Allow PKCS12 export to set arbitrary bag attributes

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19025)
author: Graham Woodward <graham.woodward@ibm.com> 2022-08-19 08:46:47 +0100
committer: Matt Caswell <matt@openssl.org> 2022-09-23 17:40:02 +0100
commit: e869c867c1c405de3b6538586f17b67937556a4b (patch)
tree: 21feab85e639e54c1e2a8a6d1a68a807f2e7dae4 /apps/pkcs12.c
parent: ecc920b3277311e859282b6d400ba8566d7ea8c1 (diff)
1 files changed, 70 insertions, 4 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 0338ff30d6..f4aef816dd 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -14,6 +14,8 @@
 #include <string.h>
 #include "apps.h"
 #include "progs.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
@@ -54,6 +56,7 @@ void hex_prin(BIO *out, unsigned char *buf, int len);
 static int alg_print(const X509_ALGOR *alg);
 int cert_load(BIO *in, STACK_OF(X509) *sk);
 static int set_pbe(int *ppbe, const char *str);
+static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg);
 
 typedef enum OPTION_choice {
     OPT_COMMON,
@@ -525,6 +528,11 @@ int pkcs12_main(int argc, char **argv)
         EVP_MD *macmd = NULL;
         unsigned char *catmp = NULL;
         int i;
+        CONF *conf = NULL;
+        ASN1_OBJECT *obj = NULL;
+        STACK_OF(CONF_VALUE) *cb_sk = NULL;
+        const char *cb_attr = NULL;
+        const CONF_VALUE *val = NULL;
 
         if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
             BIO_printf(bio_err, "Nothing to export due to -noout or -nocerts and -nokeys\n");
@@ -669,9 +677,30 @@ int pkcs12_main(int argc, char **argv)
         if (!twopass)
             OPENSSL_strlcpy(macpass, pass, sizeof(macpass));
 
-        p12 = PKCS12_create_ex(cpass, name, key, ee_cert, certs,
-                               key_pbe, cert_pbe, iter, -1, keytype,
-                               app_get0_libctx(), app_get0_propq());
+        /* Load the config file */
+        if ((conf = app_load_config(default_config_file)) == NULL)
+            goto export_end;
+        if (!app_load_modules(conf))
+            goto export_end;
+        /* Find the cert bag section */
+        if ((cb_attr = NCONF_get_string(conf, "pkcs12", "certBagAttr")) != NULL) {
+            if ((cb_sk = NCONF_get_section(conf, cb_attr)) != NULL) {
+                for (i = 0; i < sk_CONF_VALUE_num(cb_sk); i++) {
+                    val = sk_CONF_VALUE_value(cb_sk, i);
+                    if (strcmp(val->name, "jdkTrustedKeyUsage") == 0)
+                        obj = OBJ_txt2obj(val->value, 0);
+                }
+            } else {
+                ERR_clear_error();
+            }
+        } else {
+            ERR_clear_error();
+        }
+
+        p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs,
+                                key_pbe, cert_pbe, iter, -1, keytype,
+                                app_get0_libctx(), app_get0_propq(),
+                                jdk_trust, (void*)obj);
 
         if (p12 == NULL) {
             BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n",
@@ -708,7 +737,8 @@ int pkcs12_main(int argc, char **argv)
         OSSL_STACK_OF_X509_free(certs);
         OSSL_STACK_OF_X509_free(untrusted_certs);
         X509_free(ee_cert);
-
+        NCONF_free(conf);
+        ASN1_OBJECT_free(obj);
         ERR_print_errors(bio_err);
         goto end;
 
@@ -838,6 +868,31 @@ int pkcs12_main(int argc, char **argv)
     return ret;
 }
 
+static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg)
+{
+    STACK_OF(X509_ATTRIBUTE) *attrs = NULL;
+    X509_ATTRIBUTE *attr = NULL;
+
+    /* Nothing to do */
+    if (cbarg == NULL)
+        return 1;
+
+    /* Get the current attrs */
+    attrs = (STACK_OF(X509_ATTRIBUTE)*)PKCS12_SAFEBAG_get0_attrs(bag);
+
+    /* Create a new attr for the JDK Trusted Usage and add it */
+    attr = X509_ATTRIBUTE_create(NID_oracle_jdk_trustedkeyusage, V_ASN1_OBJECT, (ASN1_OBJECT*)cbarg);
+
+    /* Add the new attr, if attrs is NULL, it'll be initialised */
+    X509at_add1_attr(&attrs, attr);
+
+    /* Set the bag attrs */
+    PKCS12_SAFEBAG_set0_attrs(bag, attrs);
+
+    X509_ATTRIBUTE_free(attr);
+    return 1;
+}
+
 int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
                         int passlen, int options, char *pempass,
                         const EVP_CIPHER *enc)
@@ -1137,6 +1192,8 @@ int cert_load(BIO *in, STACK_OF(X509) *sk)
 void print_attribute(BIO *out, const ASN1_TYPE *av)
 {
     char *value;
+    const char *ln;
+    char objbuf[80];
 
     switch (av->type) {
     case V_ASN1_BMPSTRING:
@@ -1163,6 +1220,15 @@ void print_attribute(BIO *out, const ASN1_TYPE *av)
         BIO_printf(out, "\n");
         break;
 
+    case V_ASN1_OBJECT:
+        ln = OBJ_nid2ln(OBJ_obj2nid(av->value.object));
+        if (!ln)
+            ln = "";
+        OBJ_obj2txt(objbuf, sizeof(objbuf), av->value.object, 1);
+        BIO_printf(out, "%s (%s)", ln, objbuf);
+        BIO_printf(out, "\n");
+        break;
+
     default:
         BIO_printf(out, "<Unsupported tag %d>\n", av->type);
         break;
author	Graham Woodward <graham.woodward@ibm.com>	2022-08-19 08:46:47 +0100
committer	Matt Caswell <matt@openssl.org>	2022-09-23 17:40:02 +0100
commit	e869c867c1c405de3b6538586f17b67937556a4b (patch)
tree	21feab85e639e54c1e2a8a6d1a68a807f2e7dae4 /apps/pkcs12.c
parent	ecc920b3277311e859282b6d400ba8566d7ea8c1 (diff)