283 }
284 break; 289 break;
285 290
286 case NID_safeContentsBag: 291 case NID_safeContentsBag:
287 return parse_bags(bag->value.safes, pass, passlen, 292 return parse_bags(bag->value.safes, pass, passlen,
288 pkey, cert, ca, keyid, keymatch); 293 pkey, ocerts);
289 break; 294 break;
290 295
291 default: 296 default:
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 70bfef6e5d..9ab740d51f 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -71,6 +71,7 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
71 HMAC_CTX hmac; 71 HMAC_CTX hmac;
72 unsigned char key[EVP_MAX_MD_SIZE], *salt; 72 unsigned char key[EVP_MAX_MD_SIZE], *salt;
73 int saltlen, iter; 73 int saltlen, iter;
74 int md_size;
74 75
75 if (!PKCS7_type_is_data(p12->authsafes)) 76 if (!PKCS7_type_is_data(p12->authsafes))
76 { 77 {
@@ -87,13 +88,16 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
87 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); 88 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
88 return 0; 89 return 0;
89 } 90 }
91 md_size = EVP_MD_size(md_type);
92 if (md_size < 0)
93 return 0;
90 if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter, 94 if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
91 EVP_MD_size(md_type), key, md_type)) { 95 md_size, key, md_type)) {
92 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR); 96 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR);
93 return 0; 97 return 0;
94 } 98 }
95 HMAC_CTX_init(&hmac); 99 HMAC_CTX_init(&hmac);
96 HMAC_Init_ex(&hmac, key, EVP_MD_size(md_type), md_type, NULL); 100 HMAC_Init_ex(&hmac, key, md_size, md_type, NULL);
97 HMAC_Update(&hmac, p12->authsafes->d.data->data, 101 HMAC_Update(&hmac, p12->authsafes->d.data->data,
98 p12->authsafes->d.data->length); 102 p12->authsafes->d.data->length);
99 HMAC_Final(&hmac, mac, maclen); 103 HMAC_Final(&hmac, mac, maclen);
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index 47e5e9c377..2f71355150 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -120,8 +120,13 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
120 bags = PKCS12_unpack_p7data(p7); 120 bags = PKCS12_unpack_p7data(p7);
121 } else if (bagnid == NID_pkcs7_encrypted) { 121 } else if (bagnid == NID_pkcs7_encrypted) {
122 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); 122 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
123 alg_get(p7->d.encrypted->enc_data->algorithm, 123 if (!alg_get(p7->d.encrypted->enc_data->algorithm,
124 &pbe_nid, &pbe_iter, &pbe_saltlen); 124 &pbe_nid, &pbe_iter, &pbe_saltlen))
125 {
126 sk_PKCS12_SAFEBAG_pop_free(bags,
127 PKCS12_SAFEBAG_free);
128 bags = NULL;
129 }
125 } else continue; 130 } else continue;
126 if (!bags) { 131 if (!bags) {
127 sk_PKCS7_pop_free(asafes, PKCS7_free); 132 sk_PKCS7_pop_free(asafes, PKCS7_free);
@@ -193,7 +198,9 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
193 if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1; 198 if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1;
194 199
195 if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1))) return 0; 200 if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1))) return 0;
196 alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen); 201 if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter,
202 &p8_saltlen))
203 return 0;
197 if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, 204 if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
198 p8_iter, p8))) return 0; 205 p8_iter, p8))) return 0;
199 X509_SIG_free(bag->value.shkeybag); 206 X509_SIG_free(bag->value.shkeybag);
@@ -208,9 +215,11 @@ static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
208 215
209 p = alg->parameter->value.sequence->data; 216 p = alg->parameter->value.sequence->data;
210 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); 217 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
218 if (!pbe)
219 return 0;
211 *pnid = OBJ_obj2nid(alg->algorithm); 220 *pnid = OBJ_obj2nid(alg->algorithm);
212 *piter = ASN1_INTEGER_get(pbe->iter); 221 *piter = ASN1_INTEGER_get(pbe->iter);
213 *psaltlen = pbe->salt->length; 222 *psaltlen = pbe->salt->length;
214 PBEPARAM_free(pbe); 223 PBEPARAM_free(pbe);
215 return 0; 224 return 1;
216} 225}
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
index ca30ac4f6d..59c6f453f6 100644
--- a/src/lib/libcrypto/pkcs12/p12_utl.c
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -62,7 +62,7 @@
62 62
63/* Cheap and nasty Unicode stuff */ 63/* Cheap and nasty Unicode stuff */
64 64
65unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) 65unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
66{ 66{
67 int ulen, i; 67 int ulen, i;
68 unsigned char *unitmp; 68 unsigned char *unitmp;
@@ -81,7 +81,7 @@ unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *un
81 return unitmp; 81 return unitmp;
82} 82}
83 83
84char *uni2asc(unsigned char *uni, int unilen) 84char *OPENSSL_uni2asc(unsigned char *uni, int unilen)
85{ 85{
86 int asclen, i; 86 int asclen, i;
87 char *asctmp; 87 char *asctmp;
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
index 07a1fb6907..f6ddf2df12 100644
--- a/src/lib/libcrypto/pkcs12/pk12err.c
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
1/* crypto/pkcs12/pk12err.c */ 1/* crypto/pkcs12/pk12err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 4bee605dc0..b17eb9f42b 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -108,8 +108,6 @@ PKCS12_MAC_DATA *mac;
108PKCS7 *authsafes; 108PKCS7 *authsafes;
109} PKCS12; 109} PKCS12;
110 110
111PREDECLARE_STACK_OF(PKCS12_SAFEBAG)
112
113typedef struct { 111typedef struct {
114ASN1_OBJECT *type; 112ASN1_OBJECT *type;
115union { 113union {
@@ -232,8 +230,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
232 const EVP_MD *md_type); 230 const EVP_MD *md_type);
233int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, 231int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
234 int saltlen, const EVP_MD *md_type); 232 int saltlen, const EVP_MD *md_type);
235unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); 233unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
236char *uni2asc(unsigned char *uni, int unilen); 234char *OPENSSL_uni2asc(unsigned char *uni, int unilen);
237 235
238DECLARE_ASN1_FUNCTIONS(PKCS12) 236DECLARE_ASN1_FUNCTIONS(PKCS12)
239DECLARE_ASN1_FUNCTIONS(PKCS12_MAC_DATA) 237DECLARE_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 04:27:55 +0000