File: | s/lib/pkcs12/p12d.c |
Warning: | line 2233, column 9 Value stored to 'setNickname' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | |
5 | #include "nssrenam.h" |
6 | #include "nss.h" |
7 | #include "p12t.h" |
8 | #include "p12.h" |
9 | #include "plarena.h" |
10 | #include "secitem.h" |
11 | #include "secoid.h" |
12 | #include "seccomon.h" |
13 | #include "secport.h" |
14 | #include "cert.h" |
15 | #include "secpkcs7.h" |
16 | #include "secasn1.h" |
17 | #include "secerr.h" |
18 | #include "pk11func.h" |
19 | #include "p12plcy.h" |
20 | #include "p12local.h" |
21 | #include "secder.h" |
22 | #include "secport.h" |
23 | |
24 | #include "certdb.h" |
25 | |
26 | #include "prcpucfg.h" |
27 | |
28 | /* This belongs in secport.h */ |
29 | #define PORT_ArenaGrowArray(poolp, oldptr, type, oldnum, newnum)(type *)PORT_ArenaGrow_Util((poolp), (oldptr), (oldnum) * sizeof (type), (newnum) * sizeof(type)) \ |
30 | (type *)PORT_ArenaGrowPORT_ArenaGrow_Util((poolp), (oldptr), \ |
31 | (oldnum) * sizeof(type), (newnum) * sizeof(type)) |
32 | |
33 | typedef struct sec_PKCS12SafeContentsContextStr sec_PKCS12SafeContentsContext; |
34 | |
35 | /* Opaque structure for decoding SafeContents. These are used |
36 | * for each authenticated safe as well as any nested safe contents. |
37 | */ |
38 | struct sec_PKCS12SafeContentsContextStr { |
39 | /* the parent decoder context */ |
40 | SEC_PKCS12DecoderContext *p12dcx; |
41 | |
42 | /* memory arena to allocate space from */ |
43 | PLArenaPool *arena; |
44 | |
45 | /* decoder context and destination for decoding safe contents */ |
46 | SEC_ASN1DecoderContext *safeContentsA1Dcx; |
47 | sec_PKCS12SafeContents safeContents; |
48 | |
49 | /* information for decoding safe bags within the safe contents. |
50 | * these variables are updated for each safe bag decoded. |
51 | */ |
52 | SEC_ASN1DecoderContext *currentSafeBagA1Dcx; |
53 | sec_PKCS12SafeBag *currentSafeBag; |
54 | PRBool skipCurrentSafeBag; |
55 | |
56 | /* if the safe contents is nested, the parent is pointed to here. */ |
57 | sec_PKCS12SafeContentsContext *nestedSafeContentsCtx; |
58 | }; |
59 | |
60 | /* opaque decoder context structure. information for decoding a pkcs 12 |
61 | * PDU are stored here as well as decoding pointers for intermediary |
62 | * structures which are part of the PKCS 12 PDU. Upon a successful |
63 | * decode, the safe bags containing certificates and keys encountered. |
64 | */ |
65 | struct SEC_PKCS12DecoderContextStr { |
66 | PLArenaPool *arena; |
67 | PK11SlotInfo *slot; |
68 | void *wincx; |
69 | PRBool error; |
70 | int errorValue; |
71 | |
72 | /* password */ |
73 | SECItem *pwitem; |
74 | |
75 | /* used for decoding the PFX structure */ |
76 | SEC_ASN1DecoderContext *pfxA1Dcx; |
77 | sec_PKCS12PFXItem pfx; |
78 | |
79 | /* safe bags found during decoding */ |
80 | sec_PKCS12SafeBag **safeBags; |
81 | unsigned int safeBagCount; |
82 | |
83 | /* state variables for decoding authenticated safes. */ |
84 | SEC_PKCS7DecoderContext *currentASafeP7Dcx; |
85 | SEC_ASN1DecoderContext *aSafeA1Dcx; |
86 | SEC_PKCS7DecoderContext *aSafeP7Dcx; |
87 | SEC_PKCS7ContentInfo *aSafeCinfo; |
88 | sec_PKCS12AuthenticatedSafe authSafe; |
89 | sec_PKCS12SafeContents safeContents; |
90 | |
91 | /* safe contents info */ |
92 | unsigned int safeContentsCnt; |
93 | sec_PKCS12SafeContentsContext **safeContentsList; |
94 | |
95 | /* HMAC info */ |
96 | sec_PKCS12MacData macData; |
97 | |
98 | /* routines for reading back the data to be hmac'd */ |
99 | /* They are called as follows. |
100 | * |
101 | * Stage 1: decode the aSafes cinfo into a buffer in dArg, |
102 | * which p12d.c sometimes refers to as the "temp file". |
103 | * This occurs during SEC_PKCS12DecoderUpdate calls. |
104 | * |
105 | * dOpen(dArg, PR_FALSE) |
106 | * dWrite(dArg, buf, len) |
107 | * ... |
108 | * dWrite(dArg, buf, len) |
109 | * dClose(dArg, PR_FALSE) |
110 | * |
111 | * Stage 2: verify MAC |
112 | * This occurs SEC_PKCS12DecoderVerify. |
113 | * |
114 | * dOpen(dArg, PR_TRUE) |
115 | * dRead(dArg, buf, IN_BUF_LEN) |
116 | * ... |
117 | * dRead(dArg, buf, IN_BUF_LEN) |
118 | * dClose(dArg, PR_TRUE) |
119 | */ |
120 | digestOpenFn dOpen; |
121 | digestCloseFn dClose; |
122 | digestIOFn dRead, dWrite; |
123 | void *dArg; |
124 | PRBool dIsOpen; /* is the temp file created? */ |
125 | |
126 | /* helper functions */ |
127 | SECKEYGetPasswordKey pwfn; |
128 | void *pwfnarg; |
129 | PRBool swapUnicodeBytes; |
130 | PRBool forceUnicode; |
131 | |
132 | /* import information */ |
133 | PRBool bagsVerified; |
134 | |
135 | /* buffer management for the default callbacks implementation */ |
136 | void *buffer; /* storage area */ |
137 | PRInt32 filesize; /* actual data size */ |
138 | PRInt32 allocated; /* total buffer size allocated */ |
139 | PRInt32 currentpos; /* position counter */ |
140 | SECPKCS12TargetTokenCAs tokenCAs; |
141 | sec_PKCS12SafeBag **keyList; /* used by ...IterateNext() */ |
142 | unsigned int iteration; |
143 | SEC_PKCS12DecoderItem decitem; |
144 | }; |
145 | |
146 | /* forward declarations of functions that are used when decoding |
147 | * safeContents bags which are nested and when decoding the |
148 | * authenticatedSafes. |
149 | */ |
150 | static SECStatus |
151 | sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext |
152 | *safeContentsCtx); |
153 | static SECStatus |
154 | sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext |
155 | *safeContentsCtx); |
156 | |
157 | /* make sure that the PFX version being decoded is a version |
158 | * which we support. |
159 | */ |
160 | static PRBool |
161 | sec_pkcs12_proper_version(sec_PKCS12PFXItem *pfx) |
162 | { |
163 | /* if no version, assume it is not supported */ |
164 | if (pfx->version.len == 0) { |
165 | return PR_FALSE0; |
166 | } |
167 | |
168 | if (DER_GetIntegerDER_GetInteger_Util(&pfx->version) > SEC_PKCS12_VERSION3) { |
169 | return PR_FALSE0; |
170 | } |
171 | |
172 | return PR_TRUE1; |
173 | } |
174 | |
175 | /* retrieve the key for decrypting the safe contents */ |
176 | static PK11SymKey * |
177 | sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid) |
178 | { |
179 | SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; |
180 | PK11SlotInfo *slot; |
181 | PK11SymKey *bulkKey; |
182 | SECItem pwitem = { 0 }; |
183 | SECOidTag algorithm; |
184 | |
185 | if (!p12dcx) { |
186 | return NULL((void*)0); |
187 | } |
188 | |
189 | /* if no slot specified, use the internal key slot */ |
190 | if (p12dcx->slot) { |
191 | slot = PK11_ReferenceSlot(p12dcx->slot); |
192 | } else { |
193 | slot = PK11_GetInternalKeySlot(); |
194 | } |
195 | |
196 | algorithm = SECOID_GetAlgorithmTagSECOID_GetAlgorithmTag_Util(algid); |
197 | |
198 | if (p12dcx->forceUnicode) { |
199 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &pwitem, p12dcx->pwitem) != SECSuccess) { |
200 | PK11_FreeSlot(slot); |
201 | return NULL((void*)0); |
202 | } |
203 | } else { |
204 | if (!sec_pkcs12_decode_password(NULL((void*)0), &pwitem, algorithm, p12dcx->pwitem)) { |
205 | PK11_FreeSlot(slot); |
206 | return NULL((void*)0); |
207 | } |
208 | } |
209 | |
210 | bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE0, p12dcx->wincx); |
211 | /* some tokens can't generate PBE keys on their own, generate the |
212 | * key in the internal slot, and let the Import code deal with it, |
213 | * (if the slot can't generate PBEs, then we need to use the internal |
214 | * slot anyway to unwrap). */ |
215 | if (!bulkKey && !PK11_IsInternal(slot)) { |
216 | PK11_FreeSlot(slot); |
217 | slot = PK11_GetInternalKeySlot(); |
218 | bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE0, p12dcx->wincx); |
219 | } |
220 | PK11_FreeSlot(slot); |
221 | |
222 | /* set the password data on the key */ |
223 | if (bulkKey) { |
224 | PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL((void*)0)); |
225 | } |
226 | |
227 | if (pwitem.data) { |
228 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&pwitem, PR_FALSE0); |
229 | } |
230 | |
231 | return bulkKey; |
232 | } |
233 | |
234 | /* XXX this needs to be modified to handle enveloped data. most |
235 | * likely, it should mirror the routines for SMIME in that regard. |
236 | */ |
237 | static PRBool |
238 | sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid, |
239 | PK11SymKey *bulkkey) |
240 | { |
241 | PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid); |
242 | |
243 | if (!decryptionAllowed) { |
244 | return PR_FALSE0; |
245 | } |
246 | |
247 | return PR_TRUE1; |
248 | } |
249 | |
250 | /* when we encounter a new safe bag during the decoding, we need |
251 | * to allocate space for the bag to be decoded to and set the |
252 | * state variables appropriately. all of the safe bags are allocated |
253 | * in a buffer in the outer SEC_PKCS12DecoderContext, however, |
254 | * a pointer to the safeBag is also used in the sec_PKCS12SafeContentsContext |
255 | * for the current bag. |
256 | */ |
257 | static SECStatus |
258 | sec_pkcs12_decoder_init_new_safe_bag(sec_PKCS12SafeContentsContext |
259 | *safeContentsCtx) |
260 | { |
261 | void *mark = NULL((void*)0); |
262 | SEC_PKCS12DecoderContext *p12dcx; |
263 | |
264 | /* make sure that the structures are defined, and there has |
265 | * not been an error in the decoding |
266 | */ |
267 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || safeContentsCtx->p12dcx->error) { |
268 | return SECFailure; |
269 | } |
270 | |
271 | p12dcx = safeContentsCtx->p12dcx; |
272 | mark = PORT_ArenaMarkPORT_ArenaMark_Util(p12dcx->arena); |
273 | |
274 | /* allocate a new safe bag, if bags already exist, grow the |
275 | * list of bags, otherwise allocate a new list. the list is |
276 | * NULL terminated. |
277 | */ |
278 | p12dcx->safeBags = (!p12dcx->safeBagCount) |
279 | ? PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeBag *, 2)(sec_PKCS12SafeBag * *)PORT_ArenaZAlloc_Util(p12dcx->arena , sizeof(sec_PKCS12SafeBag *) * (2)) |
280 | : PORT_ArenaGrowArray(p12dcx->arena, p12dcx->safeBags,(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((p12dcx->arena) , (p12dcx->safeBags), (p12dcx->safeBagCount + 1) * sizeof (sec_PKCS12SafeBag *), (p12dcx->safeBagCount + 2) * sizeof (sec_PKCS12SafeBag *)) |
281 | sec_PKCS12SafeBag *, p12dcx->safeBagCount + 1,(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((p12dcx->arena) , (p12dcx->safeBags), (p12dcx->safeBagCount + 1) * sizeof (sec_PKCS12SafeBag *), (p12dcx->safeBagCount + 2) * sizeof (sec_PKCS12SafeBag *)) |
282 | p12dcx->safeBagCount + 2)(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((p12dcx->arena) , (p12dcx->safeBags), (p12dcx->safeBagCount + 1) * sizeof (sec_PKCS12SafeBag *), (p12dcx->safeBagCount + 2) * sizeof (sec_PKCS12SafeBag *)); |
283 | |
284 | if (!p12dcx->safeBags) { |
285 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
286 | goto loser; |
287 | } |
288 | |
289 | /* append the bag to the end of the list and update the reference |
290 | * in the safeContentsCtx. |
291 | */ |
292 | p12dcx->safeBags[p12dcx->safeBagCount] = |
293 | safeContentsCtx->currentSafeBag = |
294 | PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeBag)(sec_PKCS12SafeBag *)PORT_ArenaZAlloc_Util(p12dcx->arena, sizeof (sec_PKCS12SafeBag)); |
295 | if (!safeContentsCtx->currentSafeBag) { |
296 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
297 | goto loser; |
298 | } |
299 | p12dcx->safeBags[++p12dcx->safeBagCount] = NULL((void*)0); |
300 | |
301 | safeContentsCtx->currentSafeBag->slot = safeContentsCtx->p12dcx->slot; |
302 | safeContentsCtx->currentSafeBag->pwitem = safeContentsCtx->p12dcx->pwitem; |
303 | safeContentsCtx->currentSafeBag->swapUnicodeBytes = |
304 | safeContentsCtx->p12dcx->swapUnicodeBytes; |
305 | safeContentsCtx->currentSafeBag->arena = safeContentsCtx->p12dcx->arena; |
306 | safeContentsCtx->currentSafeBag->tokenCAs = |
307 | safeContentsCtx->p12dcx->tokenCAs; |
308 | |
309 | PORT_ArenaUnmarkPORT_ArenaUnmark_Util(p12dcx->arena, mark); |
310 | return SECSuccess; |
311 | |
312 | loser: |
313 | |
314 | /* if an error occurred, release the memory and set the error flag |
315 | * the only possible errors triggered by this function are memory |
316 | * related. |
317 | */ |
318 | if (mark) { |
319 | PORT_ArenaReleasePORT_ArenaRelease_Util(p12dcx->arena, mark); |
320 | } |
321 | |
322 | p12dcx->error = PR_TRUE1; |
323 | return SECFailure; |
324 | } |
325 | |
326 | /* A wrapper for updating the ASN1 context in which a safeBag is |
327 | * being decoded. This function is called as a callback from |
328 | * secasn1d when decoding SafeContents structures. |
329 | */ |
330 | static void |
331 | sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, |
332 | unsigned long len, int depth, |
333 | SEC_ASN1EncodingPart data_kind) |
334 | { |
335 | sec_PKCS12SafeContentsContext *safeContentsCtx = |
336 | (sec_PKCS12SafeContentsContext *)arg; |
337 | SEC_PKCS12DecoderContext *p12dcx; |
338 | SECStatus rv; |
339 | |
340 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { |
341 | return; |
342 | } |
343 | p12dcx = safeContentsCtx->p12dcx; |
344 | |
345 | /* make sure that there are no errors and we are not skipping the current safeBag */ |
346 | if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { |
347 | goto loser; |
348 | } |
349 | |
350 | rv = SEC_ASN1DecoderUpdateSEC_ASN1DecoderUpdate_Util(safeContentsCtx->currentSafeBagA1Dcx, data, len); |
351 | if (rv != SECSuccess) { |
352 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
353 | p12dcx->error = PR_TRUE1; |
354 | goto loser; |
355 | } |
356 | |
357 | /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we |
358 | * may not get another opportunity to clean up the decoder context. |
359 | */ |
360 | if (safeContentsCtx->skipCurrentSafeBag) { |
361 | goto loser; |
362 | } |
363 | |
364 | return; |
365 | |
366 | loser: |
367 | /* Finish the decoder context. Because there |
368 | * is not a way of returning an error message, it may be worth |
369 | * while to do a check higher up and finish any decoding contexts |
370 | * that are still open. |
371 | */ |
372 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->currentSafeBagA1Dcx); |
373 | safeContentsCtx->currentSafeBagA1Dcx = NULL((void*)0); |
374 | return; |
375 | } |
376 | |
377 | /* notify function for decoding safeBags. This function is |
378 | * used to filter safeBag types which are not supported, |
379 | * initiate the decoding of nested safe contents, and decode |
380 | * safeBags in general. this function is set when the decoder |
381 | * context for the safeBag is first created. |
382 | */ |
383 | static void |
384 | sec_pkcs12_decoder_safe_bag_notify(void *arg, PRBool before, |
385 | void *dest, int real_depth) |
386 | { |
387 | sec_PKCS12SafeContentsContext *safeContentsCtx = |
388 | (sec_PKCS12SafeContentsContext *)arg; |
389 | SEC_PKCS12DecoderContext *p12dcx; |
390 | sec_PKCS12SafeBag *bag; |
391 | PRBool after; |
392 | |
393 | /* if an error is encountered, return */ |
394 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || |
395 | safeContentsCtx->p12dcx->error) { |
396 | return; |
397 | } |
398 | p12dcx = safeContentsCtx->p12dcx; |
399 | |
400 | /* to make things more readable */ |
401 | if (before) |
402 | after = PR_FALSE0; |
403 | else |
404 | after = PR_TRUE1; |
405 | |
406 | /* have we determined the safeBagType yet? */ |
407 | bag = safeContentsCtx->currentSafeBag; |
408 | if (bag->bagTypeTag == NULL((void*)0)) { |
409 | if (after && (dest == &(bag->safeBagType))) { |
410 | bag->bagTypeTag = SECOID_FindOIDSECOID_FindOID_Util(&(bag->safeBagType)); |
411 | if (bag->bagTypeTag == NULL((void*)0)) { |
412 | p12dcx->error = PR_TRUE1; |
413 | p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE; |
414 | } |
415 | } |
416 | return; |
417 | } |
418 | |
419 | /* process the safeBag depending on it's type. those |
420 | * which we do not support, are ignored. we start a decoding |
421 | * context for a nested safeContents. |
422 | */ |
423 | switch (bag->bagTypeTag->offset) { |
424 | case SEC_OID_PKCS12_V1_KEY_BAG_ID: |
425 | case SEC_OID_PKCS12_V1_CERT_BAG_ID: |
426 | case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: |
427 | break; |
428 | case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID: |
429 | /* if we are just starting to decode the safeContents, initialize |
430 | * a new safeContentsCtx to process it. |
431 | */ |
432 | if (before && (dest == &(bag->safeBagContent))) { |
433 | sec_pkcs12_decoder_begin_nested_safe_contents(safeContentsCtx); |
434 | } else if (after && (dest == &(bag->safeBagContent))) { |
435 | /* clean up the nested decoding */ |
436 | sec_pkcs12_decoder_finish_nested_safe_contents(safeContentsCtx); |
437 | } |
438 | break; |
439 | case SEC_OID_PKCS12_V1_CRL_BAG_ID: |
440 | case SEC_OID_PKCS12_V1_SECRET_BAG_ID: |
441 | default: |
442 | /* skip any safe bag types we don't understand or handle */ |
443 | safeContentsCtx->skipCurrentSafeBag = PR_TRUE1; |
444 | break; |
445 | } |
446 | |
447 | return; |
448 | } |
449 | |
450 | /* notify function for decoding safe contents. each entry in the |
451 | * safe contents is a safeBag which needs to be allocated and |
452 | * the decoding context initialized at the beginning and then |
453 | * the context needs to be closed and finished at the end. |
454 | * |
455 | * this function is set when the safeContents decode context is |
456 | * initialized. |
457 | */ |
458 | static void |
459 | sec_pkcs12_decoder_safe_contents_notify(void *arg, PRBool before, |
460 | void *dest, int real_depth) |
461 | { |
462 | sec_PKCS12SafeContentsContext *safeContentsCtx = |
463 | (sec_PKCS12SafeContentsContext *)arg; |
464 | SEC_PKCS12DecoderContext *p12dcx; |
465 | SECStatus rv; |
466 | |
467 | /* if there is an error we don't want to continue processing, |
468 | * just return and keep going. |
469 | */ |
470 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || |
471 | safeContentsCtx->p12dcx->error) { |
472 | return; |
473 | } |
474 | p12dcx = safeContentsCtx->p12dcx; |
475 | |
476 | /* if we are done with the current safeBag, then we need to |
477 | * finish the context and set the state variables appropriately. |
478 | */ |
479 | if (!before) { |
480 | SEC_ASN1DecoderClearFilterProcSEC_ASN1DecoderClearFilterProc_Util(safeContentsCtx->safeContentsA1Dcx); |
481 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->currentSafeBagA1Dcx); |
482 | safeContentsCtx->currentSafeBagA1Dcx = NULL((void*)0); |
483 | safeContentsCtx->skipCurrentSafeBag = PR_FALSE0; |
484 | } else { |
485 | /* we are starting a new safe bag. we need to allocate space |
486 | * for the bag and initialize the decoding context. |
487 | */ |
488 | rv = sec_pkcs12_decoder_init_new_safe_bag(safeContentsCtx); |
489 | if (rv != SECSuccess) { |
490 | goto loser; |
491 | } |
492 | |
493 | /* set up the decoder context */ |
494 | safeContentsCtx->currentSafeBagA1Dcx = |
495 | SEC_ASN1DecoderStartSEC_ASN1DecoderStart_Util(p12dcx->arena, |
496 | safeContentsCtx->currentSafeBag, |
497 | sec_PKCS12SafeBagTemplate); |
498 | if (!safeContentsCtx->currentSafeBagA1Dcx) { |
499 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
500 | goto loser; |
501 | } |
502 | |
503 | /* set the notify and filter procs so that the safe bag |
504 | * data gets sent to the proper location when decoding. |
505 | */ |
506 | SEC_ASN1DecoderSetNotifyProcSEC_ASN1DecoderSetNotifyProc_Util(safeContentsCtx->currentSafeBagA1Dcx, |
507 | sec_pkcs12_decoder_safe_bag_notify, |
508 | safeContentsCtx); |
509 | SEC_ASN1DecoderSetFilterProcSEC_ASN1DecoderSetFilterProc_Util(safeContentsCtx->safeContentsA1Dcx, |
510 | sec_pkcs12_decoder_safe_bag_update, |
511 | safeContentsCtx, PR_TRUE1); |
512 | } |
513 | |
514 | return; |
515 | |
516 | loser: |
517 | /* in the event of an error, we want to close the decoding |
518 | * context and clear the filter and notify procedures. |
519 | */ |
520 | p12dcx->error = PR_TRUE1; |
521 | |
522 | if (safeContentsCtx->currentSafeBagA1Dcx) { |
523 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->currentSafeBagA1Dcx); |
524 | safeContentsCtx->currentSafeBagA1Dcx = NULL((void*)0); |
525 | } |
526 | |
527 | SEC_ASN1DecoderClearNotifyProcSEC_ASN1DecoderClearNotifyProc_Util(safeContentsCtx->safeContentsA1Dcx); |
528 | SEC_ASN1DecoderClearFilterProcSEC_ASN1DecoderClearFilterProc_Util(safeContentsCtx->safeContentsA1Dcx); |
529 | |
530 | return; |
531 | } |
532 | |
533 | /* initialize the safeContents for decoding. this routine |
534 | * is used for authenticatedSafes as well as nested safeContents. |
535 | */ |
536 | static sec_PKCS12SafeContentsContext * |
537 | sec_pkcs12_decoder_safe_contents_init_decode(SEC_PKCS12DecoderContext *p12dcx, |
538 | PRBool nestedSafe) |
539 | { |
540 | sec_PKCS12SafeContentsContext *safeContentsCtx = NULL((void*)0); |
541 | const SEC_ASN1Template *theTemplate; |
542 | |
543 | if (!p12dcx || p12dcx->error) { |
544 | return NULL((void*)0); |
545 | } |
546 | |
547 | /* allocate a new safeContents list or grow the existing list and |
548 | * append the new safeContents onto the end. |
549 | */ |
550 | p12dcx->safeContentsList = (!p12dcx->safeContentsCnt) |
551 | ? PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeContentsContext *, 2)(sec_PKCS12SafeContentsContext * *)PORT_ArenaZAlloc_Util(p12dcx ->arena, sizeof(sec_PKCS12SafeContentsContext *) * (2)) |
552 | : PORT_ArenaGrowArray(p12dcx->arena, p12dcx->safeContentsList,(sec_PKCS12SafeContentsContext * *)PORT_ArenaGrow_Util((p12dcx ->arena), (p12dcx->safeContentsList), (1 + p12dcx->safeContentsCnt ) * sizeof(sec_PKCS12SafeContentsContext *), (2 + p12dcx-> safeContentsCnt) * sizeof(sec_PKCS12SafeContentsContext *)) |
553 | sec_PKCS12SafeContentsContext *,(sec_PKCS12SafeContentsContext * *)PORT_ArenaGrow_Util((p12dcx ->arena), (p12dcx->safeContentsList), (1 + p12dcx->safeContentsCnt ) * sizeof(sec_PKCS12SafeContentsContext *), (2 + p12dcx-> safeContentsCnt) * sizeof(sec_PKCS12SafeContentsContext *)) |
554 | 1 + p12dcx->safeContentsCnt,(sec_PKCS12SafeContentsContext * *)PORT_ArenaGrow_Util((p12dcx ->arena), (p12dcx->safeContentsList), (1 + p12dcx->safeContentsCnt ) * sizeof(sec_PKCS12SafeContentsContext *), (2 + p12dcx-> safeContentsCnt) * sizeof(sec_PKCS12SafeContentsContext *)) |
555 | 2 + p12dcx->safeContentsCnt)(sec_PKCS12SafeContentsContext * *)PORT_ArenaGrow_Util((p12dcx ->arena), (p12dcx->safeContentsList), (1 + p12dcx->safeContentsCnt ) * sizeof(sec_PKCS12SafeContentsContext *), (2 + p12dcx-> safeContentsCnt) * sizeof(sec_PKCS12SafeContentsContext *)); |
556 | |
557 | if (!p12dcx->safeContentsList) { |
558 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
559 | goto loser; |
560 | } |
561 | |
562 | p12dcx->safeContentsList[p12dcx->safeContentsCnt] = safeContentsCtx = |
563 | PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeContentsContext)(sec_PKCS12SafeContentsContext *)PORT_ArenaZAlloc_Util(p12dcx ->arena, sizeof(sec_PKCS12SafeContentsContext)); |
564 | if (!p12dcx->safeContentsList[p12dcx->safeContentsCnt]) { |
565 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
566 | goto loser; |
567 | } |
568 | p12dcx->safeContentsList[++p12dcx->safeContentsCnt] = NULL((void*)0); |
569 | |
570 | /* set up the state variables */ |
571 | safeContentsCtx->p12dcx = p12dcx; |
572 | safeContentsCtx->arena = p12dcx->arena; |
573 | |
574 | /* begin the decoding -- the template is based on whether we are |
575 | * decoding a nested safeContents or not. |
576 | */ |
577 | if (nestedSafe == PR_TRUE1) { |
578 | theTemplate = sec_PKCS12NestedSafeContentsDecodeTemplate; |
579 | } else { |
580 | theTemplate = sec_PKCS12SafeContentsDecodeTemplate; |
581 | } |
582 | |
583 | /* start the decoder context */ |
584 | safeContentsCtx->safeContentsA1Dcx = SEC_ASN1DecoderStartSEC_ASN1DecoderStart_Util(p12dcx->arena, |
585 | &safeContentsCtx->safeContents, |
586 | theTemplate); |
587 | |
588 | if (!safeContentsCtx->safeContentsA1Dcx) { |
589 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
590 | goto loser; |
591 | } |
592 | |
593 | /* set the safeContents notify procedure to look for |
594 | * and start the decode of safeBags. |
595 | */ |
596 | SEC_ASN1DecoderSetNotifyProcSEC_ASN1DecoderSetNotifyProc_Util(safeContentsCtx->safeContentsA1Dcx, |
597 | sec_pkcs12_decoder_safe_contents_notify, |
598 | safeContentsCtx); |
599 | |
600 | return safeContentsCtx; |
601 | |
602 | loser: |
603 | /* in the case of an error, we want to finish the decoder |
604 | * context and set the error flag. |
605 | */ |
606 | if (safeContentsCtx && safeContentsCtx->safeContentsA1Dcx) { |
607 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->safeContentsA1Dcx); |
608 | safeContentsCtx->safeContentsA1Dcx = NULL((void*)0); |
609 | } |
610 | |
611 | p12dcx->error = PR_TRUE1; |
612 | |
613 | return NULL((void*)0); |
614 | } |
615 | |
616 | /* wrapper for updating safeContents. this is set as the filter of |
617 | * safeBag when there is a nested safeContents. |
618 | */ |
619 | static void |
620 | sec_pkcs12_decoder_nested_safe_contents_update(void *arg, const char *buf, |
621 | unsigned long len, int depth, |
622 | SEC_ASN1EncodingPart data_kind) |
623 | { |
624 | sec_PKCS12SafeContentsContext *safeContentsCtx = |
625 | (sec_PKCS12SafeContentsContext *)arg; |
626 | SEC_PKCS12DecoderContext *p12dcx; |
627 | SECStatus rv; |
628 | |
629 | /* check for an error */ |
630 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || |
631 | safeContentsCtx->p12dcx->error || !safeContentsCtx->safeContentsA1Dcx) { |
632 | return; |
633 | } |
634 | |
635 | /* no need to update if no data sent in */ |
636 | if (!len || !buf) { |
637 | return; |
638 | } |
639 | |
640 | /* update the decoding context */ |
641 | p12dcx = safeContentsCtx->p12dcx; |
642 | rv = SEC_ASN1DecoderUpdateSEC_ASN1DecoderUpdate_Util(safeContentsCtx->safeContentsA1Dcx, buf, len); |
643 | if (rv != SECSuccess) { |
644 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
645 | goto loser; |
646 | } |
647 | |
648 | return; |
649 | |
650 | loser: |
651 | /* handle any errors. If a decoding context is open, close it. */ |
652 | p12dcx->error = PR_TRUE1; |
653 | if (safeContentsCtx->safeContentsA1Dcx) { |
654 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->safeContentsA1Dcx); |
655 | safeContentsCtx->safeContentsA1Dcx = NULL((void*)0); |
656 | } |
657 | } |
658 | |
659 | /* whenever a new safeContentsSafeBag is encountered, we need |
660 | * to init a safeContentsContext. |
661 | */ |
662 | static SECStatus |
663 | sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext |
664 | *safeContentsCtx) |
665 | { |
666 | /* check for an error */ |
667 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || |
668 | safeContentsCtx->p12dcx->error) { |
669 | return SECFailure; |
670 | } |
671 | |
672 | safeContentsCtx->nestedSafeContentsCtx = |
673 | sec_pkcs12_decoder_safe_contents_init_decode(safeContentsCtx->p12dcx, |
674 | PR_TRUE1); |
675 | if (!safeContentsCtx->nestedSafeContentsCtx) { |
676 | return SECFailure; |
677 | } |
678 | |
679 | /* set up new filter proc */ |
680 | SEC_ASN1DecoderSetNotifyProcSEC_ASN1DecoderSetNotifyProc_Util( |
681 | safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx, |
682 | sec_pkcs12_decoder_safe_contents_notify, |
683 | safeContentsCtx->nestedSafeContentsCtx); |
684 | |
685 | SEC_ASN1DecoderSetFilterProcSEC_ASN1DecoderSetFilterProc_Util(safeContentsCtx->currentSafeBagA1Dcx, |
686 | sec_pkcs12_decoder_nested_safe_contents_update, |
687 | safeContentsCtx->nestedSafeContentsCtx, |
688 | PR_TRUE1); |
689 | |
690 | return SECSuccess; |
691 | } |
692 | |
693 | /* when the safeContents is done decoding, we need to reset the |
694 | * proper filter and notify procs and close the decoding context |
695 | */ |
696 | static SECStatus |
697 | sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext |
698 | *safeContentsCtx) |
699 | { |
700 | /* check for error */ |
701 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || |
702 | safeContentsCtx->p12dcx->error) { |
703 | return SECFailure; |
704 | } |
705 | |
706 | /* clean up */ |
707 | SEC_ASN1DecoderClearFilterProcSEC_ASN1DecoderClearFilterProc_Util(safeContentsCtx->currentSafeBagA1Dcx); |
708 | SEC_ASN1DecoderClearNotifyProcSEC_ASN1DecoderClearNotifyProc_Util( |
709 | safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx); |
710 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util( |
711 | safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx); |
712 | safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx = NULL((void*)0); |
713 | safeContentsCtx->nestedSafeContentsCtx = NULL((void*)0); |
714 | |
715 | return SECSuccess; |
716 | } |
717 | |
718 | /* wrapper for updating safeContents. This is used when decoding |
719 | * the nested safeContents and any authenticatedSafes. |
720 | */ |
721 | static void |
722 | sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf, |
723 | unsigned long len) |
724 | { |
725 | SECStatus rv; |
726 | sec_PKCS12SafeContentsContext *safeContentsCtx = |
727 | (sec_PKCS12SafeContentsContext *)arg; |
728 | SEC_PKCS12DecoderContext *p12dcx; |
729 | |
730 | /* check for error */ |
731 | if (!safeContentsCtx || !safeContentsCtx->p12dcx || |
732 | safeContentsCtx->p12dcx->error || !safeContentsCtx->safeContentsA1Dcx) { |
733 | return; |
734 | } |
735 | p12dcx = safeContentsCtx->p12dcx; |
736 | |
737 | /* update the decoder */ |
738 | rv = SEC_ASN1DecoderUpdateSEC_ASN1DecoderUpdate_Util(safeContentsCtx->safeContentsA1Dcx, buf, len); |
739 | if (rv != SECSuccess) { |
740 | /* if we fail while trying to decode a 'safe', it's probably because |
741 | * we didn't have the correct password. */ |
742 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_BAD_PASSWORD); |
743 | p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE; |
744 | SEC_PKCS7DecoderAbort(p12dcx->currentASafeP7Dcx, SEC_ERROR_BAD_PASSWORD); |
745 | goto loser; |
746 | } |
747 | |
748 | return; |
749 | |
750 | loser: |
751 | /* set the error and finish the context */ |
752 | p12dcx->error = PR_TRUE1; |
753 | if (safeContentsCtx->safeContentsA1Dcx) { |
754 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->safeContentsA1Dcx); |
755 | safeContentsCtx->safeContentsA1Dcx = NULL((void*)0); |
756 | } |
757 | |
758 | return; |
759 | } |
760 | |
761 | /* this is a wrapper for the ASN1 decoder to call SEC_PKCS7DecoderUpdate |
762 | */ |
763 | static void |
764 | sec_pkcs12_decoder_wrap_p7_update(void *arg, const char *data, |
765 | unsigned long len, int depth, |
766 | SEC_ASN1EncodingPart data_kind) |
767 | { |
768 | SEC_PKCS7DecoderContext *p7dcx = (SEC_PKCS7DecoderContext *)arg; |
769 | |
770 | SEC_PKCS7DecoderUpdate(p7dcx, data, len); |
771 | } |
772 | |
773 | /* notify function for decoding aSafes. at the beginning, |
774 | * of an authenticatedSafe, we start a decode of a safeContents. |
775 | * at the end, we clean up the safeContents decoder context and |
776 | * reset state variables |
777 | */ |
778 | static void |
779 | sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest, |
780 | int real_depth) |
781 | { |
782 | SEC_PKCS12DecoderContext *p12dcx; |
783 | sec_PKCS12SafeContentsContext *safeContentsCtx; |
784 | |
785 | /* make sure no error occurred. */ |
786 | p12dcx = (SEC_PKCS12DecoderContext *)arg; |
787 | if (!p12dcx || p12dcx->error) { |
788 | return; |
789 | } |
790 | |
791 | if (before) { |
792 | |
793 | /* init a new safeContentsContext */ |
794 | safeContentsCtx = sec_pkcs12_decoder_safe_contents_init_decode(p12dcx, |
795 | PR_FALSE0); |
796 | if (!safeContentsCtx) { |
797 | goto loser; |
798 | } |
799 | |
800 | /* initiate the PKCS7ContentInfo decode */ |
801 | p12dcx->currentASafeP7Dcx = SEC_PKCS7DecoderStart( |
802 | sec_pkcs12_decoder_safe_contents_callback, |
803 | safeContentsCtx, |
804 | p12dcx->pwfn, p12dcx->pwfnarg, |
805 | sec_pkcs12_decoder_get_decrypt_key, p12dcx, |
806 | sec_pkcs12_decoder_decryption_allowed); |
807 | if (!p12dcx->currentASafeP7Dcx) { |
808 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
809 | goto loser; |
810 | } |
811 | SEC_ASN1DecoderSetFilterProcSEC_ASN1DecoderSetFilterProc_Util(p12dcx->aSafeA1Dcx, |
812 | sec_pkcs12_decoder_wrap_p7_update, |
813 | p12dcx->currentASafeP7Dcx, PR_TRUE1); |
814 | } |
815 | |
816 | if (!before) { |
817 | /* if one is being decoded, finish the decode */ |
818 | if (p12dcx->currentASafeP7Dcx != NULL((void*)0)) { |
819 | SEC_PKCS7ContentInfo *cinfo; |
820 | unsigned int cnt = p12dcx->safeContentsCnt - 1; |
821 | safeContentsCtx = p12dcx->safeContentsList[cnt]; |
822 | if (safeContentsCtx->safeContentsA1Dcx) { |
823 | SEC_ASN1DecoderClearFilterProcSEC_ASN1DecoderClearFilterProc_Util(p12dcx->aSafeA1Dcx); |
824 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->safeContentsA1Dcx); |
825 | safeContentsCtx->safeContentsA1Dcx = NULL((void*)0); |
826 | } |
827 | cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx); |
828 | p12dcx->currentASafeP7Dcx = NULL((void*)0); |
829 | if (!cinfo) { |
830 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
831 | goto loser; |
832 | } |
833 | SEC_PKCS7DestroyContentInfo(cinfo); /* don't leak it */ |
834 | } |
835 | } |
836 | |
837 | return; |
838 | |
839 | loser: |
840 | /* set the error flag */ |
841 | p12dcx->error = PR_TRUE1; |
842 | return; |
843 | } |
844 | |
845 | /* wrapper for updating asafes decoding context. this function |
846 | * writes data being decoded to disk, so that a mac can be computed |
847 | * later. |
848 | */ |
849 | static void |
850 | sec_pkcs12_decoder_asafes_callback(void *arg, const char *buf, |
851 | unsigned long len) |
852 | { |
853 | SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; |
854 | SECStatus rv; |
855 | |
856 | if (!p12dcx || p12dcx->error) { |
857 | return; |
858 | } |
859 | |
860 | /* update the context */ |
861 | rv = SEC_ASN1DecoderUpdateSEC_ASN1DecoderUpdate_Util(p12dcx->aSafeA1Dcx, buf, len); |
862 | if (rv != SECSuccess) { |
863 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
864 | p12dcx->error = PR_TRUE1; |
865 | goto loser; |
866 | } |
867 | |
868 | /* if we are writing to a file, write out the new information */ |
869 | if (p12dcx->dWrite) { |
870 | unsigned long writeLen = (*p12dcx->dWrite)(p12dcx->dArg, |
871 | (unsigned char *)buf, len); |
872 | if (writeLen != len) { |
873 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
874 | goto loser; |
875 | } |
876 | } |
877 | |
878 | return; |
879 | |
880 | loser: |
881 | /* set the error flag */ |
882 | p12dcx->error = PR_TRUE1; |
883 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(p12dcx->aSafeA1Dcx); |
884 | p12dcx->aSafeA1Dcx = NULL((void*)0); |
885 | |
886 | return; |
887 | } |
888 | |
889 | /* start the decode of an authenticatedSafe contentInfo. |
890 | */ |
891 | static SECStatus |
892 | sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx) |
893 | { |
894 | if (!p12dcx || p12dcx->error) { |
895 | return SECFailure; |
896 | } |
897 | |
898 | /* start the decode context */ |
899 | p12dcx->aSafeA1Dcx = SEC_ASN1DecoderStartSEC_ASN1DecoderStart_Util(p12dcx->arena, |
900 | &p12dcx->authSafe, |
901 | sec_PKCS12AuthenticatedSafeTemplate); |
902 | if (!p12dcx->aSafeA1Dcx) { |
903 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
904 | goto loser; |
905 | } |
906 | |
907 | /* set the notify function */ |
908 | SEC_ASN1DecoderSetNotifyProcSEC_ASN1DecoderSetNotifyProc_Util(p12dcx->aSafeA1Dcx, |
909 | sec_pkcs12_decoder_asafes_notify, p12dcx); |
910 | |
911 | /* begin the authSafe decoder context */ |
912 | p12dcx->aSafeP7Dcx = SEC_PKCS7DecoderStart( |
913 | sec_pkcs12_decoder_asafes_callback, p12dcx, |
914 | p12dcx->pwfn, p12dcx->pwfnarg, NULL((void*)0), NULL((void*)0), NULL((void*)0)); |
915 | if (!p12dcx->aSafeP7Dcx) { |
916 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
917 | goto loser; |
918 | } |
919 | |
920 | /* open the temp file for writing, if the digest functions were set */ |
921 | if (p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE0) != SECSuccess) { |
922 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
923 | goto loser; |
924 | } |
925 | /* dOpen(dArg, PR_FALSE) creates the temp file */ |
926 | p12dcx->dIsOpen = PR_TRUE1; |
927 | |
928 | return SECSuccess; |
929 | |
930 | loser: |
931 | p12dcx->error = PR_TRUE1; |
932 | |
933 | if (p12dcx->aSafeA1Dcx) { |
934 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(p12dcx->aSafeA1Dcx); |
935 | p12dcx->aSafeA1Dcx = NULL((void*)0); |
936 | } |
937 | |
938 | if (p12dcx->aSafeP7Dcx) { |
939 | SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx); |
940 | p12dcx->aSafeP7Dcx = NULL((void*)0); |
941 | } |
942 | |
943 | return SECFailure; |
944 | } |
945 | |
946 | /* wrapper for updating the safeContents. this function is used as |
947 | * a filter for the pfx when decoding the authenticated safes |
948 | */ |
949 | static void |
950 | sec_pkcs12_decode_asafes_cinfo_update(void *arg, const char *buf, |
951 | unsigned long len, int depth, |
952 | SEC_ASN1EncodingPart data_kind) |
953 | { |
954 | SEC_PKCS12DecoderContext *p12dcx; |
955 | SECStatus rv; |
956 | |
957 | p12dcx = (SEC_PKCS12DecoderContext *)arg; |
958 | if (!p12dcx || p12dcx->error) { |
959 | return; |
960 | } |
961 | |
962 | /* update the safeContents decoder */ |
963 | rv = SEC_PKCS7DecoderUpdate(p12dcx->aSafeP7Dcx, buf, len); |
964 | if (rv != SECSuccess) { |
965 | p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE; |
966 | goto loser; |
967 | } |
968 | |
969 | return; |
970 | |
971 | loser: |
972 | |
973 | /* did we find an error? if so, close the context and set the |
974 | * error flag. |
975 | */ |
976 | SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx); |
977 | p12dcx->aSafeP7Dcx = NULL((void*)0); |
978 | p12dcx->error = PR_TRUE1; |
979 | } |
980 | |
981 | /* notify procedure used while decoding the pfx. When we encounter |
982 | * the authSafes, we want to trigger the decoding of authSafes as well |
983 | * as when we encounter the macData, trigger the decoding of it. we do |
984 | * this because we we are streaming the decoder and not decoding in place. |
985 | * the pfx which is the destination, only has the version decoded into it. |
986 | */ |
987 | static void |
988 | sec_pkcs12_decoder_pfx_notify_proc(void *arg, PRBool before, void *dest, |
989 | int real_depth) |
990 | { |
991 | SECStatus rv; |
992 | SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; |
993 | |
994 | /* if an error occurs, clear the notifyProc and the filterProc |
995 | * and continue. |
996 | */ |
997 | if (p12dcx->error) { |
998 | SEC_ASN1DecoderClearNotifyProcSEC_ASN1DecoderClearNotifyProc_Util(p12dcx->pfxA1Dcx); |
999 | SEC_ASN1DecoderClearFilterProcSEC_ASN1DecoderClearFilterProc_Util(p12dcx->pfxA1Dcx); |
1000 | return; |
1001 | } |
1002 | |
1003 | if (before && (dest == &p12dcx->pfx.encodedAuthSafe)) { |
1004 | |
1005 | /* we want to make sure this is a version we support */ |
1006 | if (!sec_pkcs12_proper_version(&p12dcx->pfx)) { |
1007 | p12dcx->errorValue = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION; |
1008 | goto loser; |
1009 | } |
1010 | |
1011 | /* start the decode of the aSafes cinfo... */ |
1012 | rv = sec_pkcs12_decode_start_asafes_cinfo(p12dcx); |
1013 | if (rv != SECSuccess) { |
1014 | goto loser; |
1015 | } |
1016 | |
1017 | /* set the filter proc to update the authenticated safes. */ |
1018 | SEC_ASN1DecoderSetFilterProcSEC_ASN1DecoderSetFilterProc_Util(p12dcx->pfxA1Dcx, |
1019 | sec_pkcs12_decode_asafes_cinfo_update, |
1020 | p12dcx, PR_TRUE1); |
1021 | } |
1022 | |
1023 | if (!before && (dest == &p12dcx->pfx.encodedAuthSafe)) { |
1024 | |
1025 | /* we are done decoding the authenticatedSafes, so we need to |
1026 | * finish the decoderContext and clear the filter proc |
1027 | * and close the hmac callback, if present |
1028 | */ |
1029 | p12dcx->aSafeCinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx); |
1030 | p12dcx->aSafeP7Dcx = NULL((void*)0); |
1031 | if (!p12dcx->aSafeCinfo) { |
1032 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
1033 | goto loser; |
1034 | } |
1035 | SEC_ASN1DecoderClearFilterProcSEC_ASN1DecoderClearFilterProc_Util(p12dcx->pfxA1Dcx); |
1036 | if (p12dcx->dClose && ((*p12dcx->dClose)(p12dcx->dArg, PR_FALSE0) != SECSuccess)) { |
1037 | p12dcx->errorValue = PORT_GetErrorPORT_GetError_Util(); |
1038 | goto loser; |
1039 | } |
1040 | } |
1041 | |
1042 | return; |
1043 | |
1044 | loser: |
1045 | p12dcx->error = PR_TRUE1; |
1046 | } |
1047 | |
1048 | /* default implementations of the open/close/read/write functions for |
1049 | SEC_PKCS12DecoderStart |
1050 | */ |
1051 | |
1052 | #define DEFAULT_TEMP_SIZE4096 4096 |
1053 | |
1054 | static SECStatus |
1055 | p12u_DigestOpen(void *arg, PRBool readData) |
1056 | { |
1057 | SEC_PKCS12DecoderContext *p12cxt = arg; |
1058 | |
1059 | p12cxt->currentpos = 0; |
1060 | |
1061 | if (PR_FALSE0 == readData) { |
1062 | /* allocate an initial buffer */ |
1063 | p12cxt->filesize = 0; |
1064 | p12cxt->allocated = DEFAULT_TEMP_SIZE4096; |
1065 | p12cxt->buffer = PORT_AllocPORT_Alloc_Util(DEFAULT_TEMP_SIZE4096); |
1066 | PR_ASSERT(p12cxt->buffer)((p12cxt->buffer)?((void)0):PR_Assert("p12cxt->buffer", "p12d.c",1066)); |
1067 | } else { |
1068 | PR_ASSERT(p12cxt->buffer)((p12cxt->buffer)?((void)0):PR_Assert("p12cxt->buffer", "p12d.c",1068)); |
1069 | if (!p12cxt->buffer) { |
1070 | return SECFailure; /* no data to read */ |
1071 | } |
1072 | } |
1073 | |
1074 | return SECSuccess; |
1075 | } |
1076 | |
1077 | static SECStatus |
1078 | p12u_DigestClose(void *arg, PRBool removeFile) |
1079 | { |
1080 | SEC_PKCS12DecoderContext *p12cxt = arg; |
1081 | |
1082 | PR_ASSERT(p12cxt)((p12cxt)?((void)0):PR_Assert("p12cxt","p12d.c",1082)); |
1083 | if (!p12cxt) { |
1084 | return SECFailure; |
1085 | } |
1086 | p12cxt->currentpos = 0; |
1087 | |
1088 | if (PR_TRUE1 == removeFile) { |
1089 | PR_ASSERT(p12cxt->buffer)((p12cxt->buffer)?((void)0):PR_Assert("p12cxt->buffer", "p12d.c",1089)); |
1090 | if (!p12cxt->buffer) { |
1091 | return SECFailure; |
1092 | } |
1093 | if (p12cxt->buffer) { |
1094 | PORT_FreePORT_Free_Util(p12cxt->buffer); |
1095 | p12cxt->buffer = NULL((void*)0); |
1096 | p12cxt->allocated = 0; |
1097 | p12cxt->filesize = 0; |
1098 | } |
1099 | } |
1100 | |
1101 | return SECSuccess; |
1102 | } |
1103 | |
1104 | static int |
1105 | p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len) |
1106 | { |
1107 | int toread = len; |
1108 | SEC_PKCS12DecoderContext *p12cxt = arg; |
1109 | |
1110 | if (!buf || len == 0 || !p12cxt->buffer) { |
1111 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1112 | return -1; |
1113 | } |
1114 | |
1115 | if ((p12cxt->filesize - p12cxt->currentpos) < (long)len) { |
1116 | /* trying to read past the end of the buffer */ |
1117 | toread = p12cxt->filesize - p12cxt->currentpos; |
1118 | } |
1119 | memcpy(buf, (char *)p12cxt->buffer + p12cxt->currentpos, toread); |
1120 | p12cxt->currentpos += toread; |
1121 | return toread; |
1122 | } |
1123 | |
1124 | static int |
1125 | p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len) |
1126 | { |
1127 | SEC_PKCS12DecoderContext *p12cxt = arg; |
1128 | |
1129 | if (!buf || len == 0) { |
1130 | return -1; |
1131 | } |
1132 | |
1133 | if (p12cxt->currentpos + (long)len > p12cxt->filesize) { |
1134 | p12cxt->filesize = p12cxt->currentpos + len; |
1135 | } else { |
1136 | p12cxt->filesize += len; |
1137 | } |
1138 | if (p12cxt->filesize > p12cxt->allocated) { |
1139 | void *newbuffer; |
1140 | size_t newsize = p12cxt->filesize + DEFAULT_TEMP_SIZE4096; |
1141 | newbuffer = PORT_ReallocPORT_Realloc_Util(p12cxt->buffer, newsize); |
1142 | if (NULL((void*)0) == newbuffer) { |
1143 | return -1; /* can't extend the buffer */ |
1144 | } |
1145 | p12cxt->buffer = newbuffer; |
1146 | p12cxt->allocated = newsize; |
1147 | } |
1148 | PR_ASSERT(p12cxt->buffer)((p12cxt->buffer)?((void)0):PR_Assert("p12cxt->buffer", "p12d.c",1148)); |
1149 | memcpy((char *)p12cxt->buffer + p12cxt->currentpos, buf, len); |
1150 | p12cxt->currentpos += len; |
1151 | return len; |
1152 | } |
1153 | |
1154 | /* SEC_PKCS12DecoderStart |
1155 | * Creates a decoder context for decoding a PKCS 12 PDU objct. |
1156 | * This function sets up the initial decoding context for the |
1157 | * PFX and sets the needed state variables. |
1158 | * |
1159 | * pwitem - the password for the hMac and any encoded safes. |
1160 | * this should be changed to take a callback which retrieves |
1161 | * the password. it may be possible for different safes to |
1162 | * have different passwords. also, the password is already |
1163 | * in unicode. it should probably be converted down below via |
1164 | * a unicode conversion callback. |
1165 | * slot - the slot to import the dataa into should multiple slots |
1166 | * be supported based on key type and cert type? |
1167 | * dOpen, dClose, dRead, dWrite - digest routines for writing data |
1168 | * to a file so it could be read back and the hmac recomputed |
1169 | * and verified. doesn't seem to be a way for both encoding |
1170 | * and decoding to be single pass, thus the need for these |
1171 | * routines. |
1172 | * dArg - the argument for dOpen, etc. |
1173 | * |
1174 | * if NULL == dOpen == dClose == dRead == dWrite == dArg, then default |
1175 | * implementations using a memory buffer are used |
1176 | * |
1177 | * This function returns the decoder context, if it was successful. |
1178 | * Otherwise, null is returned. |
1179 | */ |
1180 | SEC_PKCS12DecoderContext * |
1181 | SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx, |
1182 | digestOpenFn dOpen, digestCloseFn dClose, |
1183 | digestIOFn dRead, digestIOFn dWrite, void *dArg) |
1184 | { |
1185 | SEC_PKCS12DecoderContext *p12dcx; |
1186 | PLArenaPool *arena; |
1187 | PRInt32 forceUnicode = PR_FALSE0; |
1188 | SECStatus rv; |
1189 | |
1190 | arena = PORT_NewArenaPORT_NewArena_Util(2048); /* different size? */ |
1191 | if (!arena) { |
1192 | return NULL((void*)0); /* error is already set */ |
1193 | } |
1194 | |
1195 | /* allocate the decoder context and set the state variables */ |
1196 | p12dcx = PORT_ArenaZNew(arena, SEC_PKCS12DecoderContext)(SEC_PKCS12DecoderContext *)PORT_ArenaZAlloc_Util(arena, sizeof (SEC_PKCS12DecoderContext)); |
1197 | if (!p12dcx) { |
1198 | goto loser; /* error is already set */ |
1199 | } |
1200 | |
1201 | if (!dOpen && !dClose && !dRead && !dWrite && !dArg) { |
1202 | /* use default implementations */ |
1203 | dOpen = p12u_DigestOpen; |
1204 | dClose = p12u_DigestClose; |
1205 | dRead = p12u_DigestRead; |
1206 | dWrite = p12u_DigestWrite; |
1207 | dArg = (void *)p12dcx; |
1208 | } |
1209 | |
1210 | p12dcx->arena = arena; |
1211 | p12dcx->pwitem = pwitem; |
1212 | p12dcx->slot = (slot ? PK11_ReferenceSlot(slot) |
1213 | : PK11_GetInternalKeySlot()); |
1214 | p12dcx->wincx = wincx; |
1215 | p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs; |
1216 | #ifdef IS_LITTLE_ENDIAN1 |
1217 | p12dcx->swapUnicodeBytes = PR_TRUE1; |
1218 | #else |
1219 | p12dcx->swapUnicodeBytes = PR_FALSE0; |
1220 | #endif |
1221 | rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE0x00c, &forceUnicode); |
1222 | if (rv != SECSuccess) { |
1223 | goto loser; |
1224 | } |
1225 | p12dcx->forceUnicode = forceUnicode; |
1226 | p12dcx->errorValue = 0; |
1227 | p12dcx->error = PR_FALSE0; |
1228 | |
1229 | /* start the decoding of the PFX and set the notify proc |
1230 | * for the PFX item. |
1231 | */ |
1232 | p12dcx->pfxA1Dcx = SEC_ASN1DecoderStartSEC_ASN1DecoderStart_Util(p12dcx->arena, &p12dcx->pfx, |
1233 | sec_PKCS12PFXItemTemplate); |
1234 | if (!p12dcx->pfxA1Dcx) { |
1235 | PK11_FreeSlot(p12dcx->slot); |
1236 | goto loser; |
1237 | } |
1238 | |
1239 | SEC_ASN1DecoderSetNotifyProcSEC_ASN1DecoderSetNotifyProc_Util(p12dcx->pfxA1Dcx, |
1240 | sec_pkcs12_decoder_pfx_notify_proc, |
1241 | p12dcx); |
1242 | |
1243 | /* set up digest functions */ |
1244 | p12dcx->dOpen = dOpen; |
1245 | p12dcx->dWrite = dWrite; |
1246 | p12dcx->dClose = dClose; |
1247 | p12dcx->dRead = dRead; |
1248 | p12dcx->dArg = dArg; |
1249 | p12dcx->dIsOpen = PR_FALSE0; |
1250 | |
1251 | p12dcx->keyList = NULL((void*)0); |
1252 | p12dcx->decitem.type = 0; |
1253 | p12dcx->decitem.der = NULL((void*)0); |
1254 | p12dcx->decitem.hasKey = PR_FALSE0; |
1255 | p12dcx->decitem.friendlyName = NULL((void*)0); |
1256 | p12dcx->iteration = 0; |
1257 | |
1258 | return p12dcx; |
1259 | |
1260 | loser: |
1261 | PORT_FreeArenaPORT_FreeArena_Util(arena, PR_TRUE1); |
1262 | return NULL((void*)0); |
1263 | } |
1264 | |
1265 | SECStatus |
1266 | SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx, |
1267 | SECPKCS12TargetTokenCAs tokenCAs) |
1268 | { |
1269 | if (!p12dcx || p12dcx->error) { |
1270 | return SECFailure; |
1271 | } |
1272 | p12dcx->tokenCAs = tokenCAs; |
1273 | return SECSuccess; |
1274 | } |
1275 | |
1276 | /* SEC_PKCS12DecoderUpdate |
1277 | * Streaming update sending more data to the decoder. If |
1278 | * an error occurs, SECFailure is returned. |
1279 | * |
1280 | * p12dcx - the decoder context |
1281 | * data, len - the data buffer and length of data to send to |
1282 | * the update functions. |
1283 | */ |
1284 | SECStatus |
1285 | SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx, |
1286 | unsigned char *data, unsigned long len) |
1287 | { |
1288 | SECStatus rv; |
1289 | |
1290 | if (!p12dcx || p12dcx->error) { |
1291 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1292 | return SECFailure; |
1293 | } |
1294 | |
1295 | /* update the PFX decoder context */ |
1296 | rv = SEC_ASN1DecoderUpdateSEC_ASN1DecoderUpdate_Util(p12dcx->pfxA1Dcx, (const char *)data, len); |
1297 | if (rv != SECSuccess) { |
1298 | p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE; |
1299 | goto loser; |
1300 | } |
1301 | |
1302 | return SECSuccess; |
1303 | |
1304 | loser: |
1305 | |
1306 | p12dcx->error = PR_TRUE1; |
1307 | return SECFailure; |
1308 | } |
1309 | |
1310 | /* This should be a nice sized buffer for reading in data (potentially large |
1311 | ** amounts) to be MACed. It should be MUCH larger than HASH_LENGTH_MAX. |
1312 | */ |
1313 | #define IN_BUF_LEN1024 1024 |
1314 | #ifdef DEBUG1 |
1315 | static const char bufferEnd[] = { "BufferEnd" }; |
1316 | #endif |
1317 | #define FUDGE128 128 /* must be as large as bufferEnd or more. */ |
1318 | |
1319 | /* verify the hmac by reading the data from the temporary file |
1320 | * using the routines specified when the decodingContext was |
1321 | * created and return SECSuccess if the hmac matches. |
1322 | */ |
1323 | static SECStatus |
1324 | sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) |
1325 | { |
1326 | PK11Context *pk11cx = NULL((void*)0); |
1327 | PK11SymKey *symKey = NULL((void*)0); |
1328 | SECItem *params = NULL((void*)0); |
1329 | unsigned char *buf; |
1330 | SECStatus rv = SECFailure; |
1331 | SECStatus lrv; |
1332 | unsigned int bufLen; |
1333 | int iteration; |
1334 | int bytesRead; |
1335 | SECOidTag algtag; |
1336 | SECItem hmacRes; |
1337 | SECItem ignore = { 0 }; |
1338 | CK_MECHANISM_TYPE integrityMech; |
1339 | |
1340 | if (!p12dcx || p12dcx->error) { |
1341 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1342 | return SECFailure; |
1343 | } |
1344 | buf = (unsigned char *)PORT_AllocPORT_Alloc_Util(IN_BUF_LEN1024 + FUDGE128); |
1345 | if (!buf) |
1346 | return SECFailure; /* error code has been set. */ |
1347 | |
1348 | #ifdef DEBUG1 |
1349 | memcpy(buf + IN_BUF_LEN1024, bufferEnd, sizeof bufferEnd); |
1350 | #endif |
1351 | |
1352 | /* generate hmac key */ |
1353 | if (p12dcx->macData.iter.data) { |
1354 | iteration = (int)DER_GetIntegerDER_GetInteger_Util(&p12dcx->macData.iter); |
1355 | } else { |
1356 | iteration = 1; |
1357 | } |
1358 | |
1359 | params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem, |
1360 | iteration); |
1361 | |
1362 | algtag = SECOID_GetAlgorithmTagSECOID_GetAlgorithmTag_Util(&p12dcx->macData.safeMac.digestAlgorithm); |
1363 | integrityMech = sec_pkcs12_algtag_to_keygen_mech(algtag); |
1364 | if (integrityMech == CKM_INVALID_MECHANISM0xffffffffUL) { |
1365 | goto loser; |
1366 | } |
1367 | symKey = PK11_KeyGen(NULL((void*)0), integrityMech, params, 0, NULL((void*)0)); |
1368 | PK11_DestroyPBEParams(params); |
1369 | params = NULL((void*)0); |
1370 | if (!symKey) |
1371 | goto loser; |
1372 | /* init hmac */ |
1373 | pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag), |
1374 | CKA_SIGN0x00000108UL, symKey, &ignore); |
1375 | if (!pk11cx) { |
1376 | goto loser; |
1377 | } |
1378 | lrv = PK11_DigestBegin(pk11cx); |
1379 | if (lrv == SECFailure) { |
1380 | goto loser; |
1381 | } |
1382 | |
1383 | /* try to open the data for readback */ |
1384 | if (p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE1) != SECSuccess)) { |
1385 | goto loser; |
1386 | } |
1387 | |
1388 | /* read the data back IN_BUF_LEN bytes at a time and recompute |
1389 | * the hmac. if fewer bytes are read than are requested, it is |
1390 | * assumed that the end of file has been reached. if bytesRead |
1391 | * is returned as -1, then an error occurred reading from the |
1392 | * file. |
1393 | */ |
1394 | do { |
1395 | bytesRead = (*p12dcx->dRead)(p12dcx->dArg, buf, IN_BUF_LEN1024); |
1396 | if (bytesRead < 0) { |
1397 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_UNABLE_TO_READ); |
1398 | goto loser; |
1399 | } |
1400 | PORT_Assert(bytesRead <= IN_BUF_LEN)((bytesRead <= 1024)?((void)0):PR_Assert("bytesRead <= IN_BUF_LEN" ,"p12d.c",1400)); |
1401 | PORT_Assert(!memcmp(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd))((!memcmp(buf + 1024, bufferEnd, sizeof bufferEnd))?((void)0) :PR_Assert("!memcmp(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd)" ,"p12d.c",1401)); |
1402 | |
1403 | if (bytesRead > IN_BUF_LEN1024) { |
1404 | /* dRead callback overflowed buffer. */ |
1405 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INPUT_LEN); |
1406 | goto loser; |
1407 | } |
1408 | |
1409 | if (bytesRead) { |
1410 | lrv = PK11_DigestOp(pk11cx, buf, bytesRead); |
1411 | if (lrv == SECFailure) { |
1412 | goto loser; |
1413 | } |
1414 | } |
1415 | } while (bytesRead == IN_BUF_LEN1024); |
1416 | |
1417 | /* finish the hmac context */ |
1418 | lrv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN1024); |
1419 | if (lrv == SECFailure) { |
1420 | goto loser; |
1421 | } |
1422 | |
1423 | hmacRes.data = buf; |
1424 | hmacRes.len = bufLen; |
1425 | |
1426 | /* is the hmac computed the same as the hmac which was decoded? */ |
1427 | rv = SECSuccess; |
1428 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(&hmacRes, &p12dcx->macData.safeMac.digest) != SECEqual) { |
1429 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_INVALID_MAC); |
1430 | rv = SECFailure; |
1431 | } |
1432 | |
1433 | loser: |
1434 | /* close the file and remove it */ |
1435 | if (p12dcx->dClose) { |
1436 | (*p12dcx->dClose)(p12dcx->dArg, PR_TRUE1); |
1437 | p12dcx->dIsOpen = PR_FALSE0; |
1438 | } |
1439 | |
1440 | if (pk11cx) { |
1441 | PK11_DestroyContext(pk11cx, PR_TRUE1); |
1442 | } |
1443 | if (params) { |
1444 | PK11_DestroyPBEParams(params); |
1445 | } |
1446 | if (symKey) { |
1447 | PK11_FreeSymKey(symKey); |
1448 | } |
1449 | PORT_ZFreePORT_ZFree_Util(buf, IN_BUF_LEN1024 + FUDGE128); |
1450 | |
1451 | return rv; |
1452 | } |
1453 | |
1454 | /* SEC_PKCS12DecoderVerify |
1455 | * Verify the macData or the signature of the decoded PKCS 12 PDU. |
1456 | * If the signature or the macData do not match, SECFailure is |
1457 | * returned. |
1458 | * |
1459 | * p12dcx - the decoder context |
1460 | */ |
1461 | SECStatus |
1462 | SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx) |
1463 | { |
1464 | SECStatus rv = SECSuccess; |
1465 | |
1466 | /* make sure that no errors have occurred... */ |
1467 | if (!p12dcx) { |
1468 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1469 | return SECFailure; |
1470 | } |
1471 | if (p12dcx->error) { |
1472 | /* error code is already set! PORT_SetError(p12dcx->errorValue); */ |
1473 | return SECFailure; |
1474 | } |
1475 | |
1476 | rv = SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(p12dcx->pfxA1Dcx); |
1477 | p12dcx->pfxA1Dcx = NULL((void*)0); |
1478 | if (rv != SECSuccess) { |
1479 | return rv; |
1480 | } |
1481 | |
1482 | /* check the signature or the mac depending on the type of |
1483 | * integrity used. |
1484 | */ |
1485 | if (p12dcx->pfx.encodedMacData.len) { |
1486 | rv = SEC_ASN1DecodeItemSEC_ASN1DecodeItem_Util(p12dcx->arena, &p12dcx->macData, |
1487 | sec_PKCS12MacDataTemplate, |
1488 | &p12dcx->pfx.encodedMacData); |
1489 | if (rv == SECSuccess) { |
1490 | return sec_pkcs12_decoder_verify_mac(p12dcx); |
1491 | } |
1492 | return rv; |
1493 | } |
1494 | if (SEC_PKCS7VerifySignature(p12dcx->aSafeCinfo, certUsageEmailSigner, |
1495 | PR_FALSE0)) { |
1496 | return SECSuccess; |
1497 | } |
1498 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_INVALID_MAC); |
1499 | return SECFailure; |
1500 | } |
1501 | |
1502 | /* SEC_PKCS12DecoderFinish |
1503 | * Free any open ASN1 or PKCS7 decoder contexts and then |
1504 | * free the arena pool which everything should be allocated |
1505 | * from. This function should be called upon completion of |
1506 | * decoding and installing of a pfx pdu. This should be |
1507 | * called even if an error occurs. |
1508 | * |
1509 | * p12dcx - the decoder context |
1510 | */ |
1511 | void |
1512 | SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx) |
1513 | { |
1514 | unsigned int i; |
1515 | |
1516 | if (!p12dcx) { |
1517 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1518 | return; |
1519 | } |
1520 | |
1521 | if (p12dcx->pfxA1Dcx) { |
1522 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(p12dcx->pfxA1Dcx); |
1523 | p12dcx->pfxA1Dcx = NULL((void*)0); |
1524 | } |
1525 | |
1526 | if (p12dcx->aSafeA1Dcx) { |
1527 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(p12dcx->aSafeA1Dcx); |
1528 | p12dcx->aSafeA1Dcx = NULL((void*)0); |
1529 | } |
1530 | |
1531 | /* cleanup any old ASN1 decoder contexts */ |
1532 | for (i = 0; i < p12dcx->safeContentsCnt; ++i) { |
1533 | sec_PKCS12SafeContentsContext *safeContentsCtx, *nested; |
1534 | safeContentsCtx = p12dcx->safeContentsList[i]; |
1535 | if (safeContentsCtx) { |
1536 | nested = safeContentsCtx->nestedSafeContentsCtx; |
1537 | while (nested) { |
1538 | if (nested->safeContentsA1Dcx) { |
1539 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(nested->safeContentsA1Dcx); |
1540 | nested->safeContentsA1Dcx = NULL((void*)0); |
1541 | } |
1542 | nested = nested->nestedSafeContentsCtx; |
1543 | } |
1544 | if (safeContentsCtx->safeContentsA1Dcx) { |
1545 | SEC_ASN1DecoderFinishSEC_ASN1DecoderFinish_Util(safeContentsCtx->safeContentsA1Dcx); |
1546 | safeContentsCtx->safeContentsA1Dcx = NULL((void*)0); |
1547 | } |
1548 | } |
1549 | } |
1550 | |
1551 | if (p12dcx->currentASafeP7Dcx && |
1552 | p12dcx->currentASafeP7Dcx != p12dcx->aSafeP7Dcx) { |
1553 | SEC_PKCS7ContentInfo *cinfo; |
1554 | cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx); |
1555 | if (cinfo) { |
1556 | SEC_PKCS7DestroyContentInfo(cinfo); /* don't leak it */ |
1557 | } |
1558 | } |
1559 | p12dcx->currentASafeP7Dcx = NULL((void*)0); |
1560 | |
1561 | if (p12dcx->aSafeP7Dcx) { |
1562 | SEC_PKCS7ContentInfo *cinfo; |
1563 | cinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx); |
1564 | if (cinfo) { |
1565 | SEC_PKCS7DestroyContentInfo(cinfo); |
1566 | } |
1567 | p12dcx->aSafeP7Dcx = NULL((void*)0); |
1568 | } |
1569 | |
1570 | if (p12dcx->aSafeCinfo) { |
1571 | SEC_PKCS7DestroyContentInfo(p12dcx->aSafeCinfo); |
1572 | p12dcx->aSafeCinfo = NULL((void*)0); |
1573 | } |
1574 | |
1575 | if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL((void*)0)) { |
1576 | SECITEM_FreeItemSECITEM_FreeItem_Util(p12dcx->decitem.der, PR_TRUE1); |
1577 | } |
1578 | if (p12dcx->decitem.friendlyName != NULL((void*)0)) { |
1579 | SECITEM_FreeItemSECITEM_FreeItem_Util(p12dcx->decitem.friendlyName, PR_TRUE1); |
1580 | } |
1581 | |
1582 | if (p12dcx->slot) { |
1583 | PK11_FreeSlot(p12dcx->slot); |
1584 | p12dcx->slot = NULL((void*)0); |
1585 | } |
1586 | |
1587 | if (p12dcx->dIsOpen && p12dcx->dClose) { |
1588 | (*p12dcx->dClose)(p12dcx->dArg, PR_TRUE1); |
1589 | p12dcx->dIsOpen = PR_FALSE0; |
1590 | } |
1591 | |
1592 | if (p12dcx->arena) { |
1593 | PORT_FreeArenaPORT_FreeArena_Util(p12dcx->arena, PR_TRUE1); |
1594 | } |
1595 | } |
1596 | |
1597 | static SECStatus |
1598 | sec_pkcs12_decoder_set_attribute_value(sec_PKCS12SafeBag *bag, |
1599 | SECOidTag attributeType, |
1600 | SECItem *attrValue) |
1601 | { |
1602 | int i = 0; |
1603 | SECOidData *oid; |
1604 | |
1605 | if (!bag || !attrValue) { |
1606 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1607 | return SECFailure; |
1608 | } |
1609 | |
1610 | oid = SECOID_FindOIDByTagSECOID_FindOIDByTag_Util(attributeType); |
1611 | if (!oid) { |
1612 | return SECFailure; |
1613 | } |
1614 | |
1615 | if (!bag->attribs) { |
1616 | bag->attribs = |
1617 | PORT_ArenaZNewArray(bag->arena, sec_PKCS12Attribute *, 2)(sec_PKCS12Attribute * *)PORT_ArenaZAlloc_Util(bag->arena, sizeof(sec_PKCS12Attribute *) * (2)); |
1618 | } else { |
1619 | while (bag->attribs[i]) |
1620 | i++; |
1621 | bag->attribs = PORT_ArenaGrowArray(bag->arena, bag->attribs,(sec_PKCS12Attribute * *)PORT_ArenaGrow_Util((bag->arena), (bag->attribs), (i + 1) * sizeof(sec_PKCS12Attribute *), ( i + 2) * sizeof(sec_PKCS12Attribute *)) |
1622 | sec_PKCS12Attribute *, i + 1, i + 2)(sec_PKCS12Attribute * *)PORT_ArenaGrow_Util((bag->arena), (bag->attribs), (i + 1) * sizeof(sec_PKCS12Attribute *), ( i + 2) * sizeof(sec_PKCS12Attribute *)); |
1623 | } |
1624 | |
1625 | if (!bag->attribs) { |
1626 | return SECFailure; |
1627 | } |
1628 | |
1629 | bag->attribs[i] = PORT_ArenaZNew(bag->arena, sec_PKCS12Attribute)(sec_PKCS12Attribute *)PORT_ArenaZAlloc_Util(bag->arena, sizeof (sec_PKCS12Attribute)); |
1630 | if (!bag->attribs[i]) { |
1631 | return SECFailure; |
1632 | } |
1633 | |
1634 | bag->attribs[i]->attrValue = PORT_ArenaZNewArray(bag->arena, SECItem *, 2)(SECItem * *)PORT_ArenaZAlloc_Util(bag->arena, sizeof(SECItem *) * (2)); |
1635 | if (!bag->attribs[i]->attrValue) { |
1636 | return SECFailure; |
1637 | } |
1638 | |
1639 | bag->attribs[i + 1] = NULL((void*)0); |
1640 | bag->attribs[i]->attrValue[0] = attrValue; |
1641 | bag->attribs[i]->attrValue[1] = NULL((void*)0); |
1642 | |
1643 | return SECITEM_CopyItemSECITEM_CopyItem_Util(bag->arena, &bag->attribs[i]->attrType, &oid->oid); |
1644 | } |
1645 | |
1646 | static SECItem * |
1647 | sec_pkcs12_get_attribute_value(sec_PKCS12SafeBag *bag, |
1648 | SECOidTag attributeType) |
1649 | { |
1650 | int i; |
1651 | |
1652 | if (!bag->attribs) { |
1653 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1654 | return NULL((void*)0); |
1655 | } |
1656 | |
1657 | for (i = 0; bag->attribs[i] != NULL((void*)0); i++) { |
1658 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&bag->attribs[i]->attrType) == attributeType) { |
1659 | return bag->attribs[i]->attrValue[0]; |
1660 | } |
1661 | } |
1662 | return NULL((void*)0); |
1663 | } |
1664 | |
1665 | /* For now, this function will merely remove any ":" |
1666 | * in the nickname which the PK11 functions may have |
1667 | * placed there. This will keep dual certs from appearing |
1668 | * twice under "Your" certificates when imported onto smart |
1669 | * cards. Once with the name "Slot:Cert" and another with |
1670 | * the nickname "Slot:Slot:Cert" |
1671 | */ |
1672 | static void |
1673 | sec_pkcs12_sanitize_nickname(PK11SlotInfo *slot, SECItem *nick) |
1674 | { |
1675 | char *nickname; |
1676 | char *delimit; |
1677 | int delimitlen; |
1678 | |
1679 | nickname = (char *)nick->data; |
1680 | if ((delimit = PORT_Strchrstrchr(nickname, ':')) != NULL((void*)0)) { |
1681 | char *slotName; |
1682 | int slotNameLen; |
1683 | |
1684 | slotNameLen = delimit - nickname; |
1685 | slotName = PORT_NewArray(char, (slotNameLen + 1))(char *)PORT_Alloc_Util(sizeof(char) * ((slotNameLen + 1))); |
1686 | PORT_Assert(slotName)((slotName)?((void)0):PR_Assert("slotName","p12d.c",1686)); |
1687 | if (slotName == NULL((void*)0)) { |
1688 | /* What else can we do?*/ |
1689 | return; |
1690 | } |
1691 | PORT_Memcpymemcpy(slotName, nickname, slotNameLen); |
1692 | slotName[slotNameLen] = '\0'; |
1693 | if (PORT_Strcmpstrcmp(PK11_GetTokenName(slot), slotName) == 0) { |
1694 | delimitlen = PORT_Strlen(delimit + 1)strlen(delimit + 1); |
1695 | PORT_Memmovememmove(nickname, delimit + 1, delimitlen + 1); |
1696 | nick->len = delimitlen; |
1697 | } |
1698 | PORT_FreePORT_Free_Util(slotName); |
1699 | } |
1700 | } |
1701 | |
1702 | static SECItem * |
1703 | sec_pkcs12_get_nickname(sec_PKCS12SafeBag *bag) |
1704 | { |
1705 | SECItem *src, *dest; |
1706 | |
1707 | if (!bag) { |
1708 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1709 | return NULL((void*)0); |
1710 | } |
1711 | |
1712 | src = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME); |
1713 | |
1714 | /* The return value src is 16-bit Unicode characters, in big-endian format. |
1715 | * Check if it is NULL or empty name. |
1716 | */ |
1717 | if (!src || !src->data || src->len < 2 || (!src->data[0] && !src->data[1])) { |
1718 | return NULL((void*)0); |
1719 | } |
1720 | |
1721 | dest = (SECItem *)PORT_ZAllocPORT_ZAlloc_Util(sizeof(SECItem)); |
1722 | if (!dest) { |
1723 | goto loser; |
1724 | } |
1725 | if (!sec_pkcs12_convert_item_to_unicode(NULL((void*)0), dest, src, PR_FALSE0, |
1726 | PR_FALSE0, PR_FALSE0)) { |
1727 | goto loser; |
1728 | } |
1729 | |
1730 | sec_pkcs12_sanitize_nickname(bag->slot, dest); |
1731 | |
1732 | return dest; |
1733 | |
1734 | loser: |
1735 | if (dest) { |
1736 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(dest, PR_TRUE1); |
1737 | } |
1738 | |
1739 | bag->problem = PR_TRUE1; |
1740 | bag->error = PORT_GetErrorPORT_GetError_Util(); |
1741 | return NULL((void*)0); |
1742 | } |
1743 | |
1744 | static SECStatus |
1745 | sec_pkcs12_set_nickname(sec_PKCS12SafeBag *bag, SECItem *name) |
1746 | { |
1747 | sec_PKCS12Attribute *attr = NULL((void*)0); |
1748 | SECOidData *oid = SECOID_FindOIDByTagSECOID_FindOIDByTag_Util(SEC_OID_PKCS9_FRIENDLY_NAME); |
1749 | |
1750 | if (!bag || !bag->arena || !name) { |
1751 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1752 | return SECFailure; |
1753 | } |
1754 | |
1755 | if (!bag->attribs) { |
1756 | if (!oid) { |
1757 | goto loser; |
1758 | } |
1759 | |
1760 | bag->attribs = |
1761 | PORT_ArenaZNewArray(bag->arena, sec_PKCS12Attribute *, 2)(sec_PKCS12Attribute * *)PORT_ArenaZAlloc_Util(bag->arena, sizeof(sec_PKCS12Attribute *) * (2)); |
1762 | if (!bag->attribs) { |
1763 | goto loser; |
1764 | } |
1765 | bag->attribs[0] = PORT_ArenaZNew(bag->arena, sec_PKCS12Attribute)(sec_PKCS12Attribute *)PORT_ArenaZAlloc_Util(bag->arena, sizeof (sec_PKCS12Attribute)); |
1766 | if (!bag->attribs[0]) { |
1767 | goto loser; |
1768 | } |
1769 | bag->attribs[1] = NULL((void*)0); |
1770 | |
1771 | attr = bag->attribs[0]; |
1772 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(bag->arena, &attr->attrType, &oid->oid) != SECSuccess) { |
1773 | goto loser; |
1774 | } |
1775 | } else { |
1776 | int i; |
1777 | for (i = 0; bag->attribs[i]; i++) { |
1778 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&bag->attribs[i]->attrType) == SEC_OID_PKCS9_FRIENDLY_NAME) { |
1779 | attr = bag->attribs[i]; |
1780 | break; |
1781 | } |
1782 | } |
1783 | if (!attr) { |
1784 | if (!oid) { |
1785 | goto loser; |
1786 | } |
1787 | bag->attribs = PORT_ArenaGrowArray(bag->arena, bag->attribs,(sec_PKCS12Attribute * *)PORT_ArenaGrow_Util((bag->arena), (bag->attribs), (i + 1) * sizeof(sec_PKCS12Attribute *), ( i + 2) * sizeof(sec_PKCS12Attribute *)) |
1788 | sec_PKCS12Attribute *, i + 1, i + 2)(sec_PKCS12Attribute * *)PORT_ArenaGrow_Util((bag->arena), (bag->attribs), (i + 1) * sizeof(sec_PKCS12Attribute *), ( i + 2) * sizeof(sec_PKCS12Attribute *)); |
1789 | if (!bag->attribs) { |
1790 | goto loser; |
1791 | } |
1792 | bag->attribs[i] = PORT_ArenaZNew(bag->arena, sec_PKCS12Attribute)(sec_PKCS12Attribute *)PORT_ArenaZAlloc_Util(bag->arena, sizeof (sec_PKCS12Attribute)); |
1793 | if (!bag->attribs[i]) { |
1794 | goto loser; |
1795 | } |
1796 | bag->attribs[i + 1] = NULL((void*)0); |
1797 | attr = bag->attribs[i]; |
1798 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(bag->arena, &attr->attrType, &oid->oid) != SECSuccess) { |
1799 | goto loser; |
1800 | } |
1801 | } |
1802 | } |
1803 | |
1804 | PORT_Assert(attr)((attr)?((void)0):PR_Assert("attr","p12d.c",1804)); |
1805 | if (!attr->attrValue) { |
1806 | attr->attrValue = PORT_ArenaZNewArray(bag->arena, SECItem *, 2)(SECItem * *)PORT_ArenaZAlloc_Util(bag->arena, sizeof(SECItem *) * (2)); |
1807 | if (!attr->attrValue) { |
1808 | goto loser; |
1809 | } |
1810 | attr->attrValue[0] = PORT_ArenaZNew(bag->arena, SECItem)(SECItem *)PORT_ArenaZAlloc_Util(bag->arena, sizeof(SECItem )); |
1811 | if (!attr->attrValue[0]) { |
1812 | goto loser; |
1813 | } |
1814 | attr->attrValue[1] = NULL((void*)0); |
1815 | } |
1816 | |
1817 | name->len = PORT_Strlen((char *)name->data)strlen((char *)name->data); |
1818 | if (!sec_pkcs12_convert_item_to_unicode(bag->arena, attr->attrValue[0], |
1819 | name, PR_FALSE0, PR_FALSE0, PR_TRUE1)) { |
1820 | goto loser; |
1821 | } |
1822 | |
1823 | return SECSuccess; |
1824 | |
1825 | loser: |
1826 | bag->problem = PR_TRUE1; |
1827 | bag->error = PORT_GetErrorPORT_GetError_Util(); |
1828 | return SECFailure; |
1829 | } |
1830 | |
1831 | static SECStatus |
1832 | sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key) |
1833 | { |
1834 | int i = 0; |
1835 | SECKEYPrivateKeyInfo *pki = NULL((void*)0); |
1836 | |
1837 | if (!key) { |
1838 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1839 | return SECFailure; |
1840 | } |
1841 | |
1842 | /* if the bag does *not* contain an unencrypted PrivateKeyInfo |
1843 | * then we cannot convert the attributes. We are propagating |
1844 | * attributes within the PrivateKeyInfo to the SafeBag level. |
1845 | */ |
1846 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(key->safeBagType)) != |
1847 | SEC_OID_PKCS12_V1_KEY_BAG_ID) { |
1848 | return SECSuccess; |
1849 | } |
1850 | |
1851 | pki = key->safeBagContent.pkcs8KeyBag; |
1852 | |
1853 | if (!pki || !pki->attributes) { |
1854 | return SECSuccess; |
1855 | } |
1856 | |
1857 | while (pki->attributes[i]) { |
1858 | SECOidTag tag = SECOID_FindOIDTagSECOID_FindOIDTag_Util(&pki->attributes[i]->attrType); |
1859 | |
1860 | if (tag == SEC_OID_PKCS9_LOCAL_KEY_ID || |
1861 | tag == SEC_OID_PKCS9_FRIENDLY_NAME) { |
1862 | SECItem *attrValue = sec_pkcs12_get_attribute_value(key, tag); |
1863 | if (!attrValue) { |
1864 | if (sec_pkcs12_decoder_set_attribute_value(key, tag, |
1865 | pki->attributes[i]->attrValue[0]) != SECSuccess) { |
1866 | key->problem = PR_TRUE1; |
1867 | key->error = PORT_GetErrorPORT_GetError_Util(); |
1868 | return SECFailure; |
1869 | } |
1870 | } |
1871 | } |
1872 | i++; |
1873 | } |
1874 | |
1875 | return SECSuccess; |
1876 | } |
1877 | |
1878 | /* retrieve the nickname for the certificate bag. first look |
1879 | * in the cert bag, otherwise get it from the key. |
1880 | */ |
1881 | static SECItem * |
1882 | sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert, |
1883 | sec_PKCS12SafeBag *key) |
1884 | { |
1885 | SECItem *nickname; |
1886 | |
1887 | if (!cert) { |
1888 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1889 | return NULL((void*)0); |
1890 | } |
1891 | |
1892 | nickname = sec_pkcs12_get_nickname(cert); |
1893 | if (nickname) { |
1894 | return nickname; |
1895 | } |
1896 | |
1897 | if (key) { |
1898 | nickname = sec_pkcs12_get_nickname(key); |
1899 | |
1900 | if (nickname && sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) { |
1901 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(nickname, PR_TRUE1); |
1902 | return NULL((void*)0); |
1903 | } |
1904 | } |
1905 | |
1906 | return nickname; |
1907 | } |
1908 | |
1909 | /* set the nickname for the certificate */ |
1910 | static SECStatus |
1911 | sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, |
1912 | sec_PKCS12SafeBag *key, |
1913 | SECItem *nickname) |
1914 | { |
1915 | if (!nickname || !cert) { |
1916 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1917 | return SECFailure; |
1918 | } |
1919 | |
1920 | if (sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) { |
1921 | return SECFailure; |
1922 | } |
1923 | |
1924 | if (key) { |
1925 | if (sec_pkcs12_set_nickname(key, nickname) != SECSuccess) { |
1926 | cert->problem = PR_TRUE1; |
1927 | cert->error = key->error; |
1928 | return SECFailure; |
1929 | } |
1930 | } |
1931 | |
1932 | return SECSuccess; |
1933 | } |
1934 | |
1935 | /* retrieve the DER cert from the cert bag */ |
1936 | static SECItem * |
1937 | sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert) |
1938 | { |
1939 | if (!cert) { |
1940 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1941 | return NULL((void*)0); |
1942 | } |
1943 | |
1944 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&cert->safeBagType) != SEC_OID_PKCS12_V1_CERT_BAG_ID) { |
1945 | return NULL((void*)0); |
1946 | } |
1947 | |
1948 | /* only support X509 certs not SDSI */ |
1949 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&cert->safeBagContent.certBag->bagID) != SEC_OID_PKCS9_X509_CERT) { |
1950 | return NULL((void*)0); |
1951 | } |
1952 | |
1953 | return SECITEM_DupItemSECITEM_DupItem_Util(&(cert->safeBagContent.certBag->value.x509Cert)); |
1954 | } |
1955 | |
1956 | struct certNickInfo { |
1957 | PLArenaPool *arena; |
1958 | unsigned int nNicks; |
1959 | SECItem **nickList; |
1960 | unsigned int error; |
1961 | }; |
1962 | |
1963 | /* callback for traversing certificates to gather the nicknames |
1964 | * used in a particular traversal. for instance, when using |
1965 | * CERT_TraversePermCertsForSubject, gather the nicknames and |
1966 | * store them in the certNickInfo for a particular DN. |
1967 | * |
1968 | * this handles the case where multiple nicknames are allowed |
1969 | * for the same dn, which is not currently allowed, but may be |
1970 | * in the future. |
1971 | */ |
1972 | static SECStatus |
1973 | gatherNicknames(CERTCertificate *cert, void *arg) |
1974 | { |
1975 | struct certNickInfo *nickArg = (struct certNickInfo *)arg; |
1976 | SECItem tempNick; |
1977 | unsigned int i; |
1978 | |
1979 | if (!cert || !nickArg || nickArg->error) { |
1980 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1981 | return SECFailure; |
1982 | } |
1983 | |
1984 | if (!cert->nickname) { |
1985 | return SECSuccess; |
1986 | } |
1987 | |
1988 | tempNick.data = (unsigned char *)cert->nickname; |
1989 | tempNick.len = PORT_Strlen(cert->nickname)strlen(cert->nickname) + 1; |
1990 | tempNick.type = siAsciiString; |
1991 | |
1992 | /* do we already have the nickname in the list? */ |
1993 | if (nickArg->nNicks > 0) { |
1994 | |
1995 | /* nicknames have been encountered, but there is no list -- bad */ |
1996 | if (!nickArg->nickList) { |
1997 | nickArg->error = SEC_ERROR_INVALID_ARGS; |
1998 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
1999 | return SECFailure; |
2000 | } |
2001 | |
2002 | for (i = 0; i < nickArg->nNicks; i++) { |
2003 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(nickArg->nickList[i], &tempNick) == SECEqual) { |
2004 | return SECSuccess; |
2005 | } |
2006 | } |
2007 | } |
2008 | |
2009 | /* add the nickname to the list */ |
2010 | nickArg->nickList = (nickArg->nNicks == 0) |
2011 | ? PORT_ArenaZNewArray(nickArg->arena, SECItem *, 2)(SECItem * *)PORT_ArenaZAlloc_Util(nickArg->arena, sizeof( SECItem *) * (2)) |
2012 | : PORT_ArenaGrowArray(nickArg->arena, nickArg->nickList, SECItem *,(SECItem * *)PORT_ArenaGrow_Util((nickArg->arena), (nickArg ->nickList), (nickArg->nNicks + 1) * sizeof(SECItem *), (nickArg->nNicks + 2) * sizeof(SECItem *)) |
2013 | nickArg->nNicks + 1, nickArg->nNicks + 2)(SECItem * *)PORT_ArenaGrow_Util((nickArg->arena), (nickArg ->nickList), (nickArg->nNicks + 1) * sizeof(SECItem *), (nickArg->nNicks + 2) * sizeof(SECItem *)); |
2014 | |
2015 | if (!nickArg->nickList) { |
2016 | nickArg->error = SEC_ERROR_NO_MEMORY; |
2017 | return SECFailure; |
2018 | } |
2019 | |
2020 | nickArg->nickList[nickArg->nNicks] = |
2021 | PORT_ArenaZNew(nickArg->arena, SECItem)(SECItem *)PORT_ArenaZAlloc_Util(nickArg->arena, sizeof(SECItem )); |
2022 | if (!nickArg->nickList[nickArg->nNicks]) { |
2023 | nickArg->error = PORT_GetErrorPORT_GetError_Util(); |
2024 | return SECFailure; |
2025 | } |
2026 | |
2027 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(nickArg->arena, nickArg->nickList[nickArg->nNicks], |
2028 | &tempNick) != SECSuccess) { |
2029 | nickArg->error = PORT_GetErrorPORT_GetError_Util(); |
2030 | return SECFailure; |
2031 | } |
2032 | |
2033 | nickArg->nNicks++; |
2034 | |
2035 | return SECSuccess; |
2036 | } |
2037 | |
2038 | /* traverses the certs in the data base or in the token for the |
2039 | * DN to see if any certs currently have a nickname set. |
2040 | * If so, return it. |
2041 | */ |
2042 | static SECItem * |
2043 | sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert) |
2044 | { |
2045 | struct certNickInfo *nickArg = NULL((void*)0); |
2046 | SECItem *derCert, *returnDn = NULL((void*)0); |
2047 | PLArenaPool *arena = NULL((void*)0); |
2048 | CERTCertificate *tempCert; |
2049 | |
2050 | if (!cert) { |
2051 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2052 | return NULL((void*)0); |
2053 | } |
2054 | |
2055 | derCert = sec_pkcs12_get_der_cert(cert); |
2056 | if (!derCert) { |
2057 | return NULL((void*)0); |
2058 | } |
2059 | |
2060 | tempCert = CERT_DecodeDERCertificate__CERT_DecodeDERCertificate(derCert, PR_FALSE0, NULL((void*)0)); |
2061 | if (!tempCert) { |
2062 | returnDn = NULL((void*)0); |
2063 | goto loser; |
2064 | } |
2065 | |
2066 | arena = PORT_NewArenaPORT_NewArena_Util(1024); |
2067 | if (!arena) { |
2068 | returnDn = NULL((void*)0); |
2069 | goto loser; |
2070 | } |
2071 | nickArg = PORT_ArenaZNew(arena, struct certNickInfo)(struct certNickInfo *)PORT_ArenaZAlloc_Util(arena, sizeof(struct certNickInfo)); |
2072 | if (!nickArg) { |
2073 | returnDn = NULL((void*)0); |
2074 | goto loser; |
2075 | } |
2076 | nickArg->error = 0; |
2077 | nickArg->nNicks = 0; |
2078 | nickArg->nickList = NULL((void*)0); |
2079 | nickArg->arena = arena; |
2080 | |
2081 | /* if the token is local, first traverse the cert database |
2082 | * then traverse the token. |
2083 | */ |
2084 | if (PK11_TraverseCertsForSubjectInSlot(tempCert, cert->slot, gatherNicknames, |
2085 | (void *)nickArg) != SECSuccess) { |
2086 | returnDn = NULL((void*)0); |
2087 | goto loser; |
2088 | } |
2089 | |
2090 | if (nickArg->error) { |
2091 | /* XXX do we want to set the error? */ |
2092 | returnDn = NULL((void*)0); |
2093 | goto loser; |
2094 | } |
2095 | |
2096 | if (nickArg->nNicks == 0) { |
2097 | returnDn = NULL((void*)0); |
2098 | goto loser; |
2099 | } |
2100 | |
2101 | /* set it to the first name, for now. handle multiple names? */ |
2102 | returnDn = SECITEM_DupItemSECITEM_DupItem_Util(nickArg->nickList[0]); |
2103 | |
2104 | loser: |
2105 | if (arena) { |
2106 | PORT_FreeArenaPORT_FreeArena_Util(arena, PR_TRUE1); |
2107 | } |
2108 | |
2109 | if (tempCert) { |
2110 | CERT_DestroyCertificate(tempCert); |
2111 | } |
2112 | |
2113 | if (derCert) { |
2114 | SECITEM_FreeItemSECITEM_FreeItem_Util(derCert, PR_TRUE1); |
2115 | } |
2116 | |
2117 | return (returnDn); |
2118 | } |
2119 | |
2120 | /* counts certificates found for a given traversal function */ |
2121 | static SECStatus |
2122 | countCertificate(CERTCertificate *cert, void *arg) |
2123 | { |
2124 | unsigned int *nCerts = (unsigned int *)arg; |
2125 | |
2126 | if (!cert || !arg) { |
2127 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2128 | return SECFailure; |
2129 | } |
2130 | |
2131 | (*nCerts)++; |
2132 | return SECSuccess; |
2133 | } |
2134 | |
2135 | static PRBool |
2136 | sec_pkcs12_certs_for_nickname_exist(SECItem *nickname, PK11SlotInfo *slot) |
2137 | { |
2138 | unsigned int nCerts = 0; |
2139 | |
2140 | if (!nickname || !slot) { |
2141 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2142 | return PR_TRUE1; |
2143 | } |
2144 | |
2145 | /* we want to check the local database first if we are importing to it */ |
2146 | PK11_TraverseCertsForNicknameInSlot(nickname, slot, countCertificate, |
2147 | (void *)&nCerts); |
2148 | return (PRBool)(nCerts != 0); |
2149 | } |
2150 | |
2151 | /* validate cert nickname such that there is a one-to-one relation |
2152 | * between nicknames and dn's. we want to enforce the case that the |
2153 | * nickname is non-NULL and that there is only one nickname per DN. |
2154 | * |
2155 | * if there is a problem with a nickname or the nickname is not present, |
2156 | * the user will be prompted for it. |
2157 | */ |
2158 | static void |
2159 | sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert, |
2160 | sec_PKCS12SafeBag *key, |
2161 | SEC_PKCS12NicknameCollisionCallback nicknameCb, |
2162 | CERTCertificate *leafCert) |
2163 | { |
2164 | SECItem *certNickname, *existingDNNick; |
2165 | PRBool setNickname = PR_FALSE0, cancel = PR_FALSE0; |
2166 | SECItem *newNickname = NULL((void*)0); |
2167 | |
2168 | if (!cert || !cert->hasKey) { |
2169 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2170 | return; |
2171 | } |
2172 | |
2173 | if (!nicknameCb) { |
2174 | cert->problem = PR_TRUE1; |
2175 | cert->error = SEC_ERROR_INVALID_ARGS; |
2176 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2177 | return; |
2178 | } |
2179 | |
2180 | if (cert->hasKey && !key) { |
2181 | cert->problem = PR_TRUE1; |
2182 | cert->error = SEC_ERROR_INVALID_ARGS; |
2183 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2184 | return; |
2185 | } |
2186 | |
2187 | certNickname = sec_pkcs12_get_nickname_for_cert(cert, key); |
2188 | existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert); |
2189 | |
2190 | /* nickname is already used w/ this dn, so it is safe to return */ |
2191 | if (certNickname && existingDNNick && |
2192 | SECITEM_CompareItemSECITEM_CompareItem_Util(certNickname, existingDNNick) == SECEqual) { |
2193 | goto loser; |
2194 | } |
2195 | |
2196 | /* nickname not set in pkcs 12 bags, but a nick is already used for |
2197 | * this dn. set the nicks in the p12 bags and finish. |
2198 | */ |
2199 | if (existingDNNick) { |
2200 | sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick); |
2201 | goto loser; |
2202 | } |
2203 | |
2204 | /* at this point, we have a certificate for which the DN is not located |
2205 | * on the token. the nickname specified may or may not be NULL. if it |
2206 | * is not null, we need to make sure that there are no other certificates |
2207 | * with this nickname in the token for it to be valid. this imposes a |
2208 | * one to one relationship between DN and nickname. |
2209 | * |
2210 | * if the nickname is null, we need the user to enter a nickname for |
2211 | * the certificate. |
2212 | * |
2213 | * once we have a nickname, we make sure that the nickname is unique |
2214 | * for the DN. if it is not, the user is reprompted to enter a new |
2215 | * nickname. |
2216 | * |
2217 | * in order to exit this loop, the nickname entered is either unique |
2218 | * or the user hits cancel and the certificate is not imported. |
2219 | */ |
2220 | setNickname = PR_FALSE0; |
2221 | while (1) { |
2222 | /* we will use the nickname so long as no other certs have the |
2223 | * same nickname. and the nickname is not NULL. |
2224 | */ |
2225 | if (certNickname && certNickname->data && |
2226 | !sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) { |
2227 | if (setNickname) { |
2228 | sec_pkcs12_set_nickname_for_cert(cert, key, certNickname); |
2229 | } |
2230 | break; |
2231 | } |
2232 | |
2233 | setNickname = PR_FALSE0; |
Value stored to 'setNickname' is never read | |
2234 | newNickname = (*nicknameCb)(certNickname, &cancel, leafCert); |
2235 | if (cancel) { |
2236 | cert->problem = PR_TRUE1; |
2237 | cert->error = SEC_ERROR_USER_CANCELLED; |
2238 | break; |
2239 | } |
2240 | |
2241 | if (!newNickname) { |
2242 | cert->problem = PR_TRUE1; |
2243 | cert->error = PORT_GetErrorPORT_GetError_Util(); |
2244 | break; |
2245 | } |
2246 | |
2247 | /* at this point we have a new nickname, if we have an existing |
2248 | * certNickname, we need to free it and assign the new nickname |
2249 | * to it to avoid a memory leak. happy? |
2250 | */ |
2251 | if (certNickname) { |
2252 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(certNickname, PR_TRUE1); |
2253 | certNickname = NULL((void*)0); |
2254 | } |
2255 | |
2256 | certNickname = newNickname; |
2257 | setNickname = PR_TRUE1; |
2258 | /* go back and recheck the new nickname */ |
2259 | } |
2260 | |
2261 | loser: |
2262 | if (certNickname) { |
2263 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(certNickname, PR_TRUE1); |
2264 | } |
2265 | |
2266 | if (existingDNNick) { |
2267 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(existingDNNick, PR_TRUE1); |
2268 | } |
2269 | } |
2270 | |
2271 | static void |
2272 | sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert, |
2273 | sec_PKCS12SafeBag *key, |
2274 | SEC_PKCS12NicknameCollisionCallback nicknameCb) |
2275 | { |
2276 | CERTCertificate *leafCert; |
2277 | |
2278 | if (!cert) { |
2279 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2280 | return; |
2281 | } |
2282 | |
2283 | cert->validated = PR_TRUE1; |
2284 | |
2285 | if (!nicknameCb) { |
2286 | cert->noInstall = PR_TRUE1; |
2287 | cert->problem = PR_TRUE1; |
2288 | cert->error = SEC_ERROR_INVALID_ARGS; |
2289 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2290 | return; |
2291 | } |
2292 | |
2293 | if (!cert->safeBagContent.certBag) { |
2294 | cert->noInstall = PR_TRUE1; |
2295 | cert->problem = PR_TRUE1; |
2296 | cert->error = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE; |
2297 | return; |
2298 | } |
2299 | |
2300 | cert->noInstall = PR_FALSE0; |
2301 | cert->unused = PR_FALSE0; |
2302 | cert->problem = PR_FALSE0; |
2303 | cert->error = 0; |
2304 | |
2305 | leafCert = CERT_DecodeDERCertificate__CERT_DecodeDERCertificate( |
2306 | &cert->safeBagContent.certBag->value.x509Cert, PR_FALSE0, NULL((void*)0)); |
2307 | if (!leafCert) { |
2308 | cert->noInstall = PR_TRUE1; |
2309 | cert->problem = PR_TRUE1; |
2310 | cert->error = PORT_GetErrorPORT_GetError_Util(); |
2311 | return; |
2312 | } |
2313 | |
2314 | sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, leafCert); |
2315 | |
2316 | CERT_DestroyCertificate(leafCert); |
2317 | } |
2318 | |
2319 | static void |
2320 | sec_pkcs12_validate_key_by_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key, |
2321 | void *wincx) |
2322 | { |
2323 | CERTCertificate *leafCert; |
2324 | SECKEYPrivateKey *privk; |
2325 | |
2326 | if (!key) { |
2327 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2328 | return; |
2329 | } |
2330 | |
2331 | key->validated = PR_TRUE1; |
2332 | |
2333 | if (!cert) { |
2334 | key->problem = PR_TRUE1; |
2335 | key->noInstall = PR_TRUE1; |
2336 | key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2337 | return; |
2338 | } |
2339 | |
2340 | leafCert = CERT_DecodeDERCertificate__CERT_DecodeDERCertificate( |
2341 | &(cert->safeBagContent.certBag->value.x509Cert), PR_FALSE0, NULL((void*)0)); |
2342 | if (!leafCert) { |
2343 | key->problem = PR_TRUE1; |
2344 | key->noInstall = PR_TRUE1; |
2345 | key->error = PORT_GetErrorPORT_GetError_Util(); |
2346 | return; |
2347 | } |
2348 | |
2349 | privk = PK11_FindPrivateKeyFromCert(key->slot, leafCert, wincx); |
2350 | if (!privk) { |
2351 | privk = PK11_FindKeyByDERCert(key->slot, leafCert, wincx); |
2352 | } |
2353 | |
2354 | if (privk) { |
2355 | SECKEY_DestroyPrivateKey(privk); |
2356 | key->noInstall = PR_TRUE1; |
2357 | } |
2358 | |
2359 | CERT_DestroyCertificate(leafCert); |
2360 | } |
2361 | |
2362 | static SECStatus |
2363 | sec_pkcs12_add_cert(sec_PKCS12SafeBag *cert, PRBool keyExists, void *wincx) |
2364 | { |
2365 | SECItem *derCert, *nickName; |
2366 | char *nickData = NULL((void*)0); |
2367 | PRBool isIntermediateCA; |
2368 | SECStatus rv; |
2369 | |
2370 | if (!cert) { |
2371 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2372 | return SECFailure; |
2373 | } |
2374 | |
2375 | if (cert->problem || cert->noInstall || cert->installed) { |
2376 | return SECSuccess; |
2377 | } |
2378 | |
2379 | derCert = &cert->safeBagContent.certBag->value.x509Cert; |
2380 | |
2381 | PORT_Assert(!cert->problem && !cert->noInstall)((!cert->problem && !cert->noInstall)?((void)0) :PR_Assert("!cert->problem && !cert->noInstall" ,"p12d.c",2381)); |
2382 | |
2383 | nickName = sec_pkcs12_get_nickname(cert); |
2384 | if (nickName) { |
2385 | nickData = (char *)nickName->data; |
2386 | } |
2387 | |
2388 | isIntermediateCA = CERT_IsCADERCert(derCert, NULL((void*)0)) && |
2389 | !CERT_IsRootDERCert(derCert); |
2390 | |
2391 | if (keyExists) { |
2392 | CERTCertificate *newCert; |
2393 | |
2394 | newCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), |
2395 | derCert, NULL((void*)0), PR_FALSE0, PR_FALSE0); |
2396 | if (!newCert) { |
2397 | if (nickName) |
2398 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(nickName, PR_TRUE1); |
2399 | cert->error = PORT_GetErrorPORT_GetError_Util(); |
2400 | cert->problem = PR_TRUE1; |
2401 | return SECFailure; |
2402 | } |
2403 | |
2404 | rv = PK11_ImportCertForKeyToSlot(cert->slot, newCert, nickData, |
2405 | PR_TRUE1, wincx); |
2406 | CERT_DestroyCertificate(newCert); |
2407 | } else if ((cert->tokenCAs == SECPKCS12TargetTokenNoCAs) || |
2408 | ((cert->tokenCAs == SECPKCS12TargetTokenIntermediateCAs) && |
2409 | !isIntermediateCA)) { |
2410 | SECItem *certList[2]; |
2411 | certList[0] = derCert; |
2412 | certList[1] = NULL((void*)0); |
2413 | |
2414 | rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport, |
2415 | 1, certList, NULL((void*)0), PR_TRUE1, PR_FALSE0, nickData); |
2416 | } else { |
2417 | rv = PK11_ImportDERCert(cert->slot, derCert, CK_INVALID_HANDLE0, |
2418 | nickData, PR_FALSE0); |
2419 | } |
2420 | if (rv) { |
2421 | cert->problem = 1; |
2422 | cert->error = PORT_GetErrorPORT_GetError_Util(); |
2423 | } |
2424 | cert->installed = PR_TRUE1; |
2425 | if (nickName) |
2426 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(nickName, PR_TRUE1); |
2427 | return rv; |
2428 | } |
2429 | |
2430 | static SECItem * |
2431 | sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey, KeyType *type); |
2432 | |
2433 | static SECStatus |
2434 | sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey, |
2435 | unsigned int keyUsage, |
2436 | SECItem *nickName, PRBool forceUnicode, void *wincx) |
2437 | { |
2438 | SECStatus rv; |
2439 | SECItem *publicValue = NULL((void*)0); |
2440 | KeyType keyType; |
2441 | |
2442 | /* We should always have values for "key" and "pubKey" |
2443 | so they can be dereferenced later. */ |
2444 | if (!key || !pubKey) { |
2445 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2446 | return SECFailure; |
2447 | } |
2448 | |
2449 | if (key->problem || key->noInstall) { |
2450 | return SECSuccess; |
2451 | } |
2452 | |
2453 | /* get the value and type from the public key */ |
2454 | publicValue = sec_pkcs12_get_public_value_and_type(pubKey, &keyType); |
2455 | if (!publicValue) { |
2456 | key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2457 | key->problem = PR_TRUE1; |
2458 | return SECFailure; |
2459 | } |
2460 | |
2461 | switch (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&key->safeBagType)) { |
2462 | case SEC_OID_PKCS12_V1_KEY_BAG_ID: |
2463 | rv = PK11_ImportPrivateKeyInfo(key->slot, |
2464 | key->safeBagContent.pkcs8KeyBag, |
2465 | nickName, publicValue, PR_TRUE1, PR_TRUE1, |
2466 | keyUsage, wincx); |
2467 | break; |
2468 | case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: { |
2469 | SECItem pwitem = { 0 }; |
2470 | SECAlgorithmID *algid = |
2471 | &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; |
2472 | SECOidTag algorithm = SECOID_GetAlgorithmTagSECOID_GetAlgorithmTag_Util(algid); |
2473 | |
2474 | if (forceUnicode) { |
2475 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &pwitem, key->pwitem) != SECSuccess) { |
2476 | key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2477 | key->problem = PR_TRUE1; |
2478 | return SECFailure; |
2479 | } |
2480 | } else { |
2481 | if (!sec_pkcs12_decode_password(NULL((void*)0), &pwitem, algorithm, |
2482 | key->pwitem)) { |
2483 | key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2484 | key->problem = PR_TRUE1; |
2485 | return SECFailure; |
2486 | } |
2487 | } |
2488 | |
2489 | rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot, |
2490 | key->safeBagContent.pkcs8ShroudedKeyBag, |
2491 | &pwitem, nickName, publicValue, |
2492 | PR_TRUE1, PR_TRUE1, keyType, keyUsage, |
2493 | wincx); |
2494 | if (pwitem.data) { |
2495 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&pwitem, PR_FALSE0); |
2496 | } |
2497 | break; |
2498 | } |
2499 | default: |
2500 | key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION; |
2501 | key->problem = PR_TRUE1; |
2502 | if (nickName) { |
2503 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(nickName, PR_TRUE1); |
2504 | } |
2505 | return SECFailure; |
2506 | } |
2507 | |
2508 | if (rv != SECSuccess) { |
2509 | key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2510 | key->problem = PR_TRUE1; |
2511 | } else { |
2512 | /* try to import the public key. Failure to do so is not fatal, |
2513 | * not all tokens can store the public key */ |
2514 | if (pubKey) { |
2515 | PK11_ImportPublicKey(key->slot, pubKey, PR_TRUE1); |
2516 | } |
2517 | key->installed = PR_TRUE1; |
2518 | } |
2519 | |
2520 | return rv; |
2521 | } |
2522 | |
2523 | /* |
2524 | * The correctness of the code in this file ABSOLUTELY REQUIRES |
2525 | * that ALL BAGs share a single common arena. |
2526 | * |
2527 | * This function allocates the bag list from the arena of whatever bag |
2528 | * happens to be passed to it. Each time a new bag is handed to it, |
2529 | * it grows (resizes) the arena of the bag that was handed to it. |
2530 | * If the bags have different arenas, it will grow the wrong arena. |
2531 | * |
2532 | * Worse, if the bags had separate arenas, then while destroying the bags |
2533 | * in a bag list, when the bag whose arena contained the bag list was |
2534 | * destroyed, the baglist itself would be destroyed, making it difficult |
2535 | * or impossible to continue to destroy the bags in the destroyed list. |
2536 | */ |
2537 | static SECStatus |
2538 | sec_pkcs12_add_item_to_bag_list(sec_PKCS12SafeBag ***bagList, |
2539 | sec_PKCS12SafeBag *bag) |
2540 | { |
2541 | sec_PKCS12SafeBag **newBagList = NULL((void*)0); |
2542 | int i = 0; |
2543 | |
2544 | if (!bagList || !bag) { |
2545 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2546 | return SECFailure; |
2547 | } |
2548 | |
2549 | if (!(*bagList)) { |
2550 | newBagList = PORT_ArenaZNewArray(bag->arena, sec_PKCS12SafeBag *, 2)(sec_PKCS12SafeBag * *)PORT_ArenaZAlloc_Util(bag->arena, sizeof (sec_PKCS12SafeBag *) * (2)); |
2551 | } else { |
2552 | while ((*bagList)[i]) |
2553 | i++; |
2554 | newBagList = PORT_ArenaGrowArray(bag->arena, *bagList,(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((bag->arena), ( *bagList), (i + 1) * sizeof(sec_PKCS12SafeBag *), (i + 2) * sizeof (sec_PKCS12SafeBag *)) |
2555 | sec_PKCS12SafeBag *, i + 1, i + 2)(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((bag->arena), ( *bagList), (i + 1) * sizeof(sec_PKCS12SafeBag *), (i + 2) * sizeof (sec_PKCS12SafeBag *)); |
2556 | } |
2557 | |
2558 | if (!newBagList) { |
2559 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY); |
2560 | return SECFailure; |
2561 | } |
2562 | |
2563 | newBagList[i] = bag; |
2564 | newBagList[i + 1] = NULL((void*)0); |
2565 | *bagList = newBagList; |
2566 | |
2567 | return SECSuccess; |
2568 | } |
2569 | |
2570 | static sec_PKCS12SafeBag ** |
2571 | sec_pkcs12_find_certs_for_key(sec_PKCS12SafeBag **safeBags, |
2572 | sec_PKCS12SafeBag *key) |
2573 | { |
2574 | sec_PKCS12SafeBag **certList = NULL((void*)0); |
2575 | SECItem *keyId; |
2576 | int i; |
2577 | |
2578 | if (!safeBags || !safeBags[0]) { |
2579 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2580 | return NULL((void*)0); |
2581 | } |
2582 | |
2583 | keyId = sec_pkcs12_get_attribute_value(key, SEC_OID_PKCS9_LOCAL_KEY_ID); |
2584 | if (!keyId) { |
2585 | return NULL((void*)0); |
2586 | } |
2587 | |
2588 | for (i = 0; safeBags[i]; i++) { |
2589 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(safeBags[i]->safeBagType)) == SEC_OID_PKCS12_V1_CERT_BAG_ID) { |
2590 | SECItem *certKeyId = sec_pkcs12_get_attribute_value(safeBags[i], |
2591 | SEC_OID_PKCS9_LOCAL_KEY_ID); |
2592 | |
2593 | if (certKeyId && (SECITEM_CompareItemSECITEM_CompareItem_Util(certKeyId, keyId) == SECEqual)) { |
2594 | if (sec_pkcs12_add_item_to_bag_list(&certList, safeBags[i]) != SECSuccess) { |
2595 | /* This would leak the partial list of safeBags, |
2596 | * but that list is allocated from the arena of |
2597 | * one of the safebags, and will be destroyed when |
2598 | * that arena is destroyed. So this is not a real leak. |
2599 | */ |
2600 | return NULL((void*)0); |
2601 | } |
2602 | } |
2603 | } |
2604 | } |
2605 | |
2606 | return certList; |
2607 | } |
2608 | |
2609 | CERTCertList * |
2610 | SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx) |
2611 | { |
2612 | CERTCertList *certList = NULL((void*)0); |
2613 | sec_PKCS12SafeBag **safeBags; |
2614 | int i; |
2615 | |
2616 | if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) { |
2617 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2618 | return NULL((void*)0); |
2619 | } |
2620 | |
2621 | safeBags = p12dcx->safeBags; |
2622 | certList = CERT_NewCertList(); |
2623 | |
2624 | if (certList == NULL((void*)0)) { |
2625 | return NULL((void*)0); |
2626 | } |
2627 | |
2628 | for (i = 0; safeBags[i]; i++) { |
2629 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(safeBags[i]->safeBagType)) == SEC_OID_PKCS12_V1_CERT_BAG_ID) { |
2630 | SECItem *derCert = sec_pkcs12_get_der_cert(safeBags[i]); |
2631 | CERTCertificate *tempCert = NULL((void*)0); |
2632 | |
2633 | if (derCert == NULL((void*)0)) |
2634 | continue; |
2635 | tempCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), |
2636 | derCert, NULL((void*)0), |
2637 | PR_FALSE0, PR_TRUE1); |
2638 | |
2639 | if (tempCert) { |
2640 | CERT_AddCertToListTail(certList, tempCert); |
2641 | } |
2642 | SECITEM_FreeItemSECITEM_FreeItem_Util(derCert, PR_TRUE1); |
2643 | } |
2644 | /* fixed an infinite loop here, by ensuring that i gets incremented |
2645 | * if derCert is NULL above. |
2646 | */ |
2647 | } |
2648 | |
2649 | return certList; |
2650 | } |
2651 | static sec_PKCS12SafeBag ** |
2652 | sec_pkcs12_get_key_bags(sec_PKCS12SafeBag **safeBags) |
2653 | { |
2654 | int i; |
2655 | sec_PKCS12SafeBag **keyList = NULL((void*)0); |
2656 | SECOidTag bagType; |
2657 | |
2658 | if (!safeBags || !safeBags[0]) { |
2659 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2660 | return NULL((void*)0); |
2661 | } |
2662 | |
2663 | for (i = 0; safeBags[i]; i++) { |
2664 | bagType = SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(safeBags[i]->safeBagType)); |
2665 | switch (bagType) { |
2666 | case SEC_OID_PKCS12_V1_KEY_BAG_ID: |
2667 | case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: |
2668 | if (sec_pkcs12_add_item_to_bag_list(&keyList, safeBags[i]) != SECSuccess) { |
2669 | /* This would leak, except that keyList is allocated |
2670 | * from the arena shared by all the safeBags. |
2671 | */ |
2672 | return NULL((void*)0); |
2673 | } |
2674 | break; |
2675 | default: |
2676 | break; |
2677 | } |
2678 | } |
2679 | |
2680 | return keyList; |
2681 | } |
2682 | |
2683 | /* This function takes two passes over the bags, validating them |
2684 | * The two passes are intended to mirror exactly the two passes in |
2685 | * sec_pkcs12_install_bags. But they don't. :( |
2686 | */ |
2687 | static SECStatus |
2688 | sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags, |
2689 | SEC_PKCS12NicknameCollisionCallback nicknameCb, |
2690 | void *wincx) |
2691 | { |
2692 | sec_PKCS12SafeBag **keyList; |
2693 | int i; |
2694 | |
2695 | if (!safeBags || !nicknameCb) { |
2696 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2697 | return SECFailure; |
2698 | } |
2699 | |
2700 | if (!safeBags[0]) { |
2701 | return SECSuccess; |
2702 | } |
2703 | |
2704 | /* First pass. Find all the key bags. |
2705 | * Find the matching cert(s) for each key. |
2706 | */ |
2707 | keyList = sec_pkcs12_get_key_bags(safeBags); |
2708 | if (keyList) { |
2709 | for (i = 0; keyList[i]; ++i) { |
2710 | sec_PKCS12SafeBag *key = keyList[i]; |
2711 | sec_PKCS12SafeBag **certList = |
2712 | sec_pkcs12_find_certs_for_key(safeBags, key); |
2713 | |
2714 | if (certList) { |
2715 | int j; |
2716 | |
2717 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(key->safeBagType)) == |
2718 | SEC_OID_PKCS12_V1_KEY_BAG_ID) { |
2719 | /* if it is an unencrypted private key then make sure |
2720 | * the attributes are propageted to the appropriate |
2721 | * level |
2722 | */ |
2723 | if (sec_pkcs12_get_key_info(key) != SECSuccess) { |
2724 | return SECFailure; |
2725 | } |
2726 | } |
2727 | |
2728 | sec_pkcs12_validate_key_by_cert(certList[0], key, wincx); |
2729 | for (j = 0; certList[j]; ++j) { |
2730 | sec_PKCS12SafeBag *cert = certList[j]; |
2731 | cert->hasKey = PR_TRUE1; |
2732 | if (key->problem) { |
2733 | cert->problem = PR_TRUE1; |
2734 | cert->error = key->error; |
2735 | continue; |
2736 | } |
2737 | sec_pkcs12_validate_cert(cert, key, nicknameCb); |
2738 | if (cert->problem) { |
2739 | key->problem = cert->problem; |
2740 | key->error = cert->error; |
2741 | } |
2742 | } |
2743 | } |
2744 | } |
2745 | } |
2746 | |
2747 | /* Now take a second pass over the safebags and mark for installation any |
2748 | * certs that were neither installed nor disqualified by the first pass. |
2749 | */ |
2750 | for (i = 0; safeBags[i]; ++i) { |
2751 | sec_PKCS12SafeBag *bag = safeBags[i]; |
2752 | |
2753 | if (!bag->validated) { |
2754 | SECOidTag bagType = SECOID_FindOIDTagSECOID_FindOIDTag_Util(&bag->safeBagType); |
2755 | |
2756 | switch (bagType) { |
2757 | case SEC_OID_PKCS12_V1_CERT_BAG_ID: |
2758 | sec_pkcs12_validate_cert(bag, NULL((void*)0), nicknameCb); |
2759 | break; |
2760 | case SEC_OID_PKCS12_V1_KEY_BAG_ID: |
2761 | case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: |
2762 | bag->noInstall = PR_TRUE1; |
2763 | bag->problem = PR_TRUE1; |
2764 | bag->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2765 | break; |
2766 | default: |
2767 | bag->noInstall = PR_TRUE1; |
2768 | } |
2769 | } |
2770 | } |
2771 | |
2772 | return SECSuccess; |
2773 | } |
2774 | |
2775 | SECStatus |
2776 | SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx, |
2777 | SEC_PKCS12NicknameCollisionCallback nicknameCb) |
2778 | { |
2779 | SECStatus rv; |
2780 | int i, probCnt, errorVal = 0; |
2781 | if (!p12dcx || p12dcx->error || !p12dcx->safeBags) { |
2782 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2783 | return SECFailure; |
2784 | } |
2785 | |
2786 | rv = sec_pkcs12_validate_bags(p12dcx->safeBags, nicknameCb, p12dcx->wincx); |
2787 | if (rv == SECSuccess) { |
2788 | p12dcx->bagsVerified = PR_TRUE1; |
2789 | } |
2790 | |
2791 | probCnt = 0; |
2792 | i = 0; |
2793 | while (p12dcx->safeBags[i]) { |
2794 | if (p12dcx->safeBags[i]->problem) { |
2795 | probCnt++; |
2796 | errorVal = p12dcx->safeBags[i]->error; |
2797 | } |
2798 | i++; |
2799 | } |
2800 | |
2801 | if (probCnt) { |
2802 | PORT_SetErrorPORT_SetError_Util(errorVal); |
2803 | return SECFailure; |
2804 | } |
2805 | |
2806 | return rv; |
2807 | } |
2808 | |
2809 | SECStatus |
2810 | SEC_PKCS12DecoderRenameCertNicknames(SEC_PKCS12DecoderContext *p12dcx, |
2811 | SEC_PKCS12NicknameRenameCallback nicknameCb, |
2812 | void *arg) |
2813 | { |
2814 | int i; |
2815 | sec_PKCS12SafeBag *safeBag; |
2816 | CERTCertificate *cert; |
2817 | SECStatus srv; |
2818 | |
2819 | if (!p12dcx || p12dcx->error || !p12dcx->safeBags || !nicknameCb) { |
2820 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2821 | return SECFailure; |
2822 | } |
2823 | |
2824 | for (i = 0; (safeBag = p12dcx->safeBags[i]); i++) { |
2825 | SECItem *newNickname = NULL((void*)0); |
2826 | SECItem *defaultNickname = NULL((void*)0); |
2827 | SECStatus rename_rv; |
2828 | |
2829 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(safeBag->safeBagType)) != |
2830 | SEC_OID_PKCS12_V1_CERT_BAG_ID) { |
2831 | continue; |
2832 | } |
2833 | |
2834 | cert = CERT_DecodeDERCertificate__CERT_DecodeDERCertificate( |
2835 | &safeBag->safeBagContent.certBag->value.x509Cert, |
2836 | PR_FALSE0, NULL((void*)0)); |
2837 | if (!cert) { |
2838 | return SECFailure; |
2839 | } |
2840 | |
2841 | defaultNickname = sec_pkcs12_get_nickname(safeBag); |
2842 | rename_rv = (*nicknameCb)(cert, defaultNickname, &newNickname, arg); |
2843 | |
2844 | CERT_DestroyCertificate(cert); |
2845 | |
2846 | if (defaultNickname) { |
2847 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(defaultNickname, PR_TRUE1); |
2848 | defaultNickname = NULL((void*)0); |
2849 | } |
2850 | |
2851 | if (rename_rv != SECSuccess) { |
2852 | return rename_rv; |
2853 | } |
2854 | |
2855 | if (newNickname) { |
2856 | srv = sec_pkcs12_set_nickname(safeBag, newNickname); |
2857 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(newNickname, PR_TRUE1); |
2858 | newNickname = NULL((void*)0); |
2859 | if (srv != SECSuccess) { |
2860 | return SECFailure; |
2861 | } |
2862 | } |
2863 | } |
2864 | |
2865 | return SECSuccess; |
2866 | } |
2867 | |
2868 | static SECKEYPublicKey * |
2869 | sec_pkcs12_get_public_key_and_usage(sec_PKCS12SafeBag *certBag, |
2870 | unsigned int *usage) |
2871 | { |
2872 | SECKEYPublicKey *pubKey = NULL((void*)0); |
2873 | CERTCertificate *cert = NULL((void*)0); |
2874 | |
2875 | if (!certBag || !usage) { |
2876 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2877 | return NULL((void*)0); |
2878 | } |
2879 | |
2880 | *usage = 0; |
2881 | |
2882 | cert = CERT_DecodeDERCertificate__CERT_DecodeDERCertificate( |
2883 | &certBag->safeBagContent.certBag->value.x509Cert, PR_FALSE0, NULL((void*)0)); |
2884 | if (!cert) { |
2885 | return NULL((void*)0); |
2886 | } |
2887 | |
2888 | *usage = cert->keyUsage; |
2889 | pubKey = CERT_ExtractPublicKey(cert); |
2890 | CERT_DestroyCertificate(cert); |
2891 | return pubKey; |
2892 | } |
2893 | |
2894 | static SECItem * |
2895 | sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey, |
2896 | KeyType *type) |
2897 | { |
2898 | SECItem *pubValue = NULL((void*)0); |
2899 | |
2900 | if (!type || !pubKey) { |
2901 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2902 | return NULL((void*)0); |
2903 | } |
2904 | |
2905 | *type = pubKey->keyType; |
2906 | switch (pubKey->keyType) { |
2907 | case dsaKey: |
2908 | pubValue = &pubKey->u.dsa.publicValue; |
2909 | break; |
2910 | case dhKey: |
2911 | pubValue = &pubKey->u.dh.publicValue; |
2912 | break; |
2913 | case rsaKey: |
2914 | pubValue = &pubKey->u.rsa.modulus; |
2915 | break; |
2916 | case ecKey: |
2917 | pubValue = &pubKey->u.ec.publicValue; |
2918 | break; |
2919 | default: |
2920 | pubValue = NULL((void*)0); |
2921 | } |
2922 | |
2923 | return pubValue; |
2924 | } |
2925 | |
2926 | /* This function takes two passes over the bags, installing them in the |
2927 | * desired slot. The two passes are intended to mirror exactly the |
2928 | * two passes in sec_pkcs12_validate_bags. |
2929 | */ |
2930 | static SECStatus |
2931 | sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, PRBool forceUnicode, |
2932 | void *wincx) |
2933 | { |
2934 | sec_PKCS12SafeBag **keyList; |
2935 | int i; |
2936 | int failedKeys = 0; |
2937 | |
2938 | if (!safeBags) { |
2939 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
2940 | return SECFailure; |
2941 | } |
2942 | |
2943 | if (!safeBags[0]) { |
2944 | return SECSuccess; |
2945 | } |
2946 | |
2947 | /* First pass. Find all the key bags. |
2948 | * Try to install them, and any certs associated with them. |
2949 | */ |
2950 | keyList = sec_pkcs12_get_key_bags(safeBags); |
2951 | if (keyList) { |
2952 | for (i = 0; keyList[i]; i++) { |
2953 | SECStatus rv; |
2954 | SECKEYPublicKey *pubKey = NULL((void*)0); |
2955 | SECItem *nickName = NULL((void*)0); |
2956 | sec_PKCS12SafeBag *key = keyList[i]; |
2957 | sec_PKCS12SafeBag **certList; |
2958 | unsigned int keyUsage; |
2959 | |
2960 | if (key->problem) { |
2961 | ++failedKeys; |
2962 | continue; |
2963 | } |
2964 | |
2965 | certList = sec_pkcs12_find_certs_for_key(safeBags, key); |
2966 | if (certList && certList[0]) { |
2967 | pubKey = sec_pkcs12_get_public_key_and_usage(certList[0], |
2968 | &keyUsage); |
2969 | /* use the cert's nickname, if it has one, else use the |
2970 | * key's nickname, else fail. |
2971 | */ |
2972 | nickName = sec_pkcs12_get_nickname_for_cert(certList[0], key); |
2973 | } else { |
2974 | nickName = sec_pkcs12_get_nickname(key); |
2975 | } |
2976 | if (!nickName) { |
2977 | key->error = SEC_ERROR_BAD_NICKNAME; |
2978 | key->problem = PR_TRUE1; |
2979 | rv = SECFailure; |
2980 | } else if (!pubKey) { |
2981 | key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; |
2982 | key->problem = PR_TRUE1; |
2983 | rv = SECFailure; |
2984 | } else { |
2985 | rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, |
2986 | forceUnicode, wincx); |
2987 | } |
2988 | if (pubKey) { |
2989 | SECKEY_DestroyPublicKey(pubKey); |
2990 | pubKey = NULL((void*)0); |
2991 | } |
2992 | if (nickName) { |
2993 | SECITEM_FreeItemSECITEM_FreeItem_Util(nickName, PR_TRUE1); |
2994 | nickName = NULL((void*)0); |
2995 | } |
2996 | if (rv != SECSuccess) { |
2997 | PORT_SetErrorPORT_SetError_Util(key->error); |
2998 | ++failedKeys; |
2999 | } |
3000 | |
3001 | if (certList) { |
3002 | int j; |
3003 | |
3004 | for (j = 0; certList[j]; j++) { |
3005 | sec_PKCS12SafeBag *cert = certList[j]; |
3006 | SECStatus certRv; |
3007 | |
3008 | if (!cert) |
3009 | continue; |
3010 | if (rv != SECSuccess) { |
3011 | cert->problem = key->problem; |
3012 | cert->error = key->error; |
3013 | cert->noInstall = PR_TRUE1; |
3014 | continue; |
3015 | } |
3016 | |
3017 | certRv = sec_pkcs12_add_cert(cert, cert->hasKey, wincx); |
3018 | if (certRv != SECSuccess) { |
3019 | key->problem = cert->problem; |
3020 | key->error = cert->error; |
3021 | PORT_SetErrorPORT_SetError_Util(cert->error); |
3022 | return SECFailure; |
3023 | } |
3024 | } |
3025 | } |
3026 | } |
3027 | } |
3028 | if (failedKeys) |
3029 | return SECFailure; |
3030 | |
3031 | /* Now take a second pass over the safebags and install any certs |
3032 | * that were neither installed nor disqualified by the first pass. |
3033 | */ |
3034 | for (i = 0; safeBags[i]; i++) { |
3035 | sec_PKCS12SafeBag *bag = safeBags[i]; |
3036 | |
3037 | if (!bag->installed && !bag->problem && !bag->noInstall) { |
3038 | SECStatus rv; |
3039 | SECOidTag bagType = SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(bag->safeBagType)); |
3040 | |
3041 | switch (bagType) { |
3042 | case SEC_OID_PKCS12_V1_CERT_BAG_ID: |
3043 | rv = sec_pkcs12_add_cert(bag, bag->hasKey, wincx); |
3044 | if (rv != SECSuccess) { |
3045 | PORT_SetErrorPORT_SetError_Util(bag->error); |
3046 | return SECFailure; |
3047 | } |
3048 | break; |
3049 | case SEC_OID_PKCS12_V1_KEY_BAG_ID: |
3050 | case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: |
3051 | default: |
3052 | break; |
3053 | } |
3054 | } |
3055 | } |
3056 | |
3057 | return SECSuccess; |
3058 | } |
3059 | |
3060 | SECStatus |
3061 | SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx) |
3062 | { |
3063 | PRBool forceUnicode = PR_FALSE0; |
3064 | SECStatus rv; |
3065 | |
3066 | if (!p12dcx || p12dcx->error) { |
3067 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3068 | return SECFailure; |
3069 | } |
3070 | |
3071 | if (!p12dcx->bagsVerified) { |
3072 | return SECFailure; |
3073 | } |
3074 | |
3075 | /* We need to check the option here as well as in |
3076 | * SEC_PKCS12DecoderStart, because different PBE's could be used |
3077 | * for PKCS #7 and PKCS #8 */ |
3078 | rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE0x00c, &forceUnicode); |
3079 | if (rv != SECSuccess) { |
3080 | return SECFailure; |
3081 | } |
3082 | |
3083 | return sec_pkcs12_install_bags(p12dcx->safeBags, forceUnicode, |
3084 | p12dcx->wincx); |
3085 | } |
3086 | |
3087 | PRBool |
3088 | sec_pkcs12_bagHasKey(SEC_PKCS12DecoderContext *p12dcx, sec_PKCS12SafeBag *bag) |
3089 | { |
3090 | int i; |
3091 | SECItem *keyId; |
3092 | SECItem *certKeyId; |
3093 | |
3094 | certKeyId = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_LOCAL_KEY_ID); |
3095 | if (certKeyId == NULL((void*)0)) { |
3096 | return PR_FALSE0; |
3097 | } |
3098 | |
3099 | for (i = 0; p12dcx->keyList && p12dcx->keyList[i]; i++) { |
3100 | keyId = sec_pkcs12_get_attribute_value(p12dcx->keyList[i], |
3101 | SEC_OID_PKCS9_LOCAL_KEY_ID); |
3102 | if (!keyId) { |
3103 | continue; |
3104 | } |
3105 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(certKeyId, keyId) == SECEqual) { |
3106 | return PR_TRUE1; |
3107 | } |
3108 | } |
3109 | return PR_FALSE0; |
3110 | } |
3111 | |
3112 | SECItem * |
3113 | sec_pkcs12_get_friendlyName(sec_PKCS12SafeBag *bag) |
3114 | { |
3115 | SECItem *friendlyName; |
3116 | SECItem *tempnm; |
3117 | |
3118 | tempnm = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME); |
3119 | friendlyName = (SECItem *)PORT_ZAllocPORT_ZAlloc_Util(sizeof(SECItem)); |
3120 | if (friendlyName) { |
3121 | if (!sec_pkcs12_convert_item_to_unicode(NULL((void*)0), friendlyName, |
3122 | tempnm, PR_TRUE1, PR_FALSE0, PR_FALSE0)) { |
3123 | SECITEM_FreeItemSECITEM_FreeItem_Util(friendlyName, PR_TRUE1); |
3124 | friendlyName = NULL((void*)0); |
3125 | } |
3126 | } |
3127 | return friendlyName; |
3128 | } |
3129 | |
3130 | /* Following two functions provide access to selected portions of the safe bags. |
3131 | * Iteration is implemented per decoder context and may be accessed after |
3132 | * SEC_PKCS12DecoderVerify() returns success. |
3133 | * When ...DecoderIterateNext() returns SUCCESS a decoder item has been returned |
3134 | * where item.type is always set; item.friendlyName is set if it is non-null; |
3135 | * item.der, item.hasKey are set only for SEC_OID_PKCS12_V1_CERT_BAG_ID items. |
3136 | * ...DecoderIterateNext() returns FAILURE when the list is exhausted or when |
3137 | * arguments are invalid; PORT_GetError() is 0 at end-of-list. |
3138 | * Caller has read-only access to decoder items. Any SECItems generated are |
3139 | * owned by the decoder context and are freed by ...DecoderFinish(). |
3140 | */ |
3141 | SECStatus |
3142 | SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx) |
3143 | { |
3144 | if (!p12dcx || p12dcx->error) { |
3145 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3146 | return SECFailure; |
3147 | } |
3148 | |
3149 | p12dcx->iteration = 0; |
3150 | return SECSuccess; |
3151 | } |
3152 | |
3153 | SECStatus |
3154 | SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx, |
3155 | const SEC_PKCS12DecoderItem **ipp) |
3156 | { |
3157 | sec_PKCS12SafeBag *bag; |
3158 | |
3159 | if (!p12dcx || p12dcx->error) { |
3160 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3161 | return SECFailure; |
3162 | } |
3163 | |
3164 | if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL((void*)0)) { |
3165 | SECITEM_FreeItemSECITEM_FreeItem_Util(p12dcx->decitem.der, PR_TRUE1); |
3166 | } |
3167 | if (p12dcx->decitem.shroudAlg != NULL((void*)0)) { |
3168 | SECOID_DestroyAlgorithmIDSECOID_DestroyAlgorithmID_Util(p12dcx->decitem.shroudAlg, PR_TRUE1); |
3169 | } |
3170 | if (p12dcx->decitem.friendlyName != NULL((void*)0)) { |
3171 | SECITEM_FreeItemSECITEM_FreeItem_Util(p12dcx->decitem.friendlyName, PR_TRUE1); |
3172 | } |
3173 | p12dcx->decitem.type = 0; |
3174 | p12dcx->decitem.der = NULL((void*)0); |
3175 | p12dcx->decitem.shroudAlg = NULL((void*)0); |
3176 | p12dcx->decitem.friendlyName = NULL((void*)0); |
3177 | p12dcx->decitem.hasKey = PR_FALSE0; |
3178 | *ipp = NULL((void*)0); |
3179 | if (p12dcx->keyList == NULL((void*)0)) { |
3180 | p12dcx->keyList = sec_pkcs12_get_key_bags(p12dcx->safeBags); |
3181 | } |
3182 | |
3183 | for (; p12dcx->iteration < p12dcx->safeBagCount; p12dcx->iteration++) { |
3184 | bag = p12dcx->safeBags[p12dcx->iteration]; |
3185 | if (bag == NULL((void*)0) || bag->problem) { |
3186 | continue; |
3187 | } |
3188 | p12dcx->decitem.type = SECOID_FindOIDTagSECOID_FindOIDTag_Util(&(bag->safeBagType)); |
3189 | switch (p12dcx->decitem.type) { |
3190 | case SEC_OID_PKCS12_V1_CERT_BAG_ID: |
3191 | p12dcx->decitem.der = sec_pkcs12_get_der_cert(bag); |
3192 | p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag); |
3193 | p12dcx->decitem.hasKey = sec_pkcs12_bagHasKey(p12dcx, bag); |
3194 | break; |
3195 | case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: |
3196 | p12dcx->decitem.shroudAlg = PORT_ZNew(SECAlgorithmID)(SECAlgorithmID *)PORT_ZAlloc_Util(sizeof(SECAlgorithmID)); |
3197 | if (p12dcx->decitem.shroudAlg) { |
3198 | SECOID_CopyAlgorithmIDSECOID_CopyAlgorithmID_Util(NULL((void*)0), p12dcx->decitem.shroudAlg, |
3199 | &bag->safeBagContent.pkcs8ShroudedKeyBag->algorithm); |
3200 | } |
3201 | /* fall through */ |
3202 | case SEC_OID_PKCS12_V1_KEY_BAG_ID: |
3203 | p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag); |
3204 | break; |
3205 | default: |
3206 | /* return these even though we don't expect them */ |
3207 | break; |
3208 | case SEC_OID_UNKNOWN: |
3209 | /* ignore these */ |
3210 | continue; |
3211 | } |
3212 | *ipp = &p12dcx->decitem; |
3213 | p12dcx->iteration++; |
3214 | break; /* end for() */ |
3215 | } |
3216 | |
3217 | PORT_SetErrorPORT_SetError_Util(0); /* end-of-list is SECFailure with no PORT error */ |
3218 | return ((p12dcx->decitem.type == 0) ? SECFailure : SECSuccess); |
3219 | } |
3220 | |
3221 | static SECStatus |
3222 | sec_pkcs12_decoder_append_bag_to_context(SEC_PKCS12DecoderContext *p12dcx, |
3223 | sec_PKCS12SafeBag *bag) |
3224 | { |
3225 | if (!p12dcx || p12dcx->error) { |
3226 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3227 | return SECFailure; |
3228 | } |
3229 | |
3230 | p12dcx->safeBags = !p12dcx->safeBagCount |
3231 | ? PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeBag *, 2)(sec_PKCS12SafeBag * *)PORT_ArenaZAlloc_Util(p12dcx->arena , sizeof(sec_PKCS12SafeBag *) * (2)) |
3232 | : PORT_ArenaGrowArray(p12dcx->arena, p12dcx->safeBags,(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((p12dcx->arena) , (p12dcx->safeBags), (p12dcx->safeBagCount + 1) * sizeof (sec_PKCS12SafeBag *), (p12dcx->safeBagCount + 2) * sizeof (sec_PKCS12SafeBag *)) |
3233 | sec_PKCS12SafeBag *, p12dcx->safeBagCount + 1,(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((p12dcx->arena) , (p12dcx->safeBags), (p12dcx->safeBagCount + 1) * sizeof (sec_PKCS12SafeBag *), (p12dcx->safeBagCount + 2) * sizeof (sec_PKCS12SafeBag *)) |
3234 | p12dcx->safeBagCount + 2)(sec_PKCS12SafeBag * *)PORT_ArenaGrow_Util((p12dcx->arena) , (p12dcx->safeBags), (p12dcx->safeBagCount + 1) * sizeof (sec_PKCS12SafeBag *), (p12dcx->safeBagCount + 2) * sizeof (sec_PKCS12SafeBag *)); |
3235 | |
3236 | if (!p12dcx->safeBags) { |
3237 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY); |
3238 | return SECFailure; |
3239 | } |
3240 | |
3241 | p12dcx->safeBags[p12dcx->safeBagCount] = bag; |
3242 | p12dcx->safeBags[p12dcx->safeBagCount + 1] = NULL((void*)0); |
3243 | p12dcx->safeBagCount++; |
3244 | |
3245 | return SECSuccess; |
3246 | } |
3247 | |
3248 | static sec_PKCS12SafeBag * |
3249 | sec_pkcs12_decoder_convert_old_key(SEC_PKCS12DecoderContext *p12dcx, |
3250 | void *key, PRBool isEspvk) |
3251 | { |
3252 | sec_PKCS12SafeBag *keyBag; |
3253 | SECOidData *oid; |
3254 | SECOidTag keyTag; |
3255 | SECItem *keyID, *nickName, *newNickName; |
3256 | |
3257 | if (!p12dcx || p12dcx->error || !key) { |
3258 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3259 | return NULL((void*)0); |
3260 | } |
3261 | |
3262 | newNickName = PORT_ArenaZNew(p12dcx->arena, SECItem)(SECItem *)PORT_ArenaZAlloc_Util(p12dcx->arena, sizeof(SECItem )); |
3263 | keyBag = PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeBag)(sec_PKCS12SafeBag *)PORT_ArenaZAlloc_Util(p12dcx->arena, sizeof (sec_PKCS12SafeBag)); |
3264 | if (!keyBag || !newNickName) { |
3265 | return NULL((void*)0); |
3266 | } |
3267 | |
3268 | keyBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes; |
3269 | keyBag->slot = p12dcx->slot; |
3270 | keyBag->arena = p12dcx->arena; |
3271 | keyBag->pwitem = p12dcx->pwitem; |
3272 | keyBag->tokenCAs = p12dcx->tokenCAs; |
3273 | keyBag->oldBagType = PR_TRUE1; |
3274 | |
3275 | keyTag = (isEspvk) ? SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID : SEC_OID_PKCS12_V1_KEY_BAG_ID; |
3276 | oid = SECOID_FindOIDByTagSECOID_FindOIDByTag_Util(keyTag); |
3277 | if (!oid) { |
3278 | return NULL((void*)0); |
3279 | } |
3280 | |
3281 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(p12dcx->arena, &keyBag->safeBagType, &oid->oid) != SECSuccess) { |
3282 | return NULL((void*)0); |
3283 | } |
3284 | |
3285 | if (isEspvk) { |
3286 | SEC_PKCS12ESPVKItem *espvk = (SEC_PKCS12ESPVKItem *)key; |
3287 | keyBag->safeBagContent.pkcs8ShroudedKeyBag = |
3288 | espvk->espvkCipherText.pkcs8KeyShroud; |
3289 | nickName = &(espvk->espvkData.uniNickName); |
3290 | if (!espvk->espvkData.assocCerts || !espvk->espvkData.assocCerts[0]) { |
3291 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE); |
3292 | return NULL((void*)0); |
3293 | } |
3294 | keyID = &espvk->espvkData.assocCerts[0]->digest; |
3295 | } else { |
3296 | SEC_PKCS12PrivateKey *pk = (SEC_PKCS12PrivateKey *)key; |
3297 | keyBag->safeBagContent.pkcs8KeyBag = &pk->pkcs8data; |
3298 | nickName = &(pk->pvkData.uniNickName); |
3299 | if (!pk->pvkData.assocCerts || !pk->pvkData.assocCerts[0]) { |
3300 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE); |
3301 | return NULL((void*)0); |
3302 | } |
3303 | keyID = &pk->pvkData.assocCerts[0]->digest; |
3304 | } |
3305 | |
3306 | if (nickName->len) { |
3307 | if (nickName->len >= 2) { |
3308 | if (nickName->data[0] && nickName->data[1]) { |
3309 | if (!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, |
3310 | nickName, PR_FALSE0, PR_FALSE0, PR_TRUE1)) { |
3311 | return NULL((void*)0); |
3312 | } |
3313 | nickName = newNickName; |
3314 | } else if (nickName->data[0] && !nickName->data[1]) { |
3315 | unsigned int j = 0; |
3316 | unsigned char t; |
3317 | for (j = 0; j < nickName->len; j += 2) { |
3318 | t = nickName->data[j + 1]; |
3319 | nickName->data[j + 1] = nickName->data[j]; |
3320 | nickName->data[j] = t; |
3321 | } |
3322 | } |
3323 | } else { |
3324 | if (!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, |
3325 | nickName, PR_FALSE0, PR_FALSE0, PR_TRUE1)) { |
3326 | return NULL((void*)0); |
3327 | } |
3328 | nickName = newNickName; |
3329 | } |
3330 | } |
3331 | |
3332 | if (sec_pkcs12_decoder_set_attribute_value(keyBag, |
3333 | SEC_OID_PKCS9_FRIENDLY_NAME, |
3334 | nickName) != SECSuccess) { |
3335 | return NULL((void*)0); |
3336 | } |
3337 | |
3338 | if (sec_pkcs12_decoder_set_attribute_value(keyBag, SEC_OID_PKCS9_LOCAL_KEY_ID, |
3339 | keyID) != SECSuccess) { |
3340 | return NULL((void*)0); |
3341 | } |
3342 | |
3343 | return keyBag; |
3344 | } |
3345 | |
3346 | static sec_PKCS12SafeBag * |
3347 | sec_pkcs12_decoder_create_cert(SEC_PKCS12DecoderContext *p12dcx, |
3348 | SECItem *derCert) |
3349 | { |
3350 | sec_PKCS12SafeBag *certBag; |
3351 | SECOidData *oid; |
3352 | SGNDigestInfo *digest; |
3353 | SECItem *keyId; |
3354 | SECStatus rv; |
3355 | |
3356 | if (!p12dcx || p12dcx->error || !derCert) { |
3357 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3358 | return NULL((void*)0); |
3359 | } |
3360 | |
3361 | keyId = PORT_ArenaZNew(p12dcx->arena, SECItem)(SECItem *)PORT_ArenaZAlloc_Util(p12dcx->arena, sizeof(SECItem )); |
3362 | if (!keyId) { |
3363 | return NULL((void*)0); |
3364 | } |
3365 | |
3366 | digest = sec_pkcs12_compute_thumbprint(derCert); |
3367 | if (!digest) { |
3368 | return NULL((void*)0); |
3369 | } |
3370 | |
3371 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(p12dcx->arena, keyId, &digest->digest); |
3372 | SGN_DestroyDigestInfoSGN_DestroyDigestInfo_Util(digest); |
3373 | if (rv != SECSuccess) { |
3374 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY); |
3375 | return NULL((void*)0); |
3376 | } |
3377 | |
3378 | oid = SECOID_FindOIDByTagSECOID_FindOIDByTag_Util(SEC_OID_PKCS12_V1_CERT_BAG_ID); |
3379 | certBag = PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeBag)(sec_PKCS12SafeBag *)PORT_ArenaZAlloc_Util(p12dcx->arena, sizeof (sec_PKCS12SafeBag)); |
3380 | if (!certBag || !oid || (SECITEM_CopyItemSECITEM_CopyItem_Util(p12dcx->arena, &certBag->safeBagType, &oid->oid) != SECSuccess)) { |
3381 | return NULL((void*)0); |
3382 | } |
3383 | |
3384 | certBag->slot = p12dcx->slot; |
3385 | certBag->pwitem = p12dcx->pwitem; |
3386 | certBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes; |
3387 | certBag->arena = p12dcx->arena; |
3388 | certBag->tokenCAs = p12dcx->tokenCAs; |
3389 | |
3390 | oid = SECOID_FindOIDByTagSECOID_FindOIDByTag_Util(SEC_OID_PKCS9_X509_CERT); |
3391 | certBag->safeBagContent.certBag = |
3392 | PORT_ArenaZNew(p12dcx->arena, sec_PKCS12CertBag)(sec_PKCS12CertBag *)PORT_ArenaZAlloc_Util(p12dcx->arena, sizeof (sec_PKCS12CertBag)); |
3393 | if (!certBag->safeBagContent.certBag || !oid || |
3394 | (SECITEM_CopyItemSECITEM_CopyItem_Util(p12dcx->arena, |
3395 | &certBag->safeBagContent.certBag->bagID, |
3396 | &oid->oid) != SECSuccess)) { |
3397 | return NULL((void*)0); |
3398 | } |
3399 | |
3400 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(p12dcx->arena, |
3401 | &(certBag->safeBagContent.certBag->value.x509Cert), |
3402 | derCert) != SECSuccess) { |
3403 | return NULL((void*)0); |
3404 | } |
3405 | |
3406 | if (sec_pkcs12_decoder_set_attribute_value(certBag, SEC_OID_PKCS9_LOCAL_KEY_ID, |
3407 | keyId) != SECSuccess) { |
3408 | return NULL((void*)0); |
3409 | } |
3410 | |
3411 | return certBag; |
3412 | } |
3413 | |
3414 | static sec_PKCS12SafeBag ** |
3415 | sec_pkcs12_decoder_convert_old_cert(SEC_PKCS12DecoderContext *p12dcx, |
3416 | SEC_PKCS12CertAndCRL *oldCert) |
3417 | { |
3418 | sec_PKCS12SafeBag **certList; |
3419 | SECItem **derCertList; |
3420 | int i, j; |
3421 | |
3422 | if (!p12dcx || p12dcx->error || !oldCert) { |
3423 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3424 | return NULL((void*)0); |
3425 | } |
3426 | |
3427 | derCertList = SEC_PKCS7GetCertificateList(&oldCert->value.x509->certOrCRL); |
3428 | if (!derCertList) { |
3429 | return NULL((void*)0); |
3430 | } |
3431 | |
3432 | i = 0; |
3433 | while (derCertList[i]) |
3434 | i++; |
3435 | |
3436 | certList = PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeBag *, (i + 1))(sec_PKCS12SafeBag * *)PORT_ArenaZAlloc_Util(p12dcx->arena , sizeof(sec_PKCS12SafeBag *) * ((i + 1))); |
3437 | if (!certList) { |
3438 | return NULL((void*)0); |
3439 | } |
3440 | |
3441 | for (j = 0; j < i; j++) { |
3442 | certList[j] = sec_pkcs12_decoder_create_cert(p12dcx, derCertList[j]); |
3443 | if (!certList[j]) { |
3444 | return NULL((void*)0); |
3445 | } |
3446 | } |
3447 | |
3448 | return certList; |
3449 | } |
3450 | |
3451 | static SECStatus |
3452 | sec_pkcs12_decoder_convert_old_key_and_certs(SEC_PKCS12DecoderContext *p12dcx, |
3453 | void *oldKey, PRBool isEspvk, |
3454 | SEC_PKCS12SafeContents *safe, |
3455 | SEC_PKCS12Baggage *baggage) |
3456 | { |
3457 | sec_PKCS12SafeBag *key, **certList; |
3458 | SEC_PKCS12CertAndCRL *oldCert; |
3459 | SEC_PKCS12PVKSupportingData *pvkData; |
3460 | int i; |
3461 | SECItem *keyName; |
3462 | |
3463 | if (!p12dcx || !oldKey) { |
3464 | return SECFailure; |
3465 | } |
3466 | |
3467 | if (isEspvk) { |
3468 | pvkData = &((SEC_PKCS12ESPVKItem *)(oldKey))->espvkData; |
3469 | } else { |
3470 | pvkData = &((SEC_PKCS12PrivateKey *)(oldKey))->pvkData; |
3471 | } |
3472 | |
3473 | if (!pvkData->assocCerts || !pvkData->assocCerts[0]) { |
3474 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE); |
3475 | return SECFailure; |
3476 | } |
3477 | |
3478 | oldCert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage, |
3479 | SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, NULL((void*)0), |
3480 | pvkData->assocCerts[0]); |
3481 | if (!oldCert) { |
3482 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE); |
3483 | return SECFailure; |
3484 | } |
3485 | |
3486 | key = sec_pkcs12_decoder_convert_old_key(p12dcx, oldKey, isEspvk); |
3487 | certList = sec_pkcs12_decoder_convert_old_cert(p12dcx, oldCert); |
3488 | if (!key || !certList) { |
3489 | return SECFailure; |
3490 | } |
3491 | |
3492 | if (sec_pkcs12_decoder_append_bag_to_context(p12dcx, key) != SECSuccess) { |
3493 | return SECFailure; |
3494 | } |
3495 | |
3496 | keyName = sec_pkcs12_get_nickname(key); |
3497 | if (!keyName) { |
3498 | return SECFailure; |
3499 | } |
3500 | |
3501 | i = 0; |
3502 | while (certList[i]) { |
3503 | if (sec_pkcs12_decoder_append_bag_to_context(p12dcx, certList[i]) != SECSuccess) { |
3504 | return SECFailure; |
3505 | } |
3506 | i++; |
3507 | } |
3508 | |
3509 | certList = sec_pkcs12_find_certs_for_key(p12dcx->safeBags, key); |
3510 | if (!certList) { |
3511 | return SECFailure; |
3512 | } |
3513 | |
3514 | i = 0; |
3515 | while (certList[i] != 0) { |
3516 | if (sec_pkcs12_set_nickname(certList[i], keyName) != SECSuccess) { |
3517 | return SECFailure; |
3518 | } |
3519 | i++; |
3520 | } |
3521 | |
3522 | return SECSuccess; |
3523 | } |
3524 | |
3525 | static SECStatus |
3526 | sec_pkcs12_decoder_convert_old_safe_to_bags(SEC_PKCS12DecoderContext *p12dcx, |
3527 | SEC_PKCS12SafeContents *safe, |
3528 | SEC_PKCS12Baggage *baggage) |
3529 | { |
3530 | SECStatus rv; |
3531 | |
3532 | if (!p12dcx || p12dcx->error) { |
3533 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3534 | return SECFailure; |
3535 | } |
3536 | |
3537 | if (safe && safe->contents) { |
3538 | int i = 0; |
3539 | while (safe->contents[i] != NULL((void*)0)) { |
3540 | if (SECOID_FindOIDTagSECOID_FindOIDTag_Util(&safe->contents[i]->safeBagType) == SEC_OID_PKCS12_KEY_BAG_ID) { |
3541 | int j = 0; |
3542 | SEC_PKCS12PrivateKeyBag *privBag = |
3543 | safe->contents[i]->safeContent.keyBag; |
3544 | |
3545 | while (privBag->privateKeys[j] != NULL((void*)0)) { |
3546 | SEC_PKCS12PrivateKey *pk = privBag->privateKeys[j]; |
3547 | rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, pk, |
3548 | PR_FALSE0, safe, baggage); |
3549 | if (rv != SECSuccess) { |
3550 | goto loser; |
3551 | } |
3552 | j++; |
3553 | } |
3554 | } |
3555 | i++; |
3556 | } |
3557 | } |
3558 | |
3559 | if (baggage && baggage->bags) { |
3560 | int i = 0; |
3561 | while (baggage->bags[i] != NULL((void*)0)) { |
3562 | SEC_PKCS12BaggageItem *bag = baggage->bags[i]; |
3563 | int j = 0; |
3564 | |
3565 | if (!bag->espvks) { |
3566 | i++; |
3567 | continue; |
3568 | } |
3569 | |
3570 | while (bag->espvks[j] != NULL((void*)0)) { |
3571 | SEC_PKCS12ESPVKItem *espvk = bag->espvks[j]; |
3572 | rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, espvk, |
3573 | PR_TRUE1, safe, baggage); |
3574 | if (rv != SECSuccess) { |
3575 | goto loser; |
3576 | } |
3577 | j++; |
3578 | } |
3579 | i++; |
3580 | } |
3581 | } |
3582 | |
3583 | return SECSuccess; |
3584 | |
3585 | loser: |
3586 | return SECFailure; |
3587 | } |
3588 | |
3589 | SEC_PKCS12DecoderContext * |
3590 | sec_PKCS12ConvertOldSafeToNew(PLArenaPool *arena, PK11SlotInfo *slot, |
3591 | PRBool swapUnicode, SECItem *pwitem, |
3592 | void *wincx, SEC_PKCS12SafeContents *safe, |
3593 | SEC_PKCS12Baggage *baggage) |
3594 | { |
3595 | SEC_PKCS12DecoderContext *p12dcx; |
3596 | |
3597 | if (!arena || !slot || !pwitem) { |
3598 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3599 | return NULL((void*)0); |
3600 | } |
3601 | |
3602 | if (!safe && !baggage) { |
3603 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3604 | return NULL((void*)0); |
3605 | } |
3606 | |
3607 | p12dcx = PORT_ArenaZNew(arena, SEC_PKCS12DecoderContext)(SEC_PKCS12DecoderContext *)PORT_ArenaZAlloc_Util(arena, sizeof (SEC_PKCS12DecoderContext)); |
3608 | if (!p12dcx) { |
3609 | return NULL((void*)0); |
3610 | } |
3611 | |
3612 | p12dcx->arena = arena; |
3613 | p12dcx->slot = PK11_ReferenceSlot(slot); |
3614 | p12dcx->wincx = wincx; |
3615 | p12dcx->error = PR_FALSE0; |
3616 | p12dcx->swapUnicodeBytes = swapUnicode; |
3617 | p12dcx->pwitem = pwitem; |
3618 | p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs; |
3619 | |
3620 | if (sec_pkcs12_decoder_convert_old_safe_to_bags(p12dcx, safe, baggage) != SECSuccess) { |
3621 | p12dcx->error = PR_TRUE1; |
3622 | return NULL((void*)0); |
3623 | } |
3624 | |
3625 | return p12dcx; |
3626 | } |