p12.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486
  1. /*
  2. * Copyright (c) 2007, Cameron Rich
  3. *
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions are met:
  8. *
  9. * * Redistributions of source code must retain the above copyright notice,
  10. * this list of conditions and the following disclaimer.
  11. * * Redistributions in binary form must reproduce the above copyright notice,
  12. * this list of conditions and the following disclaimer in the documentation
  13. * and/or other materials provided with the distribution.
  14. * * Neither the name of the axTLS project nor the names of its contributors
  15. * may be used to endorse or promote products derived from this software
  16. * without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  22. * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  23. * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  24. * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  25. * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  26. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  27. * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  28. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. */
  30. /**
  31. * Process PKCS#8/PKCS#12 keys.
  32. *
  33. * The decoding of a PKCS#12 key is fairly specific - this code was tested on a
  34. * key generated with:
  35. *
  36. * openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem
  37. * -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128
  38. * -name "p12_withoutCA" -out axTLS.withoutCA.p12 -password pass:abcd
  39. *
  40. * or with a certificate chain:
  41. *
  42. * openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem
  43. * -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe
  44. * PBE-SHA1-RC4-128 -name "p12_withCA" -out axTLS.withCA.p12 -password pass:abcd
  45. *
  46. * Note that the PBE has to be specified with PBE-SHA1-RC4-128. The
  47. * private/public keys/certs have to use RSA encryption. Both the integrity
  48. * and privacy passwords are the same.
  49. *
  50. * The PKCS#8 files were generated with something like:
  51. *
  52. * PEM format:
  53. * openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -v1
  54. * PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8
  55. *
  56. * DER format:
  57. * openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -outform DER
  58. * -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8
  59. */
  60. #include <stdlib.h>
  61. #include <string.h>
  62. #include <stdio.h>
  63. #include "ssl.h"
  64. /* all commented out if not used */
  65. #ifdef CONFIG_SSL_USE_PKCS12
  66. #define BLOCK_SIZE 64
  67. #define PKCS12_KEY_ID 1
  68. #define PKCS12_IV_ID 2
  69. #define PKCS12_MAC_ID 3
  70. static char *make_uni_pass(const char *password, int *uni_pass_len);
  71. static int p8_decrypt(const char *uni_pass, int uni_pass_len,
  72. const uint8_t *salt, int iter,
  73. uint8_t *priv_key, int priv_key_len, int id);
  74. static int p8_add_key(SSL_CTX *ssl_ctx, uint8_t *priv_key);
  75. static int get_pbe_params(uint8_t *buf, int *offset,
  76. const uint8_t **salt, int *iterations);
  77. /*
  78. * Take a raw pkcs8 block and then decrypt it and turn it into a normal key.
  79. */
  80. int pkcs8_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
  81. {
  82. uint8_t *buf = ssl_obj->buf;
  83. int len, offset = 0;
  84. int iterations;
  85. int ret = SSL_NOT_OK;
  86. uint8_t *version = NULL;
  87. const uint8_t *salt;
  88. uint8_t *priv_key;
  89. int uni_pass_len;
  90. char *uni_pass = make_uni_pass(password, &uni_pass_len);
  91. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0)
  92. {
  93. #ifdef CONFIG_SSL_FULL_MODE
  94. printf("Error: Invalid p8 ASN.1 file\n");
  95. #endif
  96. goto error;
  97. }
  98. /* unencrypted key? */
  99. if (asn1_get_int(buf, &offset, &version) > 0 && *version == 0)
  100. {
  101. ret = p8_add_key(ssl_ctx, buf);
  102. goto error;
  103. }
  104. if (get_pbe_params(buf, &offset, &salt, &iterations) < 0)
  105. goto error;
  106. if ((len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0)
  107. goto error;
  108. priv_key = &buf[offset];
  109. p8_decrypt(uni_pass, uni_pass_len, salt,
  110. iterations, priv_key, len, PKCS12_KEY_ID);
  111. ret = p8_add_key(ssl_ctx, priv_key);
  112. error:
  113. free(version);
  114. free(uni_pass);
  115. return ret;
  116. }
  117. /*
  118. * Take the unencrypted pkcs8 and turn it into a private key
  119. */
  120. static int p8_add_key(SSL_CTX *ssl_ctx, uint8_t *priv_key)
  121. {
  122. uint8_t *buf = priv_key;
  123. int len, offset = 0;
  124. int ret = SSL_NOT_OK;
  125. /* Skip the preamble and go straight to the private key.
  126. We only support rsaEncryption (1.2.840.113549.1.1.1) */
  127. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  128. asn1_skip_obj(buf, &offset, ASN1_INTEGER) < 0 ||
  129. asn1_skip_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  130. (len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0)
  131. goto error;
  132. ret = asn1_get_private_key(&buf[offset], len, &ssl_ctx->rsa_ctx);
  133. error:
  134. return ret;
  135. }
  136. /*
  137. * Create the unicode password
  138. */
  139. static char *make_uni_pass(const char *password, int *uni_pass_len)
  140. {
  141. int pass_len = 0, i;
  142. char *uni_pass;
  143. if (password == NULL)
  144. {
  145. password = "";
  146. }
  147. uni_pass = (char *)malloc((strlen(password)+1)*2);
  148. /* modify the password into a unicode version */
  149. for (i = 0; i < (int)strlen(password); i++)
  150. {
  151. uni_pass[pass_len++] = 0;
  152. uni_pass[pass_len++] = password[i];
  153. }
  154. uni_pass[pass_len++] = 0; /* null terminate */
  155. uni_pass[pass_len++] = 0;
  156. *uni_pass_len = pass_len;
  157. return uni_pass;
  158. }
  159. /*
  160. * Decrypt a pkcs8 block.
  161. */
  162. static int p8_decrypt(const char *uni_pass, int uni_pass_len,
  163. const uint8_t *salt, int iter,
  164. uint8_t *priv_key, int priv_key_len, int id)
  165. {
  166. uint8_t p[BLOCK_SIZE*2];
  167. uint8_t d[BLOCK_SIZE];
  168. uint8_t Ai[SHA1_SIZE];
  169. SHA1_CTX sha_ctx;
  170. RC4_CTX rc4_ctx;
  171. int i;
  172. for (i = 0; i < BLOCK_SIZE; i++)
  173. {
  174. p[i] = salt[i % SALT_SIZE];
  175. p[BLOCK_SIZE+i] = uni_pass[i % uni_pass_len];
  176. d[i] = id;
  177. }
  178. /* get the key - no IV since we are using RC4 */
  179. SHA1_Init(&sha_ctx);
  180. SHA1_Update(&sha_ctx, d, sizeof(d));
  181. SHA1_Update(&sha_ctx, p, sizeof(p));
  182. SHA1_Final(Ai, &sha_ctx);
  183. for (i = 1; i < iter; i++)
  184. {
  185. SHA1_Init(&sha_ctx);
  186. SHA1_Update(&sha_ctx, Ai, SHA1_SIZE);
  187. SHA1_Final(Ai, &sha_ctx);
  188. }
  189. /* do the decryption */
  190. if (id == PKCS12_KEY_ID)
  191. {
  192. RC4_setup(&rc4_ctx, Ai, 16);
  193. RC4_crypt(&rc4_ctx, priv_key, priv_key, priv_key_len);
  194. }
  195. else /* MAC */
  196. memcpy(priv_key, Ai, SHA1_SIZE);
  197. return 0;
  198. }
  199. /*
  200. * Take a raw pkcs12 block and the decrypt it and turn it into a certificate(s)
  201. * and keys.
  202. */
  203. int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
  204. {
  205. uint8_t *buf = ssl_obj->buf;
  206. int all_ok = 0, len, iterations, auth_safes_start,
  207. auth_safes_end, auth_safes_len, key_offset, offset = 0;
  208. int all_certs = 0;
  209. uint8_t *version = NULL, *auth_safes = NULL, *cert, *orig_mac;
  210. uint8_t key[SHA1_SIZE];
  211. uint8_t mac[SHA1_SIZE];
  212. const uint8_t *salt;
  213. int uni_pass_len, ret;
  214. int error_code = SSL_ERROR_NOT_SUPPORTED;
  215. char *uni_pass = make_uni_pass(password, &uni_pass_len);
  216. static const uint8_t pkcs_data[] = /* pkc7 data */
  217. { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 };
  218. static const uint8_t pkcs_encrypted[] = /* pkc7 encrypted */
  219. { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06 };
  220. static const uint8_t pkcs8_key_bag[] = /* 1.2.840.113549.1.12.10.1.2 */
  221. { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02 };
  222. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0)
  223. {
  224. #ifdef CONFIG_SSL_FULL_MODE
  225. printf("Error: Invalid p12 ASN.1 file\n");
  226. #endif
  227. goto error;
  228. }
  229. if (asn1_get_int(buf, &offset, &version) < 0 || *version != 3)
  230. {
  231. error_code = SSL_ERROR_INVALID_VERSION;
  232. goto error;
  233. }
  234. /* remove all the boring pcks7 bits */
  235. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  236. (len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 ||
  237. len != sizeof(pkcs_data) ||
  238. memcmp(&buf[offset], pkcs_data, sizeof(pkcs_data)))
  239. goto error;
  240. offset += len;
  241. if (asn1_next_obj(buf, &offset, ASN1_EXPLICIT_TAG) < 0 ||
  242. asn1_next_obj(buf, &offset, ASN1_OCTET_STRING) < 0)
  243. goto error;
  244. /* work out the MAC start/end points (done on AuthSafes) */
  245. auth_safes_start = offset;
  246. auth_safes_end = offset;
  247. if (asn1_skip_obj(buf, &auth_safes_end, ASN1_SEQUENCE) < 0)
  248. goto error;
  249. auth_safes_len = auth_safes_end - auth_safes_start;
  250. auth_safes = malloc(auth_safes_len);
  251. memcpy(auth_safes, &buf[auth_safes_start], auth_safes_len);
  252. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  253. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  254. (len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 ||
  255. (len != sizeof(pkcs_encrypted) ||
  256. memcmp(&buf[offset], pkcs_encrypted, sizeof(pkcs_encrypted))))
  257. goto error;
  258. offset += len;
  259. if (asn1_next_obj(buf, &offset, ASN1_EXPLICIT_TAG) < 0 ||
  260. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  261. asn1_skip_obj(buf, &offset, ASN1_INTEGER) < 0 ||
  262. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  263. (len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 ||
  264. len != sizeof(pkcs_data) ||
  265. memcmp(&buf[offset], pkcs_data, sizeof(pkcs_data)))
  266. goto error;
  267. offset += len;
  268. /* work out the salt for the certificate */
  269. if (get_pbe_params(buf, &offset, &salt, &iterations) < 0 ||
  270. (len = asn1_next_obj(buf, &offset, ASN1_IMPLICIT_TAG)) < 0)
  271. goto error;
  272. /* decrypt the certificate */
  273. cert = &buf[offset];
  274. if ((ret = p8_decrypt(uni_pass, uni_pass_len, salt, iterations, cert,
  275. len, PKCS12_KEY_ID)) < 0)
  276. goto error;
  277. offset += len;
  278. /* load the certificate */
  279. key_offset = 0;
  280. all_certs = asn1_next_obj(cert, &key_offset, ASN1_SEQUENCE);
  281. /* keep going until all certs are loaded */
  282. while (key_offset < all_certs)
  283. {
  284. int cert_offset = key_offset;
  285. if (asn1_skip_obj(cert, &cert_offset, ASN1_SEQUENCE) < 0 ||
  286. asn1_next_obj(cert, &key_offset, ASN1_SEQUENCE) < 0 ||
  287. asn1_skip_obj(cert, &key_offset, ASN1_OID) < 0 ||
  288. asn1_next_obj(cert, &key_offset, ASN1_EXPLICIT_TAG) < 0 ||
  289. asn1_next_obj(cert, &key_offset, ASN1_SEQUENCE) < 0 ||
  290. asn1_skip_obj(cert, &key_offset, ASN1_OID) < 0 ||
  291. asn1_next_obj(cert, &key_offset, ASN1_EXPLICIT_TAG) < 0 ||
  292. (len = asn1_next_obj(cert, &key_offset, ASN1_OCTET_STRING)) < 0)
  293. goto error;
  294. if ((ret = add_cert(ssl_ctx, &cert[key_offset], len)) < 0)
  295. goto error;
  296. key_offset = cert_offset;
  297. }
  298. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  299. (len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 ||
  300. len != sizeof(pkcs_data) ||
  301. memcmp(&buf[offset], pkcs_data, sizeof(pkcs_data)))
  302. goto error;
  303. offset += len;
  304. if (asn1_next_obj(buf, &offset, ASN1_EXPLICIT_TAG) < 0 ||
  305. asn1_next_obj(buf, &offset, ASN1_OCTET_STRING) < 0 ||
  306. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  307. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  308. (len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 ||
  309. (len != sizeof(pkcs8_key_bag)) ||
  310. memcmp(&buf[offset], pkcs8_key_bag, sizeof(pkcs8_key_bag)))
  311. goto error;
  312. offset += len;
  313. /* work out the salt for the private key */
  314. if (asn1_next_obj(buf, &offset, ASN1_EXPLICIT_TAG) < 0 ||
  315. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  316. get_pbe_params(buf, &offset, &salt, &iterations) < 0 ||
  317. (len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0)
  318. goto error;
  319. /* decrypt the private key */
  320. cert = &buf[offset];
  321. if ((ret = p8_decrypt(uni_pass, uni_pass_len, salt, iterations, cert,
  322. len, PKCS12_KEY_ID)) < 0)
  323. goto error;
  324. offset += len;
  325. /* load the private key */
  326. if ((ret = p8_add_key(ssl_ctx, cert)) < 0)
  327. goto error;
  328. /* miss out on friendly name, local key id etc */
  329. if (asn1_skip_obj(buf, &offset, ASN1_SET) < 0)
  330. goto error;
  331. /* work out the MAC */
  332. if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  333. asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  334. asn1_skip_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
  335. (len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0 ||
  336. len != SHA1_SIZE)
  337. goto error;
  338. orig_mac = &buf[offset];
  339. offset += len;
  340. /* get the salt */
  341. if ((len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0 || len != 8)
  342. goto error;
  343. salt = &buf[offset];
  344. /* work out what the mac should be */
  345. if ((ret = p8_decrypt(uni_pass, uni_pass_len, salt, iterations,
  346. key, SHA1_SIZE, PKCS12_MAC_ID)) < 0)
  347. goto error;
  348. hmac_sha1(auth_safes, auth_safes_len, key, SHA1_SIZE, mac);
  349. if (memcmp(mac, orig_mac, SHA1_SIZE))
  350. {
  351. error_code = SSL_ERROR_INVALID_HMAC;
  352. goto error;
  353. }
  354. all_ok = 1;
  355. error:
  356. free(version);
  357. free(uni_pass);
  358. free(auth_safes);
  359. return all_ok ? SSL_OK : error_code;
  360. }
  361. /*
  362. * Retrieve the salt/iteration details from a PBE block.
  363. */
  364. static int get_pbe_params(uint8_t *buf, int *offset,
  365. const uint8_t **salt, int *iterations)
  366. {
  367. static const uint8_t pbeSH1RC4[] = /* pbeWithSHAAnd128BitRC4 */
  368. { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x01 };
  369. int i, len;
  370. uint8_t *iter = NULL;
  371. int error_code = SSL_ERROR_NOT_SUPPORTED;
  372. /* Get the PBE type */
  373. if (asn1_next_obj(buf, offset, ASN1_SEQUENCE) < 0 ||
  374. (len = asn1_next_obj(buf, offset, ASN1_OID)) < 0)
  375. goto error;
  376. /* we expect pbeWithSHAAnd128BitRC4 (1.2.840.113549.1.12.1.1)
  377. which is the only algorithm we support */
  378. if (len != sizeof(pbeSH1RC4) ||
  379. memcmp(&buf[*offset], pbeSH1RC4, sizeof(pbeSH1RC4)))
  380. {
  381. #ifdef CONFIG_SSL_FULL_MODE
  382. printf("Error: pkcs8/pkcs12 must use \"PBE-SHA1-RC4-128\"\n");
  383. #endif
  384. goto error;
  385. }
  386. *offset += len;
  387. if (asn1_next_obj(buf, offset, ASN1_SEQUENCE) < 0 ||
  388. (len = asn1_next_obj(buf, offset, ASN1_OCTET_STRING)) < 0 ||
  389. len != 8)
  390. goto error;
  391. *salt = &buf[*offset];
  392. *offset += len;
  393. if ((len = asn1_get_int(buf, offset, &iter)) < 0)
  394. goto error;
  395. *iterations = 0;
  396. for (i = 0; i < len; i++)
  397. {
  398. (*iterations) <<= 8;
  399. (*iterations) += iter[i];
  400. }
  401. free(iter);
  402. error_code = SSL_OK; /* got here - we are ok */
  403. error:
  404. return error_code;
  405. }
  406. #endif