authorJon Spillett <jon.spillett@oracle.com>2019-09-19 15:39:13 +1000
committerPauli <paul.dale@oracle.com>2020-08-07 07:59:48 +1000
commitc5ec6dcf0bdd15354a1440632766e19540487c58 (patch)
treec95f50468b0d3470ceaf7f5025db6b4fbc4d83b2 /crypto/pkcs12
parent15c9aa3aef77c642ef2b6c84bba2b57b35ed083e (diff)
Add new APIs to get PKCS12 secretBag OID and value
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10063)
Diffstat (limited to 'crypto/pkcs12')
-rw-r--r--crypto/pkcs12/p12_attr.c28
-rw-r--r--crypto/pkcs12/p12_crt.c18
-rw-r--r--crypto/pkcs12/p12_sbag.c66
-rw-r--r--crypto/pkcs12/pk12err.c3
4 files changed, 108 insertions, 7 deletions
diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c
index e2ca95bcfa..0acecef7a3 100644
--- a/crypto/pkcs12/p12_attr.c
+++ b/crypto/pkcs12/p12_attr.c
@@ -18,7 +18,7 @@ int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID,
- V_ASN1_OCTET_STRING, name, namelen))
+ V_ASN1_OCTET_STRING, name, namelen) != NULL)
return 1;
else
return 0;
@@ -39,7 +39,7 @@ int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
- MBSTRING_ASC, (unsigned char *)name, namelen))
+ MBSTRING_ASC, (unsigned char *)name, namelen) != NULL)
return 1;
else
return 0;
@@ -49,7 +49,7 @@ int PKCS12_add_friendlyname_utf8(PKCS12_SAFEBAG *bag, const char *name,
int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
- MBSTRING_UTF8, (unsigned char *)name, namelen))
+ MBSTRING_UTF8, (unsigned char *)name, namelen) != NULL)
return 1;
else
return 0;
@@ -59,7 +59,7 @@ int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
const unsigned char *name, int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
- MBSTRING_BMP, name, namelen))
+ MBSTRING_BMP, name, namelen) != NULL)
return 1;
else
return 0;
@@ -68,7 +68,25 @@ int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name,
- MBSTRING_ASC, (unsigned char *)name, namelen))
+ MBSTRING_ASC, (unsigned char *)name, namelen) != NULL)
+ return 1;
+ else
+ return 0;
+}
+
+int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type,
+ const unsigned char *bytes, int len)
+{
+ if (X509at_add1_attr_by_NID(&bag->attrib, nid, type, bytes, len) != NULL)
+ return 1;
+ else
+ return 0;
+}
+
+int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
+ const unsigned char *bytes, int len)
+{
+ if (X509at_add1_attr_by_txt(&bag->attrib, attrname, type, bytes, len) != NULL)
return 1;
else
return 0;
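Review bot: The two new public wrappers `PKCS12_add1_attr_by_NID` and `PKCS12_add1_attr_by_txt` have no comment stating the contract for `type` and `len`, which are forwarded unchanged to `X509at_add1_attr_by_NID` / `X509at_add1_attr_by_txt`. As far as I recall, the X509 attribute code does not treat `len == -1` with a non-MBSTRING `type` as a length at all; it reinterprets `bytes` as an already-built ASN.1 value, so a caller passing a computed length could hit that path by accident (worth confirming against the X509_ATTRIBUTE code). I would add a header comment on each, e.g. `/* Returns 1 on success, 0 on failure; bytes is copied. len must be >= 0 for raw types; see X509_ATTRIBUTE_set1_data() for the meaning of -1. */`. `bag` is also dereferenced without a NULL check, which matches the older helpers above but should be stated. The closing brace of `PKCS12_add1_attr_by_txt` lies outside the hunk.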
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index f75b2437c9..699f1b7d61 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -207,6 +207,24 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
}
+PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ int nid_type, const unsigned char *value, int len)
+{
+ PKCS12_SAFEBAG *bag = NULL;
+
+ /* Add secret, storing the value as an octet string */
+ if ((bag = PKCS12_SAFEBAG_create_secret(nid_type, V_ASN1_OCTET_STRING, value, len)) == NULL)
+ goto err;
+
+ if (!pkcs12_add_bag(pbags, bag))
+ goto err;
+
+ return bag;
+ err:
+ PKCS12_SAFEBAG_free(bag);
+ return NULL;
+}
+
int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
int nid_safe, int iter, const char *pass)
{
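Review bot: `PKCS12_add_secret` returns `bag` after `pkcs12_add_bag(pbags, bag)` has succeeded, so the returned pointer aliases an element now held in `*pbags`, and nothing tells the caller not to free it. A caller who frees both the return value and the stack would double-free the secret bag. I would add a comment above the function such as `/* On success the returned bag is owned by *pbags; do not free it separately. value is copied. */`. The same comment could note that `len` is passed through unchecked to `PKCS12_SAFEBAG_create_secret`. As a style point, the `PKCS12_SAFEBAG_create_secret(...)` call line is well past 80 columns and could be wrapped.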
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index ccb9acb17e..3da437f7ea 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -71,6 +71,16 @@ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
return OBJ_obj2nid(bag->value.bag->type);
}
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag)
+{
+ return bag->value.bag->type;
+}
+
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag)
+{
+ return bag->value.bag->value.other;
+}
+
X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
{
if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag)
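Review bot: `PKCS12_SAFEBAG_get0_bag_type` and `PKCS12_SAFEBAG_get0_bag_obj` dereference `bag->value.bag` without first checking which kind of safebag they were given, unlike `PKCS12_SAFEBAG_get1_cert` directly below, which tests `PKCS12_SAFEBAG_get_nid(bag)` before touching the value. If `value` is a union keyed on the bag type, as the `value.bag` / `value.other` accesses suggest, then calling these on a key bag or a cert bag parsed from an untrusted file reads a pointer of the wrong type. I would guard both with `if (PKCS12_SAFEBAG_get_nid(bag) != NID_secretBag) return NULL;` and document that NULL is returned for other bag types. The body of `PKCS12_SAFEBAG_get1_cert` continues outside the hunk.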
@@ -103,6 +113,60 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
NID_x509Crl, NID_crlBag);
}
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned char *value, int len)
+{
+ PKCS12_BAGS *bag;
+ PKCS12_SAFEBAG *safebag;
+
+ if ((bag = PKCS12_BAGS_new()) == NULL) {
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ bag->type = OBJ_nid2obj(type);
+
+ switch(vtype) {
+ case V_ASN1_OCTET_STRING:
+ {
+ ASN1_OCTET_STRING *strtmp = ASN1_OCTET_STRING_new();
+
+ if (strtmp == NULL) {
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ /* Pack data into an octet string */
+ if (!ASN1_OCTET_STRING_set(strtmp, value, len)) {
+ ASN1_OCTET_STRING_free(strtmp);
+ PKCS12err(0, PKCS12_R_ENCODE_ERROR);
+ goto err;
+ }
+ bag->value.other = ASN1_TYPE_new();
+ if (bag->value.other == NULL) {
+ ASN1_OCTET_STRING_free(strtmp);
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ ASN1_TYPE_set(bag->value.other, vtype, strtmp);
+ }
+ break;
+
+ default:
+ PKCS12err(0, PKCS12_R_INVALID_TYPE);
+ goto err;
+ }
+
+ if ((safebag = PKCS12_SAFEBAG_new()) == NULL) {
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ safebag->value.bag = bag;
+ safebag->type = OBJ_nid2obj(NID_secretBag);
+ return safebag;
+
+ err:
+ PKCS12_BAGS_free(bag);
+ return NULL;
+}
+
/* Turn PKCS8 object into a keybag */
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
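Review bot: `PKCS12_SAFEBAG_create_secret` passes `len` straight to `ASN1_OCTET_STRING_set(strtmp, value, len)`, and a negative length there means "use strlen(value)". For a binary secret that is not NUL-terminated this reads past the caller's buffer, or silently truncates at the first zero byte. I would reject it before any allocation, `if (len < 0) { PKCS12err(0, PKCS12_R_ENCODE_ERROR); return NULL; }`, and leave the choice of reason code to the maintainers. Separately, `bag->type = OBJ_nid2obj(type);` is not checked, so an unknown NID leaves a NULL `type` in a bag that is still returned as success; a `goto err` on NULL would surface that early. The secret is also copied into an ordinary `ASN1_OCTET_STRING`, which as far as I know is not cleansed when freed, so that deserves a comment for callers handling sensitive values.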
diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
index c3ad2bf708..f7789dc8d3 100644
--- a/crypto/pkcs12/pk12err.c
+++ b/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -27,6 +27,7 @@ static const ERR_STRING_DATA PKCS12_str_reasons[] = {
"invalid null argument"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_NULL_PKCS12_POINTER),
"invalid null pkcs12 pointer"},
+ {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_TYPE), "invalid type"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_IV_GEN_ERROR), "iv gen error"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_KEY_GEN_ERROR), "key gen error"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_ABSENT), "mac absent"},