diff options
-rw-r--r-- | apps/pkcs12.c | 14 | ||||
-rw-r--r-- | crypto/err/openssl.txt | 2 | ||||
-rw-r--r-- | crypto/pkcs12/p12_attr.c | 28 | ||||
-rw-r--r-- | crypto/pkcs12/p12_crt.c | 18 | ||||
-rw-r--r-- | crypto/pkcs12/p12_sbag.c | 66 | ||||
-rw-r--r-- | crypto/pkcs12/pk12err.c | 3 | ||||
-rw-r--r-- | doc/man3/PKCS12_SAFEBAG_create_cert.pod | 80 | ||||
-rw-r--r-- | doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 74 | ||||
-rw-r--r-- | doc/man3/PKCS12_add1_attr_by_NID.pod | 52 | ||||
-rw-r--r-- | doc/man3/PKCS12_add_cert.pod | 66 | ||||
-rw-r--r-- | doc/man3/PKCS12_add_safe.pod | 64 | ||||
-rw-r--r-- | include/openssl/pkcs12.h | 9 | ||||
-rw-r--r-- | include/openssl/pkcs12err.h | 2 | ||||
-rw-r--r-- | test/build.info | 7 | ||||
-rw-r--r-- | test/pkcs12_format_test.c | 444 | ||||
-rw-r--r-- | test/pkcs12_helper.c | 708 | ||||
-rw-r--r-- | test/pkcs12_helper.h | 99 | ||||
-rw-r--r-- | test/recipes/80-test_pkcs12.t | 5 | ||||
-rw-r--r-- | util/libcrypto.num | 6 |
19 files changed, 1738 insertions, 9 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 3398250efd..46340c0d25 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -789,6 +789,16 @@ int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag, X509_free(x509); break; + case NID_secretBag: + if (options & INFO) + BIO_printf(bio_err, "Secret bag\n"); + print_attribs(out, attrs, "Bag Attributes"); + BIO_printf(bio_err, "Bag Type: "); + i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_bag_type(bag)); + BIO_printf(bio_err, "\nBag Value: "); + print_attribute(out, PKCS12_SAFEBAG_get0_bag_obj(bag)); + return 1; + case NID_safeContentsBag: if (options & INFO) BIO_printf(bio_err, "Safe Contents bag\n"); @@ -954,6 +964,10 @@ void print_attribute(BIO *out, const ASN1_TYPE *av) OPENSSL_free(value); break; + case V_ASN1_UTF8STRING: + BIO_printf(out, "%s\n", av->value.utf8string->data); + break; + case V_ASN1_OCTET_STRING: hex_prin(out, av->value.octet_string->data, av->value.octet_string->length); diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 53becb8ed4..cbfc495a0a 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1058,6 +1058,7 @@ PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF:112:PKCS12_SAFEBAG_create0_p8inf PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8:113:PKCS12_SAFEBAG_create0_pkcs8 PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT:133:\ PKCS12_SAFEBAG_create_pkcs8_encrypt +PKCS12_F_PKCS12_SAFEBAG_CREATE_SECRET:134: PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_setup_mac PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes @@ -2760,6 +2761,7 @@ PKCS12_R_ENCRYPT_ERROR:103:encrypt error PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE:120:error setting encrypted data type PKCS12_R_INVALID_NULL_ARGUMENT:104:invalid null argument PKCS12_R_INVALID_NULL_PKCS12_POINTER:105:invalid null pkcs12 pointer +PKCS12_R_INVALID_TYPE:112:invalid type PKCS12_R_IV_GEN_ERROR:106:iv gen error PKCS12_R_KEY_GEN_ERROR:107:key gen error PKCS12_R_MAC_ABSENT:108:mac absent diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c index e2ca95bcfa..0acecef7a3 100644 --- a/crypto/pkcs12/p12_attr.c +++ b/crypto/pkcs12/p12_attr.c @@ -18,7 +18,7 @@ int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen) { if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID, - V_ASN1_OCTET_STRING, name, namelen)) + V_ASN1_OCTET_STRING, name, namelen) != NULL) return 1; else return 0; @@ -39,7 +39,7 @@ int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen) { if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, - MBSTRING_ASC, (unsigned char *)name, namelen)) + MBSTRING_ASC, (unsigned char *)name, namelen) != NULL) return 1; else return 0; @@ -49,7 +49,7 @@ int PKCS12_add_friendlyname_utf8(PKCS12_SAFEBAG *bag, const char *name, int namelen) { if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, - MBSTRING_UTF8, (unsigned char *)name, namelen)) + MBSTRING_UTF8, (unsigned char *)name, namelen) != NULL) return 1; else return 0; @@ -59,7 +59,7 @@ int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name, int namelen) { if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, - MBSTRING_BMP, name, namelen)) + MBSTRING_BMP, name, namelen) != NULL) return 1; else return 0; @@ -68,7 +68,25 @@ int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen) { if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name, - MBSTRING_ASC, (unsigned char *)name, namelen)) + MBSTRING_ASC, (unsigned char *)name, namelen) != NULL) + return 1; + else + return 0; +} + +int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type, + const unsigned char *bytes, int len) +{ + if (X509at_add1_attr_by_NID(&bag->attrib, nid, type, bytes, len) != NULL) + return 1; + else + return 0; +} + +int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type, + const unsigned char *bytes, int len) +{ + if (X509at_add1_attr_by_txt(&bag->attrib, attrname, type, bytes, len) != NULL) return 1; else return 0; diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index f75b2437c9..699f1b7d61 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -207,6 +207,24 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, } +PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags, + int nid_type, const unsigned char *value, int len) +{ + PKCS12_SAFEBAG *bag = NULL; + + /* Add secret, storing the value as an octet string */ + if ((bag = PKCS12_SAFEBAG_create_secret(nid_type, V_ASN1_OCTET_STRING, value, len)) == NULL) + goto err; + + if (!pkcs12_add_bag(pbags, bag)) + goto err; + + return bag; + err: + PKCS12_SAFEBAG_free(bag); + return NULL; +} + int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, int nid_safe, int iter, const char *pass) { diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c index ccb9acb17e..3da437f7ea 100644 --- a/crypto/pkcs12/p12_sbag.c +++ b/crypto/pkcs12/p12_sbag.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -71,6 +71,16 @@ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag) return OBJ_obj2nid(bag->value.bag->type); } +const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag) +{ + return bag->value.bag->type; +} + +const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag) +{ + return bag->value.bag->value.other; +} + X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag) { if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag) @@ -103,6 +113,60 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl) NID_x509Crl, NID_crlBag); } +PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned char *value, int len) +{ + PKCS12_BAGS *bag; + PKCS12_SAFEBAG *safebag; + + if ((bag = PKCS12_BAGS_new()) == NULL) { + PKCS12err(0, ERR_R_MALLOC_FAILURE); + return NULL; + } + bag->type = OBJ_nid2obj(type); + + switch(vtype) { + case V_ASN1_OCTET_STRING: + { + ASN1_OCTET_STRING *strtmp = ASN1_OCTET_STRING_new(); + + if (strtmp == NULL) { + PKCS12err(0, ERR_R_MALLOC_FAILURE); + goto err; + } + /* Pack data into an octet string */ + if (!ASN1_OCTET_STRING_set(strtmp, value, len)) { + ASN1_OCTET_STRING_free(strtmp); + PKCS12err(0, PKCS12_R_ENCODE_ERROR); + goto err; + } + bag->value.other = ASN1_TYPE_new(); + if (bag->value.other == NULL) { + ASN1_OCTET_STRING_free(strtmp); + PKCS12err(0, ERR_R_MALLOC_FAILURE); + goto err; + } + ASN1_TYPE_set(bag->value.other, vtype, strtmp); + } + break; + + default: + PKCS12err(0, PKCS12_R_INVALID_TYPE); + goto err; + } + + if ((safebag = PKCS12_SAFEBAG_new()) == NULL) { + PKCS12err(0, ERR_R_MALLOC_FAILURE); + goto err; + } + safebag->value.bag = bag; + safebag->type = OBJ_nid2obj(NID_secretBag); + return safebag; + + err: + PKCS12_BAGS_free(bag); + return NULL; +} + /* Turn PKCS8 object into a keybag */ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8) diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c index c3ad2bf708..f7789dc8d3 100644 --- a/crypto/pkcs12/pk12err.c +++ b/crypto/pkcs12/pk12err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,6 +27,7 @@ static const ERR_STRING_DATA PKCS12_str_reasons[] = { "invalid null argument"}, {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_NULL_PKCS12_POINTER), "invalid null pkcs12 pointer"}, + {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_TYPE), "invalid type"}, {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_IV_GEN_ERROR), "iv gen error"}, {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_KEY_GEN_ERROR), "key gen error"}, {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_ABSENT), "mac absent"}, diff --git a/doc/man3/PKCS12_SAFEBAG_create_cert.pod b/doc/man3/PKCS12_SAFEBAG_create_cert.pod new file mode 100644 index 0000000000..380cde5612 --- /dev/null +++ b/doc/man3/PKCS12_SAFEBAG_create_cert.pod @@ -0,0 +1,80 @@ +=pod + +=head1 NAME + +PKCS12_SAFEBAG_create_cert, PKCS12_SAFEBAG_create_crl, +PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, +PKCS12_SAFEBAG_create0_pkcs8, PKCS12_SAFEBAG_create_pkcs8_encrypt - Create +PKCS#12 safeBag objects + +=head1 SYNOPSIS + + #include <openssl/pkcs12.h> + + PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509); + PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl); + PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, + const unsigned char* value, + int len); + PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8); + PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8); + PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, + const char *pass, + int passlen, + unsigned char *salt, + int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf); + +=head1 DESCRIPTION + +PKCS12_SAFEBAG_create_cert() creates a new B<PKCS12_SAFEBAG> of type B<NID_certBag> +containing the supplied certificate. + +PKCS12_SAFEBAG_create_crl() creates a new B<PKCS12_SAFEBAG> of type B<NID_crlBag> +containing the supplied crl. + +PKCS12_SAFEBAG_create_secret() creates a new B<PKCS12_SAFEBAG> of type +corresponding to a PKCS#12 I<secretBag>. The I<secretBag> contents are tagged as +I<type> with an ASN1 value of type I<vtype> constructed using the bytes in +I<value> of length I<len>. + +PKCS12_SAFEBAG_create0_p8inf() creates a new B<PKCS12_SAFEBAG> of type B<NID_keyBag> +containing the supplied PKCS8 structure. + +PKCS12_SAFEBAG_create0_pkcs8() creates a new B<PKCS12_SAFEBAG> of type +B<NID_pkcs8ShroudedKeyBag> containing the supplied PKCS8 structure. + +PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B<PKCS12_SAFEBAG> of type +B<NID_pkcs8ShroudedKeyBag> by encrypting the supplied PKCS8 I<p8inf>. +If I<pbe_nid> is 0, a default encryption algorithm is used. I<pass> is the +passphrase and I<iter> is the iteration count. If I<iter> is zero then a default +value of 2048 is used. If I<salt> is NULL then a salt is generated randomly. + +=head1 NOTES + +PKCS12_SAFEBAG_create_pkcs8_encrypt() makes assumptions regarding the encoding of the given pass +phrase. +See L<passphrase-encoding(7)> for more information. + +PKCS12_SAFEBAG_create_secret() was added in OpenSSL 3.0. + +=head1 RETURN VALUES + +All of these functions return a valid B<PKCS12_SAFEBAG> structure or NULL if an error occurred. + +=head1 SEE ALSO + +L<PKCS12_create(3)>, +L<PKCS12_add_safe(3)>, +L<PKCS12_add_safes(3)> + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod new file mode 100644 index 0000000000..e1bff6a1c8 --- /dev/null +++ b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod @@ -0,0 +1,74 @@ +=pod + +=head1 NAME + +PKCS12_SAFEBAG_get0_attr, PKCS12_SAFEBAG_get0_type, +PKCS12_SAFEBAG_get_nid, PKCS12_SAFEBAG_get_bag_nid, +PKCS12_SAFEBAG_get0_bag_obj, PKCS12_SAFEBAG_get0_bag_type, +PKCS12_SAFEBAG_get1_cert, PKCS12_SAFEBAG_get1_crl, +PKCS12_SAFEBAG_get0_safes, PKCS12_SAFEBAG_get0_p8inf, +PKCS12_SAFEBAG_get0_pkcs8 - Get objects from a PKCS#12 safeBag + +=head1 SYNOPSIS + + #include <openssl/pkcs12.h> + + const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag, + int attr_nid); + const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag); + int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag); + int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag); + const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag); + const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag); + X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag); + X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag); + const STACK_OF(PKCS12_SAFEBAG) *PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag); + const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag); + const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag); + +=head1 DESCRIPTION + +PKCS12_SAFEBAG_get0_attr() gets the attribute value corresponding to the B<attr_nid>. + +PKCS12_SAFEBAG_get0_type() gets the B<safeBag> type as an OID, whereas +PKCS12_SAFEBAG_get_nid() gets the B<safeBag> type as an NID, which could be +B<NID_certBag>, B<NID_crlBag>, B<NID_keyBag>, B<NID_secretBag>, B<NID_safeContentsBag> +or B<NID_pkcs8ShroudedKeyBag>. + +PKCS12_SAFEBAG_get_bag_nid() gets the type of the object contained within the +B<PKCS12_SAFEBAG>. This corresponds to the bag type for most bags, but can be +arbitrary for B<secretBag>s. PKCS12_SAFEBAG_get0_bag_type() gets this type as an OID. + +PKCS12_SAFEBAG_get0_bag_obj() retrieves the object contained within the safeBag. + +PKCS12_SAFEBAG_get1_cert() and PKCS12_SAFEBAG_get1_crl() return new B<X509> or +B<X509_CRL> objects from the item in the safeBag. + +PKCS12_SAFEBAG_get0_p8inf() and PKCS12_SAFEBAG_get0_pkcs8() return the PKCS8 object +from a PKCS8shroudedKeyBag or a keyBag. + +PKCS12_SAFEBAG_get0_safes() retrieves the set of B<safeBags> contained within a +safeContentsBag. + +=head1 RETURN VALUES + +PKCS12_SAFEBAG_get_nid() and PKCS12_SAFEBAG_get_bag_nid() return the NID of the safeBag +or bag object, or -1 if there is no corresponding NID. +Other functions return a valid object of the specified type or NULL if an error occurred. + +=head1 SEE ALSO + +L<PKCS12_create(3)>, +L<PKCS12_add_safe(3)>, +L<PKCS12_add_safes(3)> + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/PKCS12_add1_attr_by_NID.pod b/doc/man3/PKCS12_add1_attr_by_NID.pod new file mode 100644 index 0000000000..4871da35d7 --- /dev/null +++ b/doc/man3/PKCS12_add1_attr_by_NID.pod @@ -0,0 +1,52 @@ +=pod + +=head1 NAME + +PKCS12_add1_attr_by_NID, PKCS12_add1_attr_by_txt - Add an attribute to a PKCS#12 +safeBag structure + +=head1 SYNOPSIS + + #include <openssl/pkcs12.h> + + int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type, + const unsigned char *bytes, int len); + int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type, + const unsigned char *bytes, int len); + +=head1 DESCRIPTION + +These functions add a PKCS#12 Attribute to the Attribute Set of the B<bag>. + +PKCS12_add1_attr_by_NID() adds an attribute of type B<nid> with a value of ASN1 +type B<type> constructed using B<len> bytes from B<bytes>. + +PKCS12_add1_attr_by_txt() adds an attribute of type B<attrname> with a value of +ASN1 type B<type> constructed using B<len> bytes from B<bytes>. + +=head1 NOTES + +These functions do not check whether an existing attribute of the same type is +present. There can be multiple attributes with the same type assigned to a +safeBag. + +Both functions were added in OpenSSL 3.0. + +=head1 RETURN VALUES + +A return value of 1 indicates success, 0 indicates failure. + +=head1 SEE ALSO + +L<PKCS12_create(3)> + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/PKCS12_add_cert.pod b/doc/man3/PKCS12_add_cert.pod new file mode 100644 index 0000000000..bb326f7f4c --- /dev/null +++ b/doc/man3/PKCS12_add_cert.pod @@ -0,0 +1,66 @@ +=pod + +=head1 NAME + +PKCS12_add_cert, PKCS12_add_key, +PKCS12_add_secret - Add an object to a set of PKCS#12 safeBags + +=head1 SYNOPSIS + + #include <openssl/pkcs12.h> + + PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); + PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, + EVP_PKEY *key, int key_usage, int iter, + int key_nid, const char *pass); + PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags, + int nid_type, const unsigned char *value, int len); + +=head1 DESCRIPTION + +These functions create a new B<PKCS12_SAFEBAG> and add it to the set of safeBags +in I<pbags>. + +PKCS12_add_cert() creates a PKCS#12 certBag containing the supplied +certificate and adds this to the set of PKCS#12 safeBags. + +PKCS12_add_key() creates a PKCS#12 keyBag (unencrypted) or a pkcs8shroudedKeyBag +(encrypted) containing the supplied B<EVP_PKEY> and adds this to the set of PKCS#12 +safeBags. If I<key_nid> is not -1 then the key is encrypted with the supplied +algorithm, using I<pass> as the passphrase and I<iter> as the iteration count. If +I<iter> is zero then a default value for iteration count of 2048 is used. + +PKCS12_add_secret() creates a PKCS#12 secretBag with an OID corresponding to +the supplied B<nid_type> containing the supplied value as an ASN1 octet string. +This is then added to the set of PKCS#12 safeBags. + +=head1 NOTES + +If a certificate contains an B<alias> or a B<keyid> then this will be +used for the corresponding B<friendlyName> or B<localKeyID> in the +PKCS12 structure. + +PKCS12_add_key() makes assumptions regarding the encoding of the given pass +phrase. +See L<passphrase-encoding(7)> for more information. + +PKCS12_add_secret() was added in OpenSSL 3.0. + +=head1 RETURN VALUES + +A valid B<PKCS12_SAFEBAG> structure or NULL if an error occurred. + +=head1 SEE ALSO + +L<PKCS12_create(3)> + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/PKCS12_add_safe.pod b/doc/man3/PKCS12_add_safe.pod new file mode 100644 index 0000000000..ec657aaa07 --- /dev/null +++ b/doc/man3/PKCS12_add_safe.pod @@ -0,0 +1,64 @@ +=pod + +=head1 NAME + +PKCS12_add_safe, PKCS12_add_safes - Create and add objects to a PKCS#12 structure + +=head1 SYNOPSIS + + #include <openssl/pkcs12.h> + + int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, + int safe_nid, int iter, const char *pass); + PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); + +=head1 DESCRIPTION + +PKCS12_add_safe() creates a new PKCS7 contentInfo containing the supplied +B<PKCS12_SAFEBAG>s and adds this to a set of PKCS7 contentInfos. Its type +depends on the value of B<safe_nid>: + +=over 4 + +=item * If I<safe_nid> is -1, a plain PKCS7 I<data> contentInfo is created. + +=item * If I<safe_nid> is a valid PBE algorithm NID, a PKCS7 B<encryptedData> +contentInfo is created. The algorithm uses I<pass> as the passphrase and I<iter> +as the iteration count. If I<iter> is zero then a default value for iteration +count of 2048 is used. + +=item * If I<safe_nid> is 0, a PKCS7 B<encryptedData> contentInfo is created using +a default encryption algorithm, currently B<NID_pbe_WithSHA1And3_Key_TripleDES_CBC>. + +=back + +PKCS12_add_safes() creates a B<PKCS12> structure containing the supplied set of +PKCS7 contentInfos. The I<safes> are enclosed first within a PKCS7 contentInfo +of type I<p7_nid>. Currently the only supported type is B<NID_pkcs7_data>. + +=head1 NOTES + +PKCS12_add_safe() makes assumptions regarding the encoding of the given pass +phrase. +See L<passphrase-encoding(7)> for more information. + +=head1 RETURN VALUES + +PKCS12_add_safe() returns a value of 1 indicating success or 0 for failure. + +PKCS12_add_safes() returns a valid B<PKCS12> structure or NULL if an error occurred. + +=head1 SEE ALSO + +L<PKCS12_create(3)> + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h index abf124f27a..46e95c11b6 100644 --- a/include/openssl/pkcs12.h +++ b/include/openssl/pkcs12.h @@ -93,6 +93,8 @@ const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag, const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag); int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag); int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag); +const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag); +const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag); X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag); X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag); @@ -103,6 +105,7 @@ const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl); +PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned char *value, int len); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, @@ -144,6 +147,10 @@ int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen); int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name, int namelen); +int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type, + const unsigned char *bytes, int len); +int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type, + const unsigned char *bytes, int len); int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage); ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid); @@ -209,6 +216,8 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage, int iter, int key_nid, const char *pass); +PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags, + int nid_type, const unsigned char *value, int len); int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, int safe_nid, int iter, const char *pass); PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h index 8d69b63f1a..0a3f42bd62 100644 --- a/include/openssl/pkcs12err.h +++ b/include/openssl/pkcs12err.h @@ -47,6 +47,7 @@ int ERR_load_PKCS12_strings(void); # define PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF 0 # define PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8 0 # define PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT 0 +# define PKCS12_F_PKCS12_SAFEBAG_CREATE_SECRET 0 # define PKCS12_F_PKCS12_SETUP_MAC 0 # define PKCS12_F_PKCS12_SET_MAC 0 # define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 0 @@ -67,6 +68,7 @@ int ERR_load_PKCS12_strings(void); # define PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE 120 # define PKCS12_R_INVALID_NULL_ARGUMENT 104 # define PKCS12_R_INVALID_NULL_PKCS12_POINTER 105 +# define PKCS12_R_INVALID_TYPE 112 # define PKCS12_R_IV_GEN_ERROR 106 # define PKCS12_R_KEY_GEN_ERROR 107 # define PKCS12_R_MAC_ABSENT 108 diff --git a/test/build.info b/test/build.info index d15ee75814..a3e5857b99 100644 --- a/test/build.info +++ b/test/build.info @@ -30,7 +30,7 @@ IF[{- !$disabled{tests} -}] PROGRAMS{noinst}= \ confdump \ versions \ - aborttest test_test \ + aborttest test_test pkcs12_format_test \ sanitytest rsa_complex exdatatest bntest \ ectest ecstresstest gmdifftest pbelutest \ destest mdc2test \ @@ -234,6 +234,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[memleaktest]=../include ../apps/include DEPEND[memleaktest]=../libcrypto libtestutil.a + SOURCE[pkcs12_format_test]=pkcs12_format_test.c pkcs12_helper.c + INCLUDE[pkcs12_format_test]=../include ../apps/include + DEPEND[pkcs12_format_test]=../libcrypto libtestutil.a + SOURCE[stack_test]=stack_test.c INCLUDE[stack_test]=../include ../apps/include DEPEND[stack_test]=../libcrypto libtestutil.a @@ -276,6 +280,7 @@ IF[{- !$disabled{tests} -}] INCLUDE[ssl_test_ctx.o]=../include INCLUDE[handshake_helper.o]=.. ../include + INCLUDE[pkcs12_helper.o]=.. ../include INCLUDE[ssltestlib.o]=.. ../include INCLUDE[cmp_testlib.o]=.. ../include ../apps/include diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c new file mode 100644 index 0000000000..4b638af82d --- /dev/null +++ b/test/pkcs12_format_test.c @@ -0,0 +1,444 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#include "internal/nelem.h" + +#include <openssl/pkcs12.h> +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/pem.h> + +#include "testutil.h" +#include "pkcs12_helper.h" + + +/* -------------------------------------------------------------------------- + * PKCS12 component test data + */ + +static const unsigned char CERT1[] = +{ + 0x30, 0x82, 0x01, 0xed, 0x30, 0x82, 0x01, 0x56, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, + 0x8b, 0x4b, 0x5e, 0x6c, 0x03, 0x28, 0x4e, 0xe6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x19, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x0e, 0x50, 0x31, 0x32, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x52, 0x6f, 0x6f, 0x74, + 0x2d, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x39, 0x33, 0x30, 0x30, 0x30, 0x34, 0x36, + 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x39, 0x32, 0x37, 0x30, 0x30, 0x34, 0x36, 0x35, + 0x36, 0x5a, 0x30, 0x1b, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x50, + 0x31, 0x32, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2d, 0x31, 0x30, + 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xbc, 0xdc, 0x6f, 0x8c, + 0x7a, 0x2a, 0x4b, 0xea, 0x66, 0x66, 0x04, 0xa9, 0x05, 0x92, 0x53, 0xd7, 0x13, 0x3c, 0x49, 0xe1, + 0xc8, 0xbb, 0xdf, 0x3d, 0xcb, 0x88, 0x31, 0x07, 0x20, 0x59, 0x93, 0x24, 0x7f, 0x7d, 0xc6, 0x84, + 0x81, 0x16, 0x64, 0x4a, 0x52, 0xa6, 0x30, 0x44, 0xdc, 0x1a, 0x30, 0xde, 0xae, 0x29, 0x18, 0xcf, + 0xc7, 0xf3, 0xcf, 0x0c, 0xb7, 0x8e, 0x2b, 0x1e, 0x21, 0x01, 0x0b, 0xfb, 0xe5, 0xe6, 0xcf, 0x2b, + 0x84, 0xe1, 0x33, 0xf8, 0xba, 0x02, 0xfc, 0x30, 0xfa, 0xc4, 0x33, 0xc7, 0x37, 0xc6, 0x7f, 0x72, + 0x31, 0x92, 0x1d, 0x8f, 0xa0, 0xfb, 0xe5, 0x4a, 0x08, 0x31, 0x78, 0x80, 0x9c, 0x23, 0xb4, 0xe9, + 0x19, 0x56, 0x04, 0xfa, 0x0d, 0x07, 0x04, 0xb7, 0x43, 0xac, 0x4c, 0x49, 0x7c, 0xc2, 0xa1, 0x44, + 0xc1, 0x48, 0x7d, 0x28, 0xe5, 0x23, 0x66, 0x07, 0x22, 0xd5, 0xf0, 0xf1, 0x02, 0x03, 0x01, 0x00, + 0x01, 0xa3, 0x3b, 0x30, 0x39, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, + 0x80, 0x14, 0xdb, 0xbb, 0xb8, 0x92, 0x4e, 0x24, 0x0b, 0x1b, 0xbb, 0x78, 0x33, 0xf9, 0x01, 0x02, + 0x23, 0x0d, 0x96, 0x18, 0x30, 0x47, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, + 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x04, 0xf0, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, + 0x00, 0x1c, 0x13, 0xdc, 0x02, 0xf1, 0x44, 0x36, 0x65, 0xa9, 0xbe, 0x30, 0x1c, 0x66, 0x14, 0x20, + 0x86, 0x5a, 0xa8, 0x69, 0x25, 0xf8, 0x1a, 0xb6, 0x9e, 0x5e, 0xe9, 0x89, 0xb8, 0x67, 0x70, 0x19, + 0x87, 0x60, 0xeb, 0x4b, |