diff options
Diffstat (limited to 'lib/x509/privkey_pkcs8.c')
-rw-r--r-- | lib/x509/privkey_pkcs8.c | 3106 |
1 files changed, 1630 insertions, 1476 deletions
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 1e16df7541..0e1e021327 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -54,49 +54,51 @@ #define PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1" #define PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" -struct pbkdf2_params { - opaque salt[32]; - int salt_size; - unsigned int iter_count; - unsigned int key_size; +struct pbkdf2_params +{ + opaque salt[32]; + int salt_size; + unsigned int iter_count; + unsigned int key_size; }; -struct pbe_enc_params { - gnutls_cipher_algorithm_t cipher; - opaque iv[8]; - int iv_size; +struct pbe_enc_params +{ + gnutls_cipher_algorithm_t cipher; + opaque iv[8]; + int iv_size; }; -static int generate_key(schema_id schema, const char *password, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params, - gnutls_datum_t * key); -static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbkdf2_params *params); -static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, +static int generate_key (schema_id schema, const char *password, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params, + gnutls_datum_t * key); +static int read_pbkdf2_params (ASN1_TYPE pbes2_asn, const gnutls_datum_t * der, - struct pbe_enc_params *params); -static int decrypt_data(schema_id, ASN1_TYPE pkcs8_asn, const char *root, - const char *password, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * decrypted_data); -static int decode_private_key_info(const gnutls_datum_t * der, - gnutls_x509_privkey_t pkey, - ASN1_TYPE * out); -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, - const char *where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params); -static int encrypt_data(const gnutls_datum_t * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * key, gnutls_datum_t * encrypted); - -static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params); -static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *params); + struct pbkdf2_params *params); +static int read_pbe_enc_params (ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbe_enc_params *params); +static int decrypt_data (schema_id, ASN1_TYPE pkcs8_asn, const char *root, + const char *password, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * decrypted_data); +static int decode_private_key_info (const gnutls_datum_t * der, + gnutls_x509_privkey_t pkey, + ASN1_TYPE * out); +static int write_schema_params (schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params); +static int encrypt_data (const gnutls_datum_t * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * key, gnutls_datum_t * encrypted); + +static int read_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, + struct pbkdf2_params *params); +static int write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *params); #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" @@ -104,25 +106,25 @@ static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, /* Returns a negative error code if the encryption schema in * the OID is not supported. The schema ID is returned. */ -inline static int check_schema(const char *oid) +inline static int +check_schema (const char *oid) { - if (strcmp(oid, PBES2_OID) == 0) - return PBES2; + if (strcmp (oid, PBES2_OID) == 0) + return PBES2; - if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) - return PKCS12_3DES_SHA1; + if (strcmp (oid, PKCS12_PBE_3DES_SHA1_OID) == 0) + return PKCS12_3DES_SHA1; - if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) - return PKCS12_ARCFOUR_SHA1; + if (strcmp (oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) + return PKCS12_ARCFOUR_SHA1; - if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) - return PKCS12_RC2_40_SHA1; + if (strcmp (oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) + return PKCS12_RC2_40_SHA1; - _gnutls_x509_log("PKCS encryption schema OID '%s' is unsupported.\n", - oid); + _gnutls_x509_log ("PKCS encryption schema OID '%s' is unsupported.\n", oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } /* @@ -130,247 +132,265 @@ inline static int check_schema(const char *oid) * info. The output will be allocated and stored into der. Also * the ASN1_TYPE of private key info will be returned. */ -static int encode_to_private_key_info(gnutls_x509_privkey_t pkey, - gnutls_datum_t * der, - ASN1_TYPE * pkey_info) +static int +encode_to_private_key_info (gnutls_x509_privkey_t pkey, + gnutls_datum_t * der, ASN1_TYPE * pkey_info) { - int result, len; - size_t size; - opaque *data = NULL; - opaque null = 0; - - if (pkey->pk_algorithm != GNUTLS_PK_RSA) { - gnutls_assert(); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - pkey_info)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the version. - */ - result = asn1_write_value(*pkey_info, "version", &null, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the privateKeyAlgorithm - * fields. (OID+NULL data) - */ - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", - PK_PKIX1_RSA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", - NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the raw private key - */ - size = 0; - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, NULL, &size); - if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { - gnutls_assert(); - goto error; - } - - data = gnutls_alloca(size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - - result = - gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, data, &size); - if (result < 0) { - gnutls_assert(); - goto error; - } - - result = asn1_write_value(*pkey_info, "privateKey", data, size); - - gnutls_afree(data); - data = NULL; - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Append an empty Attributes field. - */ - result = asn1_write_value(*pkey_info, "attributes", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* DER Encode the generated private key info. - */ - len = 0; - result = asn1_der_coding(*pkey_info, "", NULL, &len, NULL); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* allocate data for the der - */ - der->size = len; - der->data = gnutls_malloc(len); - if (der->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + int result, len; + size_t size; + opaque *data = NULL; + opaque null = 0; + + if (pkey->pk_algorithm != GNUTLS_PK_RSA) + { + gnutls_assert (); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-PrivateKeyInfo", + pkey_info)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the version. + */ + result = asn1_write_value (*pkey_info, "version", &null, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* write the privateKeyAlgorithm + * fields. (OID+NULL data) + */ + result = + asn1_write_value (*pkey_info, "privateKeyAlgorithm.algorithm", + PK_PKIX1_RSA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + result = + asn1_write_value (*pkey_info, "privateKeyAlgorithm.parameters", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the raw private key + */ + size = 0; + result = + gnutls_x509_privkey_export (pkey, GNUTLS_X509_FMT_DER, NULL, &size); + if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) + { + gnutls_assert (); + goto error; + } + + data = gnutls_alloca (size); + if (data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + + result = + gnutls_x509_privkey_export (pkey, GNUTLS_X509_FMT_DER, data, &size); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + result = asn1_write_value (*pkey_info, "privateKey", data, size); + + gnutls_afree (data); + data = NULL; + + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Append an empty Attributes field. + */ + result = asn1_write_value (*pkey_info, "attributes", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* DER Encode the generated private key info. + */ + len = 0; + result = asn1_der_coding (*pkey_info, "", NULL, &len, NULL); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* allocate data for the der + */ + der->size = len; + der->data = gnutls_malloc (len); + if (der->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding (*pkey_info, "", der->data, &len, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + return 0; + +error: + asn1_delete_structure (pkey_info); + if (data != NULL) + { + gnutls_afree (data); } - - result = asn1_der_coding(*pkey_info, "", der->data, &len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - return 0; - - error: - asn1_delete_structure(pkey_info); - if (data != NULL) { - gnutls_afree(data); - } - return result; + return result; } /* Converts a PKCS #8 private key info to * a PKCS #8 EncryptedPrivateKeyInfo. */ -static -int encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key, - const char *password, ASN1_TYPE * out) +static int +encode_to_pkcs8_key (schema_id schema, const gnutls_datum_t * der_key, + const char *password, ASN1_TYPE * out) { - int result; - gnutls_datum_t key = { NULL, 0 }; - gnutls_datum_t tmp = { NULL, 0 }; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { + int result; + gnutls_datum_t key = { NULL, 0 }; + gnutls_datum_t tmp = { NULL, 0 }; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) + { case PBES2: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Generate a symmetric key. - */ + /* Generate a symmetric key. + */ - result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; + result = generate_key (schema, password, &kdf_params, &enc_params, &key); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = - write_schema_params(schema, pkcs8_asn, - "encryptionAlgorithm.parameters", &kdf_params, - &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = + write_schema_params (schema, pkcs8_asn, + "encryptionAlgorithm.parameters", &kdf_params, + &enc_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data(der_key, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data (der_key, &enc_params, &key, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* write the encrypted data. - */ - result = - asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* write the encrypted data. + */ + result = asn1_write_value (pkcs8_asn, "encryptedData", tmp.data, tmp.size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); + _gnutls_free_datum (&tmp); + _gnutls_free_datum (&key); - *out = pkcs8_asn; + *out = pkcs8_asn; - return 0; + return 0; - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs8_asn); - return result; +error: + _gnutls_free_datum (&key); + _gnutls_free_datum (&tmp); + asn1_delete_structure (&pkcs8_asn); + return result; } @@ -405,198 +425,220 @@ int encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key, * returned, and 0 on success. * **/ -int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, - const char *password, - unsigned int flags, - void *output_data, - size_t * output_data_size) +int +gnutls_x509_privkey_export_pkcs8 (gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, + const char *password, + unsigned int flags, + void *output_data, + size_t * output_data_size) { - ASN1_TYPE pkcs8_asn, pkey_info; - int ret; - gnutls_datum_t tmp; - schema_id schema; - - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Get the private key info - * tmp holds the DER encoding. - */ - ret = encode_to_private_key_info(key, &tmp, &pkey_info); - if (ret < 0) { - gnutls_assert(); - return ret; - } - - if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) - schema = PKCS12_3DES_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) - schema = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) - schema = PKCS12_RC2_40_SHA1; - else - schema = PBES2; - - - if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) { - _gnutls_free_datum(&tmp); - - ret = - _gnutls_x509_export_int(pkey_info, format, - PEM_UNENCRYPTED_PKCS8, - *output_data_size, output_data, - output_data_size); - - asn1_delete_structure(&pkey_info); - } else { - asn1_delete_structure(&pkey_info); /* we don't need it */ - - ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum(&tmp); - - if (ret < 0) { - gnutls_assert(); - return ret; + ASN1_TYPE pkcs8_asn, pkey_info; + int ret; + gnutls_datum_t tmp; + schema_id schema; + + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Get the private key info + * tmp holds the DER encoding. + */ + ret = encode_to_private_key_info (key, &tmp, &pkey_info); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + if (flags & GNUTLS_PKCS_USE_PKCS12_3DES) + schema = PKCS12_3DES_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + schema = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + schema = PKCS12_RC2_40_SHA1; + else + schema = PBES2; + + + if ((flags & GNUTLS_PKCS_PLAIN) || password == NULL) + { + _gnutls_free_datum (&tmp); + + ret = + _gnutls_x509_export_int (pkey_info, format, + PEM_UNENCRYPTED_PKCS8, + *output_data_size, output_data, + output_data_size); + + asn1_delete_structure (&pkey_info); + } + else + { + asn1_delete_structure (&pkey_info); /* we don't need it */ + + ret = encode_to_pkcs8_key (schema, &tmp, password, &pkcs8_asn); + _gnutls_free_datum (&tmp); + + if (ret < 0) + { + gnutls_assert (); + return ret; } - ret = - _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, - *output_data_size, output_data, - output_data_size); + ret = + _gnutls_x509_export_int (pkcs8_asn, format, PEM_PKCS8, + *output_data_size, output_data, + output_data_size); - asn1_delete_structure(&pkcs8_asn); + asn1_delete_structure (&pkcs8_asn); } - return ret; + return ret; } /* Read the parameters cipher, IV, salt etc using the given * schema ID. */ -static -int read_pkcs_schema_params(schema_id schema, const char *password, - const opaque * data, int data_size, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params) +static int +read_pkcs_schema_params (schema_id schema, const char *password, + const opaque * data, int data_size, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params) { - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - int result; - gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + int result; + gnutls_datum_t tmp; - switch (schema) { + switch (schema) + { case PBES2: - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Decode the parameters. - */ - result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Decode the parameters. + */ + result = asn1_der_decoding (&pbes2_asn, data, data_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - tmp.data = (opaque *) data; - tmp.size = data_size; + tmp.data = (opaque *) data; + tmp.size = data_size; - result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = read_pbkdf2_params (pbes2_asn, &tmp, kdf_params); + if (result < 0) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); - if (result < 0) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = read_pbe_enc_params (pbes2_asn, &tmp, enc_params); + if (result < 0) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - asn1_delete_structure(&pbes2_asn); - return 0; - break; + asn1_delete_structure (&pbes2_asn); + return 0; + break; case PKCS12_3DES_SHA1: case PKCS12_ARCFOUR_SHA1: case PKCS12_RC2_40_SHA1: - if ((schema) == PKCS12_3DES_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - enc_params->iv_size = 8; - } else if ((schema) == PKCS12_ARCFOUR_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - enc_params->iv_size = 0; - } else if ((schema) == PKCS12_RC2_40_SHA1) { - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - enc_params->iv_size = 8; + if ((schema) == PKCS12_3DES_SHA1) + { + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + enc_params->iv_size = 8; + } + else if ((schema) == PKCS12_ARCFOUR_SHA1) + { + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + enc_params->iv_size = 0; + } + else if ((schema) == PKCS12_RC2_40_SHA1) + { + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + enc_params->iv_size = 8; } - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Decode the parameters. - */ - result = asn1_der_decoding(&pbes2_asn, data, data_size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Decode the parameters. + */ + result = asn1_der_decoding (&pbes2_asn, data, data_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = read_pkcs12_kdf_params (pbes2_asn, kdf_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - if (enc_params->iv_size) { - result = - _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - enc_params->iv_size, enc_params->iv); - if (result < 0) { - gnutls_assert(); - goto error; + if (enc_params->iv_size) + { + result = + _pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (result < 0) + { + gnutls_assert (); + goto error; } } - asn1_delete_structure(&pbes2_asn); + asn1_delete_structure (&pbes2_asn); - return 0; - break; + return 0; + break; } /* switch */ - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - error: - asn1_delete_structure(&pbes2_asn); - return result; +error: + asn1_delete_structure (&pbes2_asn); + return result; } @@ -604,202 +646,216 @@ int read_pkcs_schema_params(schema_id schema, const char *password, * an internal structure (gnutls_private_key) * (normally a PKCS #1 encoded RSA key) */ -static -int decode_pkcs8_key(const gnutls_datum_t * raw_key, - const char *password, - gnutls_x509_privkey_t pkey, ASN1_TYPE * out) +static int +decode_pkcs8_key (const gnutls_datum_t * raw_key, + const char *password, + gnutls_x509_privkey_t pkey, ASN1_TYPE * out) { - int result, len; - char enc_oid[64]; - gnutls_datum_t tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = - asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; - } - - schema = result; - - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, - raw_key->size, - "encryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params(schema, password, - &raw_key->data[params_start], - params_len, &kdf_params, &enc_params); - - - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - result = - decrypt_data(schema, pkcs8_asn, "encryptedData", password, - &kdf_params, &enc_params, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pkcs8_asn); - - result = decode_private_key_info(&tmp, pkey, &ret_asn); - _gnutls_free_datum(&tmp); - - if (result < 0) { - gnutls_assert(); - goto error; - } - - *out = ret_asn; - - return 0; - - error: - asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs8_asn); - return result; + int result, len; + char enc_oid[64]; + gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + result = asn1_der_decoding (&pkcs8_asn, raw_key->data, raw_key->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof (enc_oid); + result = + asn1_read_value (pkcs8_asn, "encryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + + if ((result = check_schema (enc_oid)) < 0) + { + gnutls_assert (); + goto error; + } + + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd (pkcs8_asn, raw_key->data, + raw_key->size, + "encryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params (schema, password, + &raw_key->data[params_start], + params_len, &kdf_params, &enc_params); + + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + result = + decrypt_data (schema, pkcs8_asn, "encryptedData", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + asn1_delete_structure (&pkcs8_asn); + + result = decode_private_key_info (&tmp, pkey, &ret_asn); + _gnutls_free_datum (&tmp); + + if (result < 0) + { + gnutls_assert (); + goto error; + } + + *out = ret_asn; + + return 0; + +error: + asn1_delete_structure (&pbes2_asn); + asn1_delete_structure (&pkcs8_asn); + return result; } -static -int decode_private_key_info(const gnutls_datum_t * der, - gnutls_x509_privkey_t pkey, ASN1_TYPE * out) +static int +decode_private_key_info (const gnutls_datum_t * der, + gnutls_x509_privkey_t pkey, ASN1_TYPE * out) { - int result, len; - opaque oid[64], *data = NULL; - gnutls_datum_t tmp; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - ASN1_TYPE ret_asn; - int data_size; + int result, len; + opaque oid[64], *data = NULL; + gnutls_datum_t tmp; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + ASN1_TYPE ret_asn; + int data_size; - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-8-PrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-8-PrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + result = asn1_der_decoding (&pkcs8_asn, der->data, der->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; } - /* Check the private key algorithm OID - */ - len = sizeof(oid); - result = - asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", - oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Check the private key algorithm OID + */ + len = sizeof (oid); + result = + asn1_read_value (pkcs8_asn, "privateKeyAlgorithm.algorithm", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* we only support RSA private keys. - */ - if (strcmp(oid, PK_PKIX1_RSA_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 private key OID '%s' is unsupported.\n", oid); - result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; - goto error; + /* we only support RSA private keys. + */ + if (strcmp (oid, PK_PKIX1_RSA_OID) != 0) + { + gnutls_assert (); + _gnutls_x509_log + ("PKCS #8 private key OID '%s' is unsupported.\n", oid); + result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; + goto error; } - /* Get the DER encoding of the actual private key. - */ - data_size = 0; - result = asn1_read_value(pkcs8_asn, "privateKey", NULL, &data_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* Get the DER encoding of the actual private key. + */ + data_size = 0; + result = asn1_read_value (pkcs8_asn, "privateKey", NULL, &data_size); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - data = gnutls_alloca(data_size); - if (data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; + data = gnutls_alloca (data_size); + if (data == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto error; } - result = asn1_read_value(pkcs8_asn, "privateKey", data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = asn1_read_value (pkcs8_asn, "privateKey", data, &data_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - asn1_delete_structure(&pkcs8_asn); + asn1_delete_structure (&pkcs8_asn); - tmp.data = data; - tmp.size = data_size; + tmp.data = data; + tmp.size = data_size; - pkey->pk_algorithm = GNUTLS_PK_RSA; + pkey->pk_algorithm = GNUTLS_PK_RSA; - ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); - if (ret_asn == NULL) { - gnutls_assert(); + ret_asn = _gnutls_privkey_decode_pkcs1_rsa_key (&tmp, pkey); + if (ret_asn == NULL) + { + gnutls_assert (); } - *out = ret_asn; + *out = ret_asn; - return 0; + return 0; - error: - asn1_delete_structure(&pkcs8_asn); - if (data != NULL) { - gnutls_afree(data); +error: + asn1_delete_structure (&pkcs8_asn); + if (data != NULL) + { + gnutls_afree (data); } - return result; + return result; } @@ -826,1122 +882,1220 @@ int decode_private_key_info(const gnutls_datum_t * der, * Returns 0 on success. * **/ -int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, - const char *password, - unsigned int flags) +int +gnutls_x509_privkey_import_pkcs8 (gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + const char *password, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - int encrypted; + int result = 0, need_free = 0; + gnutls_datum_t _data; + int encrypted; - if (key == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - key->pk_algorithm = GNUTLS_PK_UNKNOWN; + key->pk_algorithm = GNUTLS_PK_UNKNOWN; - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) { - opaque *out; + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) + { + opaque *out; - /* Try the first header - */ - result = - _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, - data->data, data->size, &out); - encrypted = 0; + /* Try the first header + */ + result = + _gnutls_fbase64_decode (PEM_UNENCRYPTED_PKCS8, + data->data, data->size, &out); + encrypted = 0; - if (result < 0) { /* Try the encrypted header + if (result < 0) + { /* Try the encrypted header */ - result = - _gnutls_fbase64_decode(PEM_PKCS8, data->data, - data->size, &out); - - if (result <= 0) { - if (result == 0) - result = GNUTLS_E_INTERNAL_ERROR; - gnutls_assert(); - return result; + result = + _gnutls_fbase64_decode (PEM_PKCS8, data->data, data->size, &out); + + if (result <= 0) + { + if (result == 0) + result = GNUTLS_E_INTERNAL_ERROR; + gnutls_assert (); + return result; } - encrypted = 1; + encrypted = 1; } - _data.data = out; - _data.size = result; + _data.data = out; + _data.size = result; - need_free = 1; + need_free = 1; } - if (flags & GNUTLS_PKCS_PLAIN) { - result = decode_private_key_info(&_data, key, &key->key); - } else { /* encrypted. */ - result = decode_pkcs8_key(&_data, password, key, &key->key); + if (flags & GNUTLS_PKCS_PLAIN) + { + result = decode_private_key_info (&_data, key, &key->key); + } + else + { /* encrypted. */ + result = decode_pkcs8_key (&_data, password, key, &key->key); } - if (result < 0) { - gnutls_assert(); - goto cleanup; + if (result < 0) + { + gnutls_assert (); + goto cleanup; } - if (need_free) - _gnutls_free_datum(&_data); + if (need_free) + _gnutls_free_datum (&_data); - /* The key has now been decoded. - */ + /* The key has now been decoded. + */ - return 0; + return 0; - cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) - _gnutls_free_datum(&_data); - return result; +cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum (&_data); + return result; } /* Reads the PBKDF2 parameters. */ -static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbkdf2_params *params) +static int +read_pbkdf2_params (ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, struct pbkdf2_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the key derivation algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); - - if (strcmp(oid, PBKDF2_OID) != 0) { - gnutls_assert(); - _gnutls_x509_log - ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "keyDerivationFunc.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); - - /* read the keylength, if it is set. - */ - result = - _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", ¶ms->key_size); - if (result < 0) { - params->key_size = 0; - } - _gnutls_hard_log("keyLength: %d\n", params->key_size); - - /* We don't read the PRF. We only use the default. - */ - - return 0; - - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset (params, 0, sizeof (params)); + + /* Check the key derivation algorithm + */ + len = sizeof (oid); + result = + asn1_read_value (pbes2_asn, "keyDerivationFunc.algorithm", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + _gnutls_hard_log ("keyDerivationFunc.algorithm: %s\n", oid); + + if (strcmp (oid, PBKDF2_OID) != 0) + { + gnutls_assert (); + _gnutls_x509_log + ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); + return _gnutls_asn2err (result); + } + + result = + asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, + "keyDerivationFunc.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + params_len = params_end - params_start + 1; + + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = + asn1_der_decoding (&pbkdf2_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* read the salt */ + params->salt_size = sizeof (params->salt); + result = + asn1_read_value (pbkdf2_asn, "salt.specified", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("salt.specified.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint (pbkdf2_asn, "iterationCount", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("iterationCount: %d\n", params->iter_count); + + /* read the keylength, if it is set. + */ + result = + _gnutls_x509_read_uint (pbkdf2_asn, "keyLength", ¶ms->key_size); + if (result < 0) + { + params->key_size = 0; + } + _gnutls_hard_log ("keyLength: %d\n", params->key_size); + + /* We don't read the PRF. We only use the default. + */ + + return 0; + +error: + asn1_delete_structure (&pbkdf2_asn); + return result; } /* Reads the PBE parameters from PKCS-12 schemas (*&#%*&#% RSA). */ -static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params) +static int +read_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, struct pbkdf2_params *params) { - int result; + int result; - memset(params, 0, sizeof(params)); + memset (params, 0, sizeof (params)); - /* read the salt */ - params->salt_size = sizeof(params->salt); - result = - asn1_read_value(pbes2_asn, "salt", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* read the salt */ + params->salt_size = sizeof (params->salt); + result = + asn1_read_value (pbes2_asn, "salt", params->salt, ¶ms->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - _gnutls_hard_log("salt.size: %d\n", params->salt_size); + _gnutls_hard_log ("salt.size: %d\n", params->salt_size); - /* read the iteration count - */ - result = - _gnutls_x509_read_uint(pbes2_asn, "iterations", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; + /* read the iteration count + */ + result = + _gnutls_x509_read_uint (pbes2_asn, "iterations", ¶ms->iter_count); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; } - _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + _gnutls_hard_log ("iterationCount: %d\n", params->iter_count); - params->key_size = 0; + params->key_size = 0; - return 0; + return 0; - error: - return result; +error: + return result; } /* Writes the PBE parameters for PKCS-12 schemas. */ -static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) +static int +write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *kdf_params) { - int result; - - /* write the salt - */ - result = - asn1_write_value(pbes2_asn, "salt", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.size: %d\n", kdf_params->salt_size); - - /* write the iteration count - */ - result = - _gnutls_x509_write_uint32(pbes2_asn, "iterations", - kdf_params->iter_count); - if (result < 0) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - return 0; - - error: - return result; + int result; + + /* write the salt + */ + result = + asn1_write_value (pbes2_asn, "salt", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("salt.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + result = + _gnutls_x509_write_uint32 (pbes2_asn, "iterations", + kdf_params->iter_count); + if (result < 0) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("iterationCount: %d\n", kdf_params->iter_count); + + return 0; + +error: + return result; } /* Converts an OID to a gnutls cipher type. */ -inline - static int oid2cipher(const char *oid, - gnutls_cipher_algorithm_t * algo) +inline static int +oid2cipher (const char *oid, gnutls_cipher_algorithm_t * algo) { - *algo = 0; + *algo = 0; - if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_3DES_CBC; - return 0; + if (strcmp (oid, DES_EDE3_CBC_OID) == 0) + { + *algo = GNUTLS_CIPHER_3DES_CBC; + return 0; } - if (strcmp(oid, DES_CBC_OID) == 0) { - *algo = GNUTLS_CIPHER_DES_CBC; - return 0; + if (strcmp (oid, DES_CBC_OID) == 0) + { + *algo = GNUTLS_CIPHER_DES_CBC; + return 0; } - _gnutls_x509_log("PKCS #8 encryption OID '%s' is unsupported.\n", oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + _gnutls_x509_log ("PKCS #8 encryption OID '%s' is unsupported.\n", oid); + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } -static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbe_enc_params *params) +static int +read_pbe_enc_params (ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbe_enc_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset(params, 0, sizeof(params)); - - /* Check the encryption algorithm - */ - len = sizeof(oid); - result = - asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, - &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); - - if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { - gnutls_assert(); - goto error; - } - - result = - asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, - "encryptionScheme.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - params_len = params_end - params_start + 1; - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = - asn1_der_decoding(&pbe_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* read the IV */ - params->iv_size = sizeof(params->iv); - result = asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset (params, 0, sizeof (params)); + + /* Check the encryption algorithm + */ + len = sizeof (oid); + result = + asn1_read_value (pbes2_asn, "encryptionScheme.algorithm", oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("encryptionScheme.algorithm: %s\n", oid); + + if ((result = oid2cipher (oid, ¶ms->cipher)) < 0) + { + gnutls_assert (); + goto error; + } + + result = + asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, + "encryptionScheme.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + params_len = params_end - params_start + 1; + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = + asn1_der_decoding (&pbe_asn, &der->data[params_start], params_len, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* read the IV */ + params->iv_size = sizeof (params->iv); + result = asn1_read_value (pbe_asn, "", params->iv, ¶ms->iv_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("IV.size: %d\n", params->iv_size); + + return 0; + +error: + asn1_delete_structure (&pbe_asn); + return result; } -static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, - const char *root, const char *password, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * decrypted_data) +static int +decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, + const char *root, const char *password, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * decrypted_data) { - int result; - int data_size; - opaque *data = NULL, *key = NULL; - gnutls_datum_t dkey, d_iv; - cipher_hd_t ch = NULL; - int key_size; - - data_size = 0; - result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); - if (result != ASN1_MEM_ERROR) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - data = gnutls_malloc(data_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value(pkcs8_asn, root, data, &data_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - if (kdf_params->key_size == 0) { - key_size = gnutls_cipher_get_key_size(enc_params->cipher); - } else - key_size = kdf_params->key_size; - - key = gnutls_alloca(key_size); - if (key == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - /* generate the key - */ - if (schema == PBES2) { - result = gc_pbkdf2_sha1(password, strlen(password), - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, key, key_size); - - if (result != GC_OK) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; + int result; + int data_size; + opaque *data = NULL, *key = NULL; + gnutls_datum_t dkey, d_iv; + cipher_hd_t ch = NULL; + int key_size; + + data_size = 0; + result = asn1_read_value (pkcs8_asn, root, NULL, &data_size); + if (result != ASN1_MEM_ERROR) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + data = gnutls_malloc (data_size); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value (pkcs8_asn, root, data, &data_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + if (kdf_params->key_size == 0) + { + key_size = gnutls_cipher_get_key_size (enc_params->cipher); + } + else + key_size = kdf_params->key_size; + + key = gnutls_alloca (key_size); + if (key == NULL) + { + gnutls_assert (); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* generate the key + */ + if (schema == PBES2) + { + result = gc_pbkdf2_sha1 (password, strlen (password), + kdf_params->salt, kdf_params->salt_size, + kdf_params->iter_count, key, key_size); + + if (result != GC_OK) + { + gnutls_assert (); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; } - } else { - result = - _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - key_size, key); - - if (result < 0) { - gnutls_assert(); - goto error; + } + else + { + result = + _pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + key_size, key); + + if (result < 0) + { + gnutls_assert (); + goto error; } } - /* do the decryption. - */ - dkey.data = key; - dkey.size = key_size; + /* do the decryption. + */ + dkey.data = key; + dkey.size = key_size; - d_iv.data = (opaque *) enc_params->iv; - d_iv.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, &dkey, &d_iv); + d_iv.data = (opaque *) enc_params->iv; + d_iv.size = enc_params->iv_size; + ch = _gnutls_cipher_init (enc_params->cipher, &dkey, &d_iv); - gnutls_afree(key); - key = NULL; + gnutls_afree (key); + key = NULL; - if (ch == NULL) { - gnutls_assert(); - result = GNUTLS_E_DECRYPTION_FAILED; - goto error; + if (ch == NULL) + { + gnutls_assert (); + result = GNUTLS_E_DECRYPTION_FAILED; + goto error; } - result = _gnutls_cipher_decrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_cipher_decrypt (ch, data, data_size); + if (result < 0) + { + gnutls_assert (); + goto error; } - decrypted_data->data = data; + decrypted_data->data = data; - if (_gnutls_cipher_get_block_size(enc_params->cipher) != 1) - decrypted_data->size = data_size - data[data_size - 1]; - else - decrypted_data->size = data_size; + if (_gnutls_cipher_get_block_size (enc_params->cipher) != 1) + decrypted_data->size = data_size - data[data_size - 1]; + else + decrypted_data->size = data_size; - _gnutls_cipher_deinit(ch); + _gnutls_cipher_deinit (ch); - return 0; + return 0; - error: - gnutls_free(data); - gnutls_afree(key); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; +error: + gnutls_free (data); + gnutls_afree (key); + if (ch != NULL) + _gnutls_cipher_deinit (ch); + return result; } /* Writes the PBKDF2 parameters. */ -static int write_pbkdf2_params(ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) +static int +write_pbkdf2_params (ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *kdf_params) { - int result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - opaque tmp[64]; - - /* Write the key derivation algorithm - */ - result = - asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", - PBKDF2_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* Now write the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* write the salt - */ - result = - asn1_write_value(pbkdf2_asn, "salt.specified", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("salt.specified.size: %d\n", kdf_params->salt_size); - - /* write the iteration count - */ - _gnutls_write_uint32(kdf_params->iter_count, tmp); - - result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); - - /* write the keylength, if it is set. - */ - result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* We write an emptry prf. - */ - result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* now encode them an put the DER output - * in the keyDerivationFunc.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", - pbes2_asn, - "keyDerivationFunc.parameters", - 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbkdf2_asn); - return result; + int result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + opaque tmp[64]; + + /* Write the key derivation algorithm + */ + result = + asn1_write_value (pbes2_asn, "keyDerivationFunc.algorithm", + PBKDF2_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + /* Now write the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = asn1_write_value (pbkdf2_asn, "salt", "specified", 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* write the salt + */ + result = + asn1_write_value (pbkdf2_asn, "salt.specified", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("salt.specified.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + _gnutls_write_uint32 (kdf_params->iter_count, tmp); + + result = asn1_write_value (pbkdf2_asn, "iterationCount", tmp, 4); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("iterationCount: %d\n", kdf_params->iter_count); + + /* write the keylength, if it is set. + */ + result = asn1_write_value (pbkdf2_asn, "keyLength", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* We write an emptry prf. + */ + result = asn1_write_value (pbkdf2_asn, "prf", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* now encode them an put the DER output + * in the keyDerivationFunc.parameters + */ + result = _gnutls_x509_der_encode_and_copy (pbkdf2_asn, "", + pbes2_asn, + "keyDerivationFunc.parameters", + 0); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + return 0; + +error: + asn1_delete_structure (&pbkdf2_asn); + return result; } -static int write_pbe_enc_params(ASN1_TYPE pbes2_asn, - const struct pbe_enc_params *params) +static int +write_pbe_enc_params (ASN1_TYPE pbes2_asn, + const struct pbe_enc_params *params) { - int result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - - /* Write the encryption algorithm - */ - result = - asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", - DES_EDE3_CBC_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - goto error; - } - _gnutls_hard_log("encryptionScheme.algorithm: %s\n", DES_EDE3_CBC_OID); - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-des-EDE3-CBC-params", - &pbe_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - /* read the salt */ - result = asn1_write_value(pbe_asn, "", params->iv, params->iv_size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - _gnutls_hard_log("IV.size: %d\n", params->iv_size); - - /* now encode them an put the DER output - * in the encryptionScheme.parameters - */ - result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", - pbes2_asn, - "encryptionScheme.parameters", - 0); - if (result < 0) { - gnutls_assert(); - goto error; - } - - return 0; - - error: - asn1_delete_structure(&pbe_asn); - return result; + int result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + + /* Write the encryption algorithm + */ + result = + asn1_write_value (pbes2_asn, "encryptionScheme.algorithm", + DES_EDE3_CBC_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + goto error; + } + _gnutls_hard_log ("encryptionScheme.algorithm: %s\n", DES_EDE3_CBC_OID); + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-des-EDE3-CBC-params", + &pbe_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + /* read the salt */ + result = asn1_write_value (pbe_asn, "", params->iv, params->iv_size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + _gnutls_hard_log ("IV.size: %d\n", params->iv_size); + + /* now encode them an put the DER output + * in the encryptionScheme.parameters + */ + result = _gnutls_x509_der_encode_and_copy (pbe_asn, "", + pbes2_asn, + "encryptionScheme.parameters", + 0); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + return 0; + +error: + asn1_delete_structure (&pbe_asn); + return result; } /* Generates a key and also stores the key parameters. */ -static int generate_key(schema_id schema, - const char *password, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params, - gnutls_datum_t * key) +static int +generate_key (schema_id schema, + const char *password, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params, gnutls_datum_t * key) { - opaque rnd[2]; - int ret; - - /* We should use the flags here to use different - * encryption algorithms etc. - */ - - if (schema == PKCS12_ARCFOUR_SHA1) - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - else if (schema == PKCS12_3DES_SHA1) - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - else if (schema == PKCS12_RC2_40_SHA1) - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - - if (gc_pseudo_random (rnd, 2) != GC_OK) { - gnutls_assert(); + opaque rnd[2]; + int ret; + + /* We should use the flags here to use different + * encryption algorithms etc. + */ + + if (schema == PKCS12_ARCFOUR_SHA1) + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + else if (schema == PKCS12_3DES_SHA1) + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + else if (schema == PKCS12_RC2_40_SHA1) + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + + if (gc_pseudo_random (rnd, 2) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - /* generate salt */ + /* generate salt */ - if (schema == PBES2) - kdf_params->salt_size = - MIN(sizeof(kdf_params->salt), (uint) (10 + (rnd[1] % 10))); - else - kdf_params->salt_size = 8; + if (schema == PBES2) + kdf_params->salt_size = + MIN (sizeof (kdf_params->salt), (uint) (10 + (rnd[1] % 10))); + else + kdf_params->salt_size = 8; - if (gc_pseudo_random (kdf_params->salt, kdf_params->salt_size) != GC_OK) { - gnutls_assert(); + if (gc_pseudo_random (kdf_params->salt, kdf_params->salt_size) != GC_OK) + { + gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; } - kdf_params->iter_count = 256 + rnd[0]; - key->size = kdf_params->key_size = - gnutls_cipher_get_key_size(enc_params->cipher); + kdf_params->iter_count = 256 + rnd[0]; + key->size = kdf_params->key_size = + gnutls_cipher_get_key_size (enc_params->cipher); - enc_params->iv_size = _gnutls_cipher_get_iv_size(enc_params->cipher); + enc_params->iv_size = _gnutls_cipher_get_iv_size (enc_params->cipher); - key->data = gnutls_secure_malloc(key->size); - if (key->data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + key->data = gnutls_secure_malloc (key->size); + if (key->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - /* now generate the key. - */ + /* now generate the key. + */ - if (schema == PBES2) { + if (schema == PBES2) + { - ret = gc_pbkdf2_sha1(password, strlen(password), - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, - key->data, kdf_params->key_size); - if (ret != GC_OK) { - gnutls_assert(); - return GNUTLS_E_ENCRYPTION_FAILED; + ret = gc_pbkdf2_sha1 (password, strlen (password), + kdf_params->salt, kdf_params->salt_size, + kdf_params->iter_count, + key->data, kdf_params->key_size); + if (ret != GC_OK) + { + gnutls_assert (); + return GNUTLS_E_ENCRYPTION_FAILED; } - if (enc_params->iv_size && - gc_nonce (enc_params->iv, enc_params->iv_size) != GC_OK) { - gnutls_assert(); - return GNUTLS_E_RANDOM_FAILED; + if (enc_params->iv_size && + gc_nonce (enc_params->iv, enc_params->iv_size) != GC_OK) + { + gnutls_assert (); + return GNUTLS_E_RANDOM_FAILED; } - } else { /* PKCS12 schemas */ - ret = - _pkcs12_string_to_key(1 /*KEY*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - kdf_params->key_size, key->data); - if (ret < 0) { - gnutls_assert(); - return ret; + } + else + { /* PKCS12 schemas */ + ret = + _pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + kdf_params->key_size, key->data); + if (ret < 0) + { + gnutls_assert (); + return ret; } - /* Now generate the IV - */ - if (enc_params->iv_size) { - ret = - _pkcs12_string_to_key(2 /*IV*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - enc_params->iv_size, enc_params->iv); - if (ret < 0) { - gnutls_assert(); - return ret; + /* Now generate the IV + */ + if (enc_params->iv_size) + { + ret = + _pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, password, + enc_params->iv_size, enc_params->iv); + if (ret < 0) + { + gnutls_assert (); + return ret; } } } - return 0; + return 0; } /* Encodes the parameters to be written in the encryptionAlgorithm.parameters * part. */ -static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, - const char *where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params) +static int +write_schema_params (schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params) { - int result; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - - if (schema == PBES2) { - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); + int result; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + + if (schema == PBES2) + { + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); } - result = write_pbkdf2_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_pbkdf2_params (pbes2_asn, kdf_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = write_pbe_enc_params(pbes2_asn, enc_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_pbe_enc_params (pbes2_asn, enc_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, where, 0); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_der_encode_and_copy (pbes2_asn, "", + pkcs8_asn, where, 0); + if (result < 0) + { + gnutls_assert (); + goto error; } - asn1_delete_structure(&pbes2_asn); - } else { /* PKCS12 schemas */ + asn1_delete_structure (&pbes2_asn); + } + else + { /* PKCS12 schemas */ - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_pkcs12_kdf_params (pbes2_asn, kdf_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", - pkcs8_asn, where, 0); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_der_encode_and_copy (pbes2_asn, "", + pkcs8_asn, where, 0); + if (result < 0) + { + gnutls_assert (); + goto error; } - asn1_delete_structure(&pbes2_asn); + asn1_delete_structure (&pbes2_asn); } - return 0; + return 0; - error: - asn1_delete_structure(&pbes2_asn); - return result; +error: + asn1_delete_structure (&pbes2_asn); + return result; } -static int encrypt_data(const gnutls_datum_t * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * key, gnutls_datum_t * encrypted) +static int +encrypt_data (const gnutls_datum_t * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * key, gnutls_datum_t * encrypted) { - int result; - int data_size; - opaque *data = NULL; - gnutls_datum_t d_iv; - cipher_hd_t ch = NULL; - opaque pad, pad_size; + int result; + int data_size; + opaque *data = NULL; + gnutls_datum_t d_iv; + cipher_hd_t ch = NULL; + opaque pad, pad_size; - pad_size = _gnutls_cipher_get_block_size(enc_params->cipher); + pad_size = _gnutls_cipher_get_block_size (enc_params->cipher); - if (pad_size == 1) /* stream */ - pad_size = 0; + if (pad_size == 1) /* stream */ + pad_size = 0; - data = gnutls_malloc(plain->size + pad_size); - if (data == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + data = gnutls_malloc (plain->size + pad_size); + if (data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } - memcpy(data, plain->data, plain->size); + memcpy (data, plain->data, plain->size); - if (pad_size > 0) { - pad = pad_size - (plain->size % pad_size); - if (pad == 0) - pad = pad_size; - memset(&data[plain->size], pad, pad); - } else - pad = 0; + if (pad_size > 0) + { + pad = pad_size - (plain->size % pad_size); + if (pad == 0) + pad = pad_size; + memset (&data[plain->size], pad, pad); + } + else + pad = 0; - data_size = plain->size + pad; + data_size = plain->size + pad; - d_iv.data = (opaque *) enc_params->iv; - d_iv.size = enc_params->iv_size; - ch = _gnutls_cipher_init(enc_params->cipher, key, &d_iv); + d_iv.data = (opaque *) enc_params->iv; + d_iv.size = enc_params->iv_size; + ch = _gnutls_cipher_init (enc_params->cipher, key, &d_iv); - if (ch == GNUTLS_CIPHER_FAILED) { - gnutls_assert(); - result = GNUTLS_E_ENCRYPTION_FAILED; - goto error; + if (ch == GNUTLS_CIPHER_FAILED) + { + gnutls_assert (); + result = GNUTLS_E_ENCRYPTION_FAILED; + goto error; } - result = _gnutls_cipher_encrypt(ch, data, data_size); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_cipher_encrypt (ch, data, data_size); + if (result < 0) + { + gnutls_assert (); + goto error; } - encrypted->data = data; - encrypted->size = data_size; + encrypted->data = data; + encrypted->size = data_size; - _gnutls_cipher_deinit(ch); + _gnutls_cipher_deinit (ch); - return 0; + return 0; - error: - gnutls_free(data); - if (ch != NULL) - _gnutls_cipher_deinit(ch); - return result; +error: + gnutls_free (data); + if (ch != NULL) + _gnutls_cipher_deinit (ch); + return result; } /* Decrypts a PKCS #7 encryptedData. The output is allocated * and stored in dec. */ -int _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data, - const char *password, gnutls_datum_t * dec) +int +_gnutls_pkcs7_decrypt_data (const gnutls_datum_t * data, + const char *password, gnutls_datum_t * dec) { - int result, len; - char enc_oid[64]; - gnutls_datum_t tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - result = asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof(enc_oid); - result = - asn1_read_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - if ((result = check_schema(enc_oid)) < 0) { - gnutls_assert(); - goto error; - } - schema = result; - - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params(schema, password, - &data->data[params_start], - params_len, &kdf_params, &enc_params); - if (result < ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - - result = - decrypt_data(schema, pkcs7_asn, - "encryptedContentInfo.encryptedContent", password, - &kdf_params, &enc_params, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; - } - - asn1_delete_structure(&pkcs7_asn); - - *dec = tmp; - - return 0; - - error: - asn1_delete_structure(&pbes2_asn); - asn1_delete_structure(&pkcs7_asn); - return result; + int result, len; + char enc_oid[64]; + gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + result = asn1_der_decoding (&pkcs7_asn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof (enc_oid); + result = + asn1_read_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + if ((result = check_schema (enc_oid)) < 0) + { + gnutls_assert (); + goto error; + } + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd (pkcs7_asn, data->data, data->size, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params (schema, password, + &data->data[params_start], + params_len, &kdf_params, &enc_params); + if (result < ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + + result = + decrypt_data (schema, pkcs7_asn, + "encryptedContentInfo.encryptedContent", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; + } + + asn1_delete_structure (&pkcs7_asn); + + *dec = tmp; + + return 0; + +error: + asn1_delete_structure (&pbes2_asn); + asn1_delete_structure (&pkcs7_asn); + return result; } /* Encrypts to a PKCS #7 encryptedData. The output is allocated * and stored in enc. */ -int _gnutls_pkcs7_encrypt_data(schema_id schema, - const gnutls_datum_t * data, - const char *password, gnutls_datum_t * enc) +int +_gnutls_pkcs7_encrypt_data (schema_id schema, + const gnutls_datum_t * data, + const char *password, gnutls_datum_t * enc) { - int result; - gnutls_datum_t key = { NULL, 0 }; - gnutls_datum_t tmp = { NULL, 0 }; - ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; - } - - /* Write the encryption schema OID - */ - switch (schema) { + int result; + gnutls_datum_t key = { NULL, 0 }; + gnutls_datum_t tmp = { NULL, 0 }; + ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; + } + + /* Write the encryption schema OID + */ + switch (schema) + { case PBES2: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PBES2_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PBES2_OID, 1); + break; case PKCS12_3DES_SHA1: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_3DES_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_3DES_SHA1_OID, 1); + break; case PKCS12_ARCFOUR_SHA1: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_ARCFOUR_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_ARCFOUR_SHA1_OID, 1); + break; case PKCS12_RC2_40_SHA1: - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - PKCS12_PBE_RC2_40_SHA1_OID, 1); - break; + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + PKCS12_PBE_RC2_40_SHA1_OID, 1); + break; } - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Generate a symmetric key. - */ + /* Generate a symmetric key. + */ - result = - generate_key(schema, password, &kdf_params, &enc_params, &key); - if (result < 0) { - gnutls_assert(); - goto error; + result = generate_key (schema, password, &kdf_params, &enc_params, &key); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = write_schema_params(schema, pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) { - gnutls_assert(); - goto error; + result = write_schema_params (schema, pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + &kdf_params, &enc_params); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data(data, &enc_params, &key, &tmp); - if (result < 0) { - gnutls_assert(); - goto error; + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data (data, &enc_params, &key, &tmp); + if (result < 0) + { + gnutls_assert (); + goto error; } - /* write the encrypted data. - */ - result = - asn1_write_value(pkcs7_asn, - "encryptedContentInfo.encryptedContent", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + /* write the encrypted data. + */ + result = + asn1_write_value (pkcs7_asn, + "encryptedContentInfo.encryptedContent", tmp.data, + tmp.size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); + _gnutls_free_datum (&tmp); + _gnutls_free_datum (&key); - /* Now write the rest of the pkcs-7 stuff. - */ + /* Now write the rest of the pkcs-7 stuff. + */ - result = _gnutls_x509_write_uint32(pkcs7_asn, "version", 0); - if (result < 0) { - gnutls_assert(); - goto error; + result = _gnutls_x509_write_uint32 (pkcs7_asn, "version", 0); + if (result < 0) + { + gnutls_assert (); + goto error; } - result = - asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", - DATA_OID, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = + asn1_write_value (pkcs7_asn, "encryptedContentInfo.contentType", + DATA_OID, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - result = asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - result = _gnutls_asn2err(result); - goto error; + result = asn1_write_value (pkcs7_asn, "unprotectedAttrs", NULL, 0); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + result = _gnutls_asn2err (result); + goto error; } - /* Now encode and copy the DER stuff. - */ - result = _gnutls_x509_der_encode(pkcs7_asn, "", enc, 0); + /* Now encode and copy the DER stuff. + */ + result = _gnutls_x509_der_encode (pkcs7_asn, "", enc, 0); - asn1_delete_structure(&pkcs7_asn); + asn1_delete_structure (&pkcs7_asn); - if (result < 0) { - gnutls_assert(); - goto error; + if (result < 0) + { + gnutls_assert (); + goto error; } - error: - _gnutls_free_datum(&key); - _gnutls_free_datum(&tmp); - asn1_delete_structure(&pkcs7_asn); - return result; +error: + _gnutls_free_datum (&key); + _gnutls_free_datum (&tmp); + asn1_delete_structure (&pkcs7_asn); + return result; } |