authorNikos Mavrogiannopoulos <nmav@gnutls.org>2009-10-25 20:49:18 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2009-10-25 23:20:24 +0200
commitdc18e91405903607a7c5c8a9b185f8c286c244b6 (patch)
tree6daddc29e47dcbb07ca78f9dec63d8c8cfdcc2ff /lib
parentac0d81e93315fc3ac5595396a179b0d31189a7ef (diff)
downloadgnutls-dc18e91405903607a7c5c8a9b185f8c286c244b6.tar.gz
Added GNUTLS_BAG_SECRET that adds support for storing a randomly generated key
into a PKCS-12 structure. This is a gnutls extension, since PKCS-12 does not specify what should be in the secret bag. What we do is store the key as OCTET string and specify an OID of the PKCS-9 random nonce.
Diffstat (limited to 'lib')
-rw-r--r--lib/includes/gnutls/pkcs12.h4
-rw-r--r--lib/pkix.asn5
-rw-r--r--lib/pkix_asn1_tab.c5
-rw-r--r--lib/x509/pkcs12.c7
-rw-r--r--lib/x509/pkcs12_bag.c253
-rw-r--r--lib/x509/x509_int.h1
6 files changed, 180 insertions, 95 deletions
diff --git a/lib/includes/gnutls/pkcs12.h b/lib/includes/gnutls/pkcs12.h
index d0d94cb695..c9b250cfb4 100644
--- a/lib/includes/gnutls/pkcs12.h
+++ b/lib/includes/gnutls/pkcs12.h
@@ -68,6 +68,10 @@ extern "C"
GNUTLS_BAG_PKCS8_KEY,
GNUTLS_BAG_CERTIFICATE,
GNUTLS_BAG_CRL,
+ GNUTLS_BAG_SECRET, /* secret data. Underspecified in pkcs-12, gnutls extension. We use
+ * the PKCS-9 random nonce ID (1.2.840.113549.1.9.25.3) to store randomly
+ * generated keys.
+ */
GNUTLS_BAG_ENCRYPTED = 10,
GNUTLS_BAG_UNKNOWN = 20
} gnutls_pkcs12_bag_type_t;
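Review bot: The comment on `GNUTLS_BAG_SECRET` does not tell callers that the bag gives the key no confidentiality by itself. As far as this commit shows, the encode path writes the supplied key into `secretValue` unchanged, so the key would sit in the PKCS-12 output in the clear unless the caller encrypts the bag (the enum already has `GNUTLS_BAG_ENCRYPTED` for that state). I would extend the comment with a sentence such as `The secret is stored unencrypted unless the bag is encrypted before it is added to the structure.` The enum begins above the hunk.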
diff --git a/lib/pkix.asn b/lib/pkix.asn
index 51cd729951..8b3993aa54 100644
--- a/lib/pkix.asn
+++ b/lib/pkix.asn
@@ -591,6 +591,11 @@ pkcs-12-CRLBag ::= SEQUENCE {
crlValue [0] EXPLICIT ANY DEFINED BY crlId
}
+pkcs-12-SecretBag ::= SEQUENCE {
+ secretTypeId OBJECT IDENTIFIER,
+ secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId
+}
+
-- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
-- DER-encoded X.509 CRL stored in OCTET STRING
diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c
index 1139a5f93f..bbba01ff7b 100644
--- a/lib/pkix_asn1_tab.c
+++ b/lib/pkix_asn1_tab.c
@@ -478,6 +478,11 @@ const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
{ "crlValue", 541073421, NULL },
{ NULL, 1073743880, "0"},
{ "crlId", 1, NULL },
+ { "pkcs-12-SecretBag", 1610612741, NULL },
+ { "secretTypeId", 1073741836, NULL },
+ { "secretValue", 541073421, NULL },
+ { NULL, 1073743880, "0"},
+ { "secretTypeId", 1, NULL },
{ "pkcs-12-PKCS12Attribute", 1073741826, "Attribute"},
{ "pkcs-7-Data", 1073741831, NULL },
{ "pkcs-7-EncryptedData", 1610612741, NULL },
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 3434e7fd7a..6bfb402175 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -301,6 +301,8 @@ oid2bag (const char *oid)
return GNUTLS_BAG_CERTIFICATE;
if (strcmp (oid, BAG_CRL) == 0)
return GNUTLS_BAG_CRL;
+ if (strcmp (oid, BAG_SECRET) == 0)
+ return GNUTLS_BAG_SECRET;
return GNUTLS_BAG_UNKNOWN;
}
@@ -318,6 +320,8 @@ bag_to_oid (int bag)
return BAG_CERTIFICATE;
case GNUTLS_BAG_CRL:
return BAG_CRL;
+ case GNUTLS_BAG_SECRET:
+ return BAG_SECRET;
}
return NULL;
}
@@ -423,7 +427,7 @@ _pkcs12_decode_safe_contents (const gnutls_datum_t * content,
goto cleanup;
}
- if (bag_type == GNUTLS_BAG_CERTIFICATE || bag_type == GNUTLS_BAG_CRL)
+ if (bag_type == GNUTLS_BAG_CERTIFICATE || bag_type == GNUTLS_BAG_CRL || bag_type == GNUTLS_BAG_SECRET)
{
gnutls_datum_t tmp = bag->element[i].data;
@@ -1276,6 +1280,7 @@ _pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents,
*/
if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE ||
+ bag->element[i].type == GNUTLS_BAG_SECRET ||
bag->element[i].type == GNUTLS_BAG_CRL)
{
gnutls_datum_t tmp;
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 4e28348968..9ed23af347 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -173,6 +173,7 @@ gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t bag, int indx,
#define X509_CERT_OID "1.2.840.113549.1.9.22.1"
#define X509_CRL_OID "1.2.840.113549.1.9.23.1"
+#define RANDOM_NONCE_OID "1.2.840.113549.1.9.25.3"
int
_pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type,
@@ -181,58 +182,90 @@ _pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type,
int ret;
ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
- if (type == GNUTLS_BAG_CERTIFICATE)
+ switch(type)
{
- if ((ret = asn1_create_element (_gnutls_get_pkix (),
+ case GNUTLS_BAG_CERTIFICATE:
+ if ((ret = asn1_create_element (_gnutls_get_pkix (),
"PKIX1.pkcs-12-CertBag",
&c2)) != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
- if (ret != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = _gnutls_x509_read_value (c2, "certValue", out, 1);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- }
- else
- { /* CRL */
- if ((ret = asn1_create_element (_gnutls_get_pkix (),
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = _gnutls_x509_read_value (c2, "certValue", out, 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+ break;
+
+ case GNUTLS_BAG_CRL:
+ if ((ret = asn1_create_element (_gnutls_get_pkix (),
"PKIX1.pkcs-12-CRLBag",
&c2)) != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
- if (ret != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = _gnutls_x509_read_value (c2, "crlValue", out, 1);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = _gnutls_x509_read_value (c2, "crlValue", out, 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+ break;
+
+ case GNUTLS_BAG_SECRET:
+ if ((ret = asn1_create_element (_gnutls_get_pkix (),
+ "PKIX1.pkcs-12-SecretBag",
+ &c2)) != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = _gnutls_x509_read_value (c2, "secretValue", out, 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+ break;
+
+ default:
+ gnutls_assert();
+ asn1_delete_structure (&c2);
+ return GNUTLS_E_UNIMPLEMENTED_FEATURE;
}
asn1_delete_structure (&c2);
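Review bot: The `GNUTLS_BAG_SECRET` case returns `secretValue` without ever reading `secretTypeId`, so a SecretBag carrying any other secret type is handed back to the caller as if it were the random-nonce key this extension defines. The value is declared `ANY DEFINED BY secretTypeId`, and the encoder only ever writes `RANDOM_NONCE_OID`, so the decoder should read the OID after `asn1_der_decoding` and reject anything else before extracting the value. The certificate and CRL cases skip the same check on `certId` and `crlId`, but that predates this commit. The function starts and ends outside the hunk, so I am assuming the `cleanup` label deletes `c2` and returns `ret`.

```c
    case GNUTLS_BAG_SECRET:
      /* … unchanged: asn1_create_element and asn1_der_decoding … */

      {
        char oid[128];
        int oid_len = sizeof (oid);

        /* Only the PKCS-9 random nonce type is produced by the encoder. */
        ret = asn1_read_value (c2, "secretTypeId", oid, &oid_len);
        if (ret != ASN1_SUCCESS)
          {
            gnutls_assert ();
            ret = _gnutls_asn2err (ret);
            goto cleanup;
          }

        if (strcmp (oid, RANDOM_NONCE_OID) != 0)
          {
            gnutls_assert ();
            ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
            goto cleanup;
          }
      }

      /* … unchanged: _gnutls_x509_read_value of "secretValue" … */
```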
@@ -254,58 +287,90 @@ _pkcs12_encode_crt_bag (gnutls_pkcs12_bag_type_t type,
int ret;
ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
- if (type == GNUTLS_BAG_CERTIFICATE)
+ switch(type)
{
- if ((ret = asn1_create_element (_gnutls_get_pkix (),
+ case GNUTLS_BAG_CERTIFICATE:
+ if ((ret = asn1_create_element (_gnutls_get_pkix (),
"PKIX1.pkcs-12-CertBag",
&c2)) != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = asn1_write_value (c2, "certId", X509_CERT_OID, 1);
- if (ret != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = _gnutls_x509_write_value (c2, "certValue", raw, 1);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- }
- else
- { /* CRL */
- if ((ret = asn1_create_element (_gnutls_get_pkix (),
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = asn1_write_value (c2, "certId", X509_CERT_OID, 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = _gnutls_x509_write_value (c2, "certValue", raw, 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+ break;
+
+ case GNUTLS_BAG_CRL:
+ if ((ret = asn1_create_element (_gnutls_get_pkix (),
"PKIX1.pkcs-12-CRLBag",
&c2)) != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = asn1_write_value (c2, "crlId", X509_CRL_OID, 1);
- if (ret != ASN1_SUCCESS)
- {
- gnutls_assert ();
- ret = _gnutls_asn2err (ret);
- goto cleanup;
- }
-
- ret = _gnutls_x509_write_value (c2, "crlValue", raw, 1);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = asn1_write_value (c2, "crlId", X509_CRL_OID, 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = _gnutls_x509_write_value (c2, "crlValue", raw, 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+ break;
+
+ case GNUTLS_BAG_SECRET:
+ if ((ret = asn1_create_element (_gnutls_get_pkix (),
+ "PKIX1.pkcs-12-SecretBag",
+ &c2)) != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = asn1_write_value (c2, "secretTypeId", RANDOM_NONCE_OID, 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ ret = _gnutls_asn2err (ret);
+ goto cleanup;
+ }
+
+ ret = _gnutls_x509_write_value (c2, "secretValue", raw, 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+ break;
+
+ default:
+ gnutls_assert();
+ asn1_delete_structure (&c2);
+ return GNUTLS_E_UNIMPLEMENTED_FEATURE;
}
ret = _gnutls_x509_der_encode (c2, "", out, 0);
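Review bot: The `default:` branch frees `c2` and returns directly, while every other failure in this switch sets `ret` and uses `goto cleanup`. Assuming the `cleanup` label (outside the hunk) already deletes `c2`, writing `ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;` followed by `goto cleanup;` keeps a single exit path, so a later change to the cleanup code cannot miss this branch. The `default:` branch of `_pkcs12_decode_crt_bag` in the previous hunk has the same shape.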
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index dac7b1f513..c749123a07 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -328,6 +328,7 @@ typedef struct gnutls_pkcs12_bag_int
#define BAG_PKCS8_ENCRYPTED_KEY "1.2.840.113549.1.12.10.1.2"
#define BAG_CERTIFICATE "1.2.840.113549.1.12.10.1.3"
#define BAG_CRL "1.2.840.113549.1.12.10.1.4"
+#define BAG_SECRET "1.2.840.113549.1.12.10.1.5"
/* PKCS #7
*/