diff options
Diffstat (limited to 'src/daemon/https/x509/privkey_pkcs8.c')
| -rw-r--r-- | src/daemon/https/x509/privkey_pkcs8.c | 102 |
1 files changed, 56 insertions, 46 deletions
diff --git a/src/daemon/https/x509/privkey_pkcs8.c b/src/daemon/https/x509/privkey_pkcs8.c index 741552e1..30f2caae 100644 --- a/src/daemon/https/x509/privkey_pkcs8.c +++ b/src/daemon/https/x509/privkey_pkcs8.c | |||
| @@ -82,7 +82,7 @@ static int decrypt_data (schema_id, ASN1_TYPE pkcs8_asn, const char *root, | |||
| 82 | static int decode_private_key_info (const MHD_gnutls_datum_t * der, | 82 | static int decode_private_key_info (const MHD_gnutls_datum_t * der, |
| 83 | MHD_gnutls_x509_privkey_t pkey); | 83 | MHD_gnutls_x509_privkey_t pkey); |
| 84 | static int readMHD_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, | 84 | static int readMHD_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, |
| 85 | struct pbkdf2_params *params); | 85 | struct pbkdf2_params *params); |
| 86 | 86 | ||
| 87 | #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" | 87 | #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" |
| 88 | #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" | 88 | #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" |
| @@ -106,7 +106,8 @@ check_schema (const char *oid) | |||
| 106 | if (strcmp (oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) | 106 | if (strcmp (oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) |
| 107 | return PKCS12_RC2_40_SHA1; | 107 | return PKCS12_RC2_40_SHA1; |
| 108 | 108 | ||
| 109 | MHD__gnutls_x509_log ("PKCS encryption schema OID '%s' is unsupported.\n", oid); | 109 | MHD__gnutls_x509_log ("PKCS encryption schema OID '%s' is unsupported.\n", |
| 110 | oid); | ||
| 110 | 111 | ||
| 111 | return GNUTLS_E_UNKNOWN_CIPHER_TYPE; | 112 | return GNUTLS_E_UNKNOWN_CIPHER_TYPE; |
| 112 | } | 113 | } |
| @@ -134,8 +135,8 @@ read_pkcs_schema_params (schema_id schema, const char *password, | |||
| 134 | */ | 135 | */ |
| 135 | if ((result = | 136 | if ((result = |
| 136 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), | 137 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), |
| 137 | "PKIX1.pkcs-5-PBES2-params", | 138 | "PKIX1.pkcs-5-PBES2-params", |
| 138 | &pbes2_asn)) != ASN1_SUCCESS) | 139 | &pbes2_asn)) != ASN1_SUCCESS) |
| 139 | { | 140 | { |
| 140 | MHD_gnutls_assert (); | 141 | MHD_gnutls_assert (); |
| 141 | result = MHD_gtls_asn2err (result); | 142 | result = MHD_gtls_asn2err (result); |
| @@ -197,8 +198,8 @@ read_pkcs_schema_params (schema_id schema, const char *password, | |||
| 197 | 198 | ||
| 198 | if ((result = | 199 | if ((result = |
| 199 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), | 200 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), |
| 200 | "PKIX1.pkcs-12-PbeParams", | 201 | "PKIX1.pkcs-12-PbeParams", |
| 201 | &pbes2_asn)) != ASN1_SUCCESS) | 202 | &pbes2_asn)) != ASN1_SUCCESS) |
| 202 | { | 203 | { |
| 203 | MHD_gnutls_assert (); | 204 | MHD_gnutls_assert (); |
| 204 | result = MHD_gtls_asn2err (result); | 205 | result = MHD_gtls_asn2err (result); |
| @@ -226,9 +227,9 @@ read_pkcs_schema_params (schema_id schema, const char *password, | |||
| 226 | { | 227 | { |
| 227 | result = | 228 | result = |
| 228 | MHD_pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, | 229 | MHD_pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, |
| 229 | kdf_params->salt_size, | 230 | kdf_params->salt_size, |
| 230 | kdf_params->iter_count, password, | 231 | kdf_params->iter_count, password, |
| 231 | enc_params->iv_size, enc_params->iv); | 232 | enc_params->iv_size, enc_params->iv); |
| 232 | if (result < 0) | 233 | if (result < 0) |
| 233 | { | 234 | { |
| 234 | MHD_gnutls_assert (); | 235 | MHD_gnutls_assert (); |
| @@ -270,15 +271,16 @@ decode_pkcs8_key (const MHD_gnutls_datum_t * raw_key, | |||
| 270 | 271 | ||
| 271 | if ((result = | 272 | if ((result = |
| 272 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), | 273 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), |
| 273 | "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", | 274 | "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", |
| 274 | &pkcs8_asn)) != ASN1_SUCCESS) | 275 | &pkcs8_asn)) != ASN1_SUCCESS) |
| 275 | { | 276 | { |
| 276 | MHD_gnutls_assert (); | 277 | MHD_gnutls_assert (); |
| 277 | result = MHD_gtls_asn2err (result); | 278 | result = MHD_gtls_asn2err (result); |
| 278 | goto error; | 279 | goto error; |
| 279 | } | 280 | } |
| 280 | 281 | ||
| 281 | result = MHD__asn1_der_decoding (&pkcs8_asn, raw_key->data, raw_key->size, NULL); | 282 | result = |
| 283 | MHD__asn1_der_decoding (&pkcs8_asn, raw_key->data, raw_key->size, NULL); | ||
| 282 | if (result != ASN1_SUCCESS) | 284 | if (result != ASN1_SUCCESS) |
| 283 | { | 285 | { |
| 284 | MHD_gnutls_assert (); | 286 | MHD_gnutls_assert (); |
| @@ -291,7 +293,7 @@ decode_pkcs8_key (const MHD_gnutls_datum_t * raw_key, | |||
| 291 | len = sizeof (enc_oid); | 293 | len = sizeof (enc_oid); |
| 292 | result = | 294 | result = |
| 293 | MHD__asn1_read_value (pkcs8_asn, "encryptionAlgorithm.algorithm", | 295 | MHD__asn1_read_value (pkcs8_asn, "encryptionAlgorithm.algorithm", |
| 294 | enc_oid, &len); | 296 | enc_oid, &len); |
| 295 | if (result != ASN1_SUCCESS) | 297 | if (result != ASN1_SUCCESS) |
| 296 | { | 298 | { |
| 297 | MHD_gnutls_assert (); | 299 | MHD_gnutls_assert (); |
| @@ -310,9 +312,9 @@ decode_pkcs8_key (const MHD_gnutls_datum_t * raw_key, | |||
| 310 | */ | 312 | */ |
| 311 | result = | 313 | result = |
| 312 | MHD__asn1_der_decoding_startEnd (pkcs8_asn, raw_key->data, | 314 | MHD__asn1_der_decoding_startEnd (pkcs8_asn, raw_key->data, |
| 313 | raw_key->size, | 315 | raw_key->size, |
| 314 | "encryptionAlgorithm.parameters", | 316 | "encryptionAlgorithm.parameters", |
| 315 | ¶ms_start, ¶ms_end); | 317 | ¶ms_start, ¶ms_end); |
| 316 | if (result != ASN1_SUCCESS) | 318 | if (result != ASN1_SUCCESS) |
| 317 | { | 319 | { |
| 318 | MHD_gnutls_assert (); | 320 | MHD_gnutls_assert (); |
| @@ -416,8 +418,8 @@ decode_private_key_info (const MHD_gnutls_datum_t * der, | |||
| 416 | 418 | ||
| 417 | if ((result = | 419 | if ((result = |
| 418 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), | 420 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), |
| 419 | "PKIX1.pkcs-8-PrivateKeyInfo", | 421 | "PKIX1.pkcs-8-PrivateKeyInfo", |
| 420 | &pkcs8_asn)) != ASN1_SUCCESS) | 422 | &pkcs8_asn)) != ASN1_SUCCESS) |
| 421 | { | 423 | { |
| 422 | MHD_gnutls_assert (); | 424 | MHD_gnutls_assert (); |
| 423 | result = MHD_gtls_asn2err (result); | 425 | result = MHD_gtls_asn2err (result); |
| @@ -436,7 +438,8 @@ decode_private_key_info (const MHD_gnutls_datum_t * der, | |||
| 436 | */ | 438 | */ |
| 437 | len = sizeof (oid); | 439 | len = sizeof (oid); |
| 438 | result = | 440 | result = |
| 439 | MHD__asn1_read_value (pkcs8_asn, "privateKeyAlgorithm.algorithm", oid, &len); | 441 | MHD__asn1_read_value (pkcs8_asn, "privateKeyAlgorithm.algorithm", oid, |
| 442 | &len); | ||
| 440 | if (result != ASN1_SUCCESS) | 443 | if (result != ASN1_SUCCESS) |
| 441 | { | 444 | { |
| 442 | MHD_gnutls_assert (); | 445 | MHD_gnutls_assert (); |
| @@ -446,7 +449,7 @@ decode_private_key_info (const MHD_gnutls_datum_t * der, | |||
| 446 | 449 | ||
| 447 | /* we only support RSA and DSA private keys. | 450 | /* we only support RSA and DSA private keys. |
| 448 | */ | 451 | */ |
| 449 | if (strcmp ((const char*) oid, PK_PKIX1_RSA_OID) == 0) | 452 | if (strcmp ((const char *) oid, PK_PKIX1_RSA_OID) == 0) |
| 450 | pkey->pk_algorithm = MHD_GNUTLS_PK_RSA; | 453 | pkey->pk_algorithm = MHD_GNUTLS_PK_RSA; |
| 451 | else | 454 | else |
| 452 | { | 455 | { |
| @@ -502,9 +505,10 @@ error: | |||
| 502 | **/ | 505 | **/ |
| 503 | int | 506 | int |
| 504 | MHD_gnutls_x509_privkey_import_pkcs8 (MHD_gnutls_x509_privkey_t key, | 507 | MHD_gnutls_x509_privkey_import_pkcs8 (MHD_gnutls_x509_privkey_t key, |
| 505 | const MHD_gnutls_datum_t * data, | 508 | const MHD_gnutls_datum_t * data, |
| 506 | MHD_gnutls_x509_crt_fmt_t format, | 509 | MHD_gnutls_x509_crt_fmt_t format, |
| 507 | const char *password, unsigned int flags) | 510 | const char *password, |
| 511 | unsigned int flags) | ||
| 508 | { | 512 | { |
| 509 | int result = 0, need_free = 0; | 513 | int result = 0, need_free = 0; |
| 510 | MHD_gnutls_datum_t _data; | 514 | MHD_gnutls_datum_t _data; |
| @@ -530,13 +534,14 @@ MHD_gnutls_x509_privkey_import_pkcs8 (MHD_gnutls_x509_privkey_t key, | |||
| 530 | */ | 534 | */ |
| 531 | result = | 535 | result = |
| 532 | MHD__gnutls_fbase64_decode (PEM_UNENCRYPTED_PKCS8, | 536 | MHD__gnutls_fbase64_decode (PEM_UNENCRYPTED_PKCS8, |
| 533 | data->data, data->size, &out); | 537 | data->data, data->size, &out); |
| 534 | 538 | ||
| 535 | if (result < 0) | 539 | if (result < 0) |
| 536 | { /* Try the encrypted header | 540 | { /* Try the encrypted header |
| 537 | */ | 541 | */ |
| 538 | result = | 542 | result = |
| 539 | MHD__gnutls_fbase64_decode (PEM_PKCS8, data->data, data->size, &out); | 543 | MHD__gnutls_fbase64_decode (PEM_PKCS8, data->data, data->size, |
| 544 | &out); | ||
| 540 | 545 | ||
| 541 | if (result <= 0) | 546 | if (result <= 0) |
| 542 | { | 547 | { |
| @@ -589,7 +594,8 @@ cleanup: | |||
| 589 | */ | 594 | */ |
| 590 | static int | 595 | static int |
| 591 | read_pbkdf2_params (ASN1_TYPE pbes2_asn, | 596 | read_pbkdf2_params (ASN1_TYPE pbes2_asn, |
| 592 | const MHD_gnutls_datum_t * der, struct pbkdf2_params *params) | 597 | const MHD_gnutls_datum_t * der, |
| 598 | struct pbkdf2_params *params) | ||
| 593 | { | 599 | { |
| 594 | int params_start, params_end; | 600 | int params_start, params_end; |
| 595 | int params_len, len, result; | 601 | int params_len, len, result; |
| @@ -602,7 +608,8 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn, | |||
| 602 | */ | 608 | */ |
| 603 | len = sizeof (oid); | 609 | len = sizeof (oid); |
| 604 | result = | 610 | result = |
| 605 | MHD__asn1_read_value (pbes2_asn, "keyDerivationFunc.algorithm", oid, &len); | 611 | MHD__asn1_read_value (pbes2_asn, "keyDerivationFunc.algorithm", oid, |
| 612 | &len); | ||
| 606 | if (result != ASN1_SUCCESS) | 613 | if (result != ASN1_SUCCESS) |
| 607 | { | 614 | { |
| 608 | MHD_gnutls_assert (); | 615 | MHD_gnutls_assert (); |
| @@ -620,8 +627,8 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn, | |||
| 620 | 627 | ||
| 621 | result = | 628 | result = |
| 622 | MHD__asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, | 629 | MHD__asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, |
| 623 | "keyDerivationFunc.parameters", | 630 | "keyDerivationFunc.parameters", |
| 624 | ¶ms_start, ¶ms_end); | 631 | ¶ms_start, ¶ms_end); |
| 625 | if (result != ASN1_SUCCESS) | 632 | if (result != ASN1_SUCCESS) |
| 626 | { | 633 | { |
| 627 | MHD_gnutls_assert (); | 634 | MHD_gnutls_assert (); |
| @@ -634,8 +641,8 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn, | |||
| 634 | */ | 641 | */ |
| 635 | if ((result = | 642 | if ((result = |
| 636 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), | 643 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), |
| 637 | "PKIX1.pkcs-5-PBKDF2-params", | 644 | "PKIX1.pkcs-5-PBKDF2-params", |
| 638 | &pbkdf2_asn)) != ASN1_SUCCESS) | 645 | &pbkdf2_asn)) != ASN1_SUCCESS) |
| 639 | { | 646 | { |
| 640 | MHD_gnutls_assert (); | 647 | MHD_gnutls_assert (); |
| 641 | return MHD_gtls_asn2err (result); | 648 | return MHD_gtls_asn2err (result); |
| @@ -643,7 +650,7 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn, | |||
| 643 | 650 | ||
| 644 | result = | 651 | result = |
| 645 | MHD__asn1_der_decoding (&pbkdf2_asn, &der->data[params_start], | 652 | MHD__asn1_der_decoding (&pbkdf2_asn, &der->data[params_start], |
| 646 | params_len, NULL); | 653 | params_len, NULL); |
| 647 | if (result != ASN1_SUCCESS) | 654 | if (result != ASN1_SUCCESS) |
| 648 | { | 655 | { |
| 649 | MHD_gnutls_assert (); | 656 | MHD_gnutls_assert (); |
| @@ -655,7 +662,7 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn, | |||
| 655 | params->salt_size = sizeof (params->salt); | 662 | params->salt_size = sizeof (params->salt); |
| 656 | result = | 663 | result = |
| 657 | MHD__asn1_read_value (pbkdf2_asn, "salt.specified", params->salt, | 664 | MHD__asn1_read_value (pbkdf2_asn, "salt.specified", params->salt, |
| 658 | ¶ms->salt_size); | 665 | ¶ms->salt_size); |
| 659 | if (result != ASN1_SUCCESS) | 666 | if (result != ASN1_SUCCESS) |
| 660 | { | 667 | { |
| 661 | MHD_gnutls_assert (); | 668 | MHD_gnutls_assert (); |
| @@ -668,7 +675,7 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn, | |||
| 668 | */ | 675 | */ |
| 669 | result = | 676 | result = |
| 670 | MHD__gnutls_x509_read_uint (pbkdf2_asn, "iterationCount", | 677 | MHD__gnutls_x509_read_uint (pbkdf2_asn, "iterationCount", |
| 671 | ¶ms->iter_count); | 678 | ¶ms->iter_count); |
| 672 | if (result != ASN1_SUCCESS) | 679 | if (result != ASN1_SUCCESS) |
| 673 | { | 680 | { |
| 674 | MHD_gnutls_assert (); | 681 | MHD_gnutls_assert (); |
| @@ -709,7 +716,8 @@ readMHD_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, struct pbkdf2_params *params) | |||
| 709 | /* read the salt */ | 716 | /* read the salt */ |
| 710 | params->salt_size = sizeof (params->salt); | 717 | params->salt_size = sizeof (params->salt); |
| 711 | result = | 718 | result = |
| 712 | MHD__asn1_read_value (pbes2_asn, "salt", params->salt, ¶ms->salt_size); | 719 | MHD__asn1_read_value (pbes2_asn, "salt", params->salt, |
| 720 | ¶ms->salt_size); | ||
| 713 | if (result != ASN1_SUCCESS) | 721 | if (result != ASN1_SUCCESS) |
| 714 | { | 722 | { |
| 715 | MHD_gnutls_assert (); | 723 | MHD_gnutls_assert (); |
| @@ -794,8 +802,8 @@ read_pbe_enc_params (ASN1_TYPE pbes2_asn, | |||
| 794 | 802 | ||
| 795 | result = | 803 | result = |
| 796 | MHD__asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, | 804 | MHD__asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, |
| 797 | "encryptionScheme.parameters", | 805 | "encryptionScheme.parameters", |
| 798 | ¶ms_start, ¶ms_end); | 806 | ¶ms_start, ¶ms_end); |
| 799 | if (result != ASN1_SUCCESS) | 807 | if (result != ASN1_SUCCESS) |
| 800 | { | 808 | { |
| 801 | MHD_gnutls_assert (); | 809 | MHD_gnutls_assert (); |
| @@ -807,15 +815,16 @@ read_pbe_enc_params (ASN1_TYPE pbes2_asn, | |||
| 807 | */ | 815 | */ |
| 808 | if ((result = | 816 | if ((result = |
| 809 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), | 817 | MHD__asn1_create_element (MHD__gnutls_get_pkix (), |
| 810 | "PKIX1.pkcs-5-des-EDE3-CBC-params", | 818 | "PKIX1.pkcs-5-des-EDE3-CBC-params", |
| 811 | &pbe_asn)) != ASN1_SUCCESS) | 819 | &pbe_asn)) != ASN1_SUCCESS) |
| 812 | { | 820 | { |
| 813 | MHD_gnutls_assert (); | 821 | MHD_gnutls_assert (); |
| 814 | return MHD_gtls_asn2err (result); | 822 | return MHD_gtls_asn2err (result); |
| 815 | } | 823 | } |
| 816 | 824 | ||
| 817 | result = | 825 | result = |
| 818 | MHD__asn1_der_decoding (&pbe_asn, &der->data[params_start], params_len, NULL); | 826 | MHD__asn1_der_decoding (&pbe_asn, &der->data[params_start], params_len, |
| 827 | NULL); | ||
| 819 | if (result != ASN1_SUCCESS) | 828 | if (result != ASN1_SUCCESS) |
| 820 | { | 829 | { |
| 821 | MHD_gnutls_assert (); | 830 | MHD_gnutls_assert (); |
| @@ -899,9 +908,10 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, | |||
| 899 | if (schema == PBES2) | 908 | if (schema == PBES2) |
| 900 | { | 909 | { |
| 901 | result = MHD_gc_pbkdf2_sha1 (password, strlen (password), | 910 | result = MHD_gc_pbkdf2_sha1 (password, strlen (password), |
| 902 | (const char*) kdf_params->salt, kdf_params->salt_size, | 911 | (const char *) kdf_params->salt, |
| 903 | kdf_params->iter_count, | 912 | kdf_params->salt_size, |
| 904 | (char*) key, key_size); | 913 | kdf_params->iter_count, (char *) key, |
| 914 | key_size); | ||
| 905 | 915 | ||
| 906 | if (result != GC_OK) | 916 | if (result != GC_OK) |
| 907 | { | 917 | { |
| @@ -914,9 +924,9 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, | |||
| 914 | { | 924 | { |
| 915 | result = | 925 | result = |
| 916 | MHD_pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, | 926 | MHD_pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, |
| 917 | kdf_params->salt_size, | 927 | kdf_params->salt_size, |
| 918 | kdf_params->iter_count, password, | 928 | kdf_params->iter_count, password, |
| 919 | key_size, key); | 929 | key_size, key); |
| 920 | 930 | ||
| 921 | if (result < 0) | 931 | if (result < 0) |
| 922 | { | 932 | { |