2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
14 #include "internal/nelem.h"
16 #include <openssl/pkcs12.h>
17 #include <openssl/x509.h>
18 #include <openssl/x509v3.h>
19 #include <openssl/pem.h>
22 #include "pkcs12_helper.h"
24 DEFINE_STACK_OF(PKCS7)
25 DEFINE_STACK_OF(PKCS12_SAFEBAG)
27 /* Set this to > 0 write test data to file */
30 /* -------------------------------------------------------------------------
31 * Local function declarations
34 static X509 *load_cert(const unsigned char *bytes, int len);
35 static EVP_PKEY *load_pkey(const unsigned char *bytes, int len);
37 static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs);
39 static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
40 static int write_p12(PKCS12 *p12, const char *outfile);
42 static PKCS12 *from_bio_p12(BIO *bio, const PKCS12_ENC *mac);
43 static PKCS12 *read_p12(const char *infile, const PKCS12_ENC *mac);
44 static int check_p12_mac(PKCS12 *p12, const PKCS12_ENC *mac);
45 static int check_asn1_string(const ASN1_TYPE *av, const char *txt);
46 static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_ATTR *attrs);
49 /* --------------------------------------------------------------------------
50 * Test data load functions
53 static X509 *load_cert(const unsigned char *bytes, int len)
57 cert = d2i_X509(NULL, &bytes, len);
64 static EVP_PKEY *load_pkey(const unsigned char *bytes, int len)
66 EVP_PKEY *pkey = NULL;
68 pkey = d2i_AutoPrivateKey(NULL, &bytes, len);
76 /* -------------------------------------------------------------------------
80 PKCS12_BUILDER *new_pkcs12_builder(const char *filename)
82 PKCS12_BUILDER *pb = OPENSSL_malloc(sizeof(PKCS12_BUILDER));
86 pb->filename = filename;
91 int end_pkcs12_builder(PKCS12_BUILDER *pb)
93 int result = pb->success;
100 void start_pkcs12(PKCS12_BUILDER *pb)
106 void end_pkcs12(PKCS12_BUILDER *pb)
110 generate_p12(pb, NULL);
114 void end_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
118 generate_p12(pb, mac);
122 /* Generate the PKCS12 encoding and write to memory bio */
123 static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
130 pb->p12bio = BIO_new(BIO_s_mem());
131 if (!TEST_ptr(pb->p12bio)) {
135 p12 = PKCS12_add_safes(pb->safes, 0);
136 if (!TEST_ptr(p12)) {
140 sk_PKCS7_pop_free(pb->safes, PKCS7_free);
143 if (!TEST_true(PKCS12_set_mac(p12, mac->pass, strlen(mac->pass),
144 NULL, 0, mac->iter, EVP_get_digestbynid(mac->nid)))) {
149 i2d_PKCS12_bio(pb->p12bio, p12);
151 /* Can write to file here for debug */
153 write_p12(p12, pb->filename);
159 static int write_p12(PKCS12 *p12, const char *outfile)
162 BIO *out = BIO_new_file(outfile, "w");
167 if (!TEST_int_eq(i2d_PKCS12_bio(out, p12), 1))
175 static PKCS12 *from_bio_p12(BIO *bio, const PKCS12_ENC *mac)
179 p12 = d2i_PKCS12_bio(bio, NULL);
184 if (!TEST_false(PKCS12_mac_present(p12)))
187 if (!check_p12_mac(p12, mac))
197 /* For use with existing files */
198 static PKCS12 *read_p12(const char *infile, const PKCS12_ENC *mac)
201 BIO *in = BIO_new_file(infile, "r");
205 p12 = d2i_PKCS12_bio(in, NULL);
210 if (!TEST_false(PKCS12_mac_present(p12)))
213 if (!check_p12_mac(p12, mac))
222 static int check_p12_mac(PKCS12 *p12, const PKCS12_ENC *mac)
224 return TEST_true(PKCS12_mac_present(p12))
225 && TEST_true(PKCS12_verify_mac(p12, mac->pass, strlen(mac->pass)));
229 /* -------------------------------------------------------------------------
230 * PKCS7 content info builder
233 void start_contentinfo(PKCS12_BUILDER *pb)
239 void end_contentinfo(PKCS12_BUILDER *pb)
242 if (pb->bags && !TEST_true(PKCS12_add_safe(&pb->safes, pb->bags, -1, 0, NULL))) {
247 sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
252 void end_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc)
256 && !TEST_true(PKCS12_add_safe(&pb->safes, pb->bags, enc->nid, enc->iter, enc->pass))) {
261 sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
266 static STACK_OF(PKCS12_SAFEBAG) *decode_contentinfo(STACK_OF(PKCS7) *safes, int idx, const PKCS12_ENC *enc)
268 STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
269 PKCS7 *p7 = sk_PKCS7_value(safes, idx);
270 int bagnid = OBJ_obj2nid(p7->type);
273 if (!TEST_int_eq(bagnid, NID_pkcs7_encrypted))
275 /* TODO: Check algorithm (iterations?) against what we originally set */
276 bags = PKCS12_unpack_p7encdata(p7, enc->pass, strlen(enc->pass));
278 if (!TEST_int_eq(bagnid, NID_pkcs7_data))
280 bags = PKCS12_unpack_p7data(p7);
291 /* -------------------------------------------------------------------------
292 * PKCS12 safeBag/attribute builder
295 static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs)
299 const PKCS12_ATTR *p_attr = attrs;
304 while (p_attr->oid != NULL) {
305 TEST_info("Adding attribute %s = %s", p_attr->oid, p_attr->value);
306 attr_nid = OBJ_txt2nid(p_attr->oid);
308 if (attr_nid == NID_friendlyName) {
309 if (!TEST_true(PKCS12_add_friendlyname(bag, p_attr->value, -1)))
311 } else if (attr_nid == NID_localKeyID) {
312 if (!TEST_true(PKCS12_add_localkeyid(bag, (unsigned char *)p_attr->value,
313 strlen(p_attr->value))))
316 /* Custom attribute values limited to ASCII in these tests */
317 if (!TEST_true(PKCS12_add1_attr_by_txt(bag, p_attr->oid, MBSTRING_ASC,
318 (unsigned char *)p_attr->value,
319 strlen(p_attr->value))))
329 void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
330 const PKCS12_ATTR *attrs)
332 PKCS12_SAFEBAG *bag = NULL;
339 cert = load_cert(bytes, len);
340 if (!TEST_ptr(cert)) {
345 name = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
346 TEST_info("Adding certificate <%s>", name);
349 bag = PKCS12_add_cert(&pb->bags, cert);
350 if (!TEST_ptr(bag)) {
355 if (!TEST_true(add_attributes(bag, attrs))) {
363 void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
364 const PKCS12_ATTR *attrs, const PKCS12_ENC *enc)
366 PKCS12_SAFEBAG *bag = NULL;
367 EVP_PKEY *pkey = NULL;
372 TEST_info("Adding key");
374 pkey = load_pkey(bytes, len);
375 if (!TEST_ptr(pkey)) {
380 bag = PKCS12_add_key(&pb->bags, pkey, 0 /*keytype*/, enc->iter, enc->nid, enc->pass);
381 if (!TEST_ptr(bag)) {
385 if (!add_attributes(bag, attrs))
391 void add_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret,
392 const PKCS12_ATTR *attrs)
394 PKCS12_SAFEBAG *bag = NULL;
399 TEST_info("Adding secret <%s>", secret);
401 bag = PKCS12_add_secret(&pb->bags, secret_nid, (const unsigned char *)secret, strlen(secret));
402 if (!TEST_ptr(bag)) {
406 if (!add_attributes(bag, attrs))
411 /* -------------------------------------------------------------------------
412 * PKCS12 structure checking
415 static int check_asn1_string(const ASN1_TYPE *av, const char *txt)
424 case V_ASN1_BMPSTRING:
425 value = OPENSSL_uni2asc(av->value.bmpstring->data,
426 av->value.bmpstring->length);
427 if (!TEST_str_eq(txt, (char *)value))
431 case V_ASN1_UTF8STRING:
432 if (!TEST_str_eq(txt, (char *)av->value.utf8string->data))
436 case V_ASN1_OCTET_STRING:
437 if (!TEST_str_eq(txt, (char *)av->value.octet_string->data))
442 /* Tests do not support other attribute types currently */
451 static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_ATTR *attrs)
454 X509_ATTRIBUTE *attr;
459 for (i = 0; i < sk_X509_ATTRIBUTE_num(bag_attrs); i++) {
460 const PKCS12_ATTR *p_attr = attrs;
461 ASN1_OBJECT *attr_obj;
463 attr = sk_X509_ATTRIBUTE_value(bag_attrs, i);
464 attr_obj = X509_ATTRIBUTE_get0_object(attr);
465 OBJ_obj2txt(attr_txt, 100, attr_obj, 0);
467 while(p_attr->oid != NULL) {
468 /* Find a matching attribute type */
469 if (strcmp(p_attr->oid, attr_txt) == 0) {
471 /* TODO: Handle multi-value attributes */
472 if (!TEST_int_eq(X509_ATTRIBUTE_count(attr), 1))
475 for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
477 av = X509_ATTRIBUTE_get0_type(attr, j);
478 if (!TEST_true(check_asn1_string(av, p_attr->value)))
491 void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
492 const PKCS12_ATTR *attrs)
495 X509 *ref_x509 = NULL;
496 const PKCS12_SAFEBAG *bag;
501 bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
502 if (!TEST_ptr(bag)) {
506 if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)
507 || !TEST_int_eq(PKCS12_SAFEBAG_get_nid(bag), NID_certBag)
508 || !TEST_int_eq(PKCS12_SAFEBAG_get_bag_nid(bag), NID_x509Certificate)) {
512 x509 = PKCS12_SAFEBAG_get1_cert(bag);
513 if (!TEST_ptr(x509)) {
517 ref_x509 = load_cert(bytes, len);
518 if (!TEST_false(X509_cmp(x509, ref_x509)))
525 void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
526 const PKCS12_ATTR *attrs, const PKCS12_ENC *enc)
528 EVP_PKEY *pkey = NULL;
529 EVP_PKEY *ref_pkey = NULL;
530 PKCS8_PRIV_KEY_INFO *p8;
531 const PKCS8_PRIV_KEY_INFO *p8c;
532 const PKCS12_SAFEBAG *bag;
537 bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
538 if (!TEST_ptr(bag)) {
543 if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)) {
548 switch (PKCS12_SAFEBAG_get_nid(bag)) {
550 p8c = PKCS12_SAFEBAG_get0_p8inf(bag);
551 if (!TEST_ptr(pkey = EVP_PKCS82PKEY(p8c))) {
555 /* TODO: handle key attributes */
556 /* PKCS8_pkey_get0_attrs(p8c); */
559 case NID_pkcs8ShroudedKeyBag:
560 if (!TEST_ptr(p8 = PKCS12_decrypt_skey(bag, enc->pass, strlen(enc->pass)))) {
564 if (!TEST_ptr(pkey = EVP_PKCS82PKEY(p8))) {
565 PKCS8_PRIV_KEY_INFO_free(p8);
569 /* TODO: handle key attributes */
570 /* PKCS8_pkey_get0_attrs(p8); */
571 PKCS8_PRIV_KEY_INFO_free(p8);
579 /* PKEY compare returns 1 for match */
580 ref_pkey = load_pkey(bytes, len);
581 if (!TEST_true(EVP_PKEY_eq(pkey, ref_pkey)))
585 EVP_PKEY_free(ref_pkey);
588 void check_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret, const PKCS12_ATTR *attrs)
590 const PKCS12_SAFEBAG *bag;
595 bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
596 if (!TEST_ptr(bag)) {
601 if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)
602 || !TEST_int_eq(PKCS12_SAFEBAG_get_nid(bag), NID_secretBag)
603 || !TEST_int_eq(PKCS12_SAFEBAG_get_bag_nid(bag), secret_nid)
604 || !TEST_true(check_asn1_string(PKCS12_SAFEBAG_get0_bag_obj(bag), secret)))
609 void start_check_pkcs12(PKCS12_BUILDER *pb)
611 PKCS12 *p12 = from_bio_p12(pb->p12bio, NULL);
612 if (!TEST_ptr(p12)) {
616 pb->safes = PKCS12_unpack_authsafes(p12);
617 if (!TEST_ptr(pb->safes))
624 void start_check_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
626 PKCS12 *p12 = from_bio_p12(pb->p12bio, mac);
627 if (!TEST_ptr(p12)) {
631 pb->safes = PKCS12_unpack_authsafes(p12);
632 if (!TEST_ptr(pb->safes))
639 void start_check_pkcs12_file(PKCS12_BUILDER *pb)
641 PKCS12 *p12 = read_p12(pb->filename, NULL);
642 if (!TEST_ptr(p12)) {
646 pb->safes = PKCS12_unpack_authsafes(p12);
647 if (!TEST_ptr(pb->safes))
654 void start_check_pkcs12_file_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
656 PKCS12 *p12 = read_p12(pb->filename, mac);
657 if (!TEST_ptr(p12)) {
661 pb->safes = PKCS12_unpack_authsafes(p12);
662 if (!TEST_ptr(pb->safes))
669 void end_check_pkcs12(PKCS12_BUILDER *pb)
671 sk_PKCS7_pop_free(pb->safes, PKCS7_free);
675 void start_check_contentinfo(PKCS12_BUILDER *pb)
678 pb->bags = decode_contentinfo(pb->safes, pb->safe_idx++, NULL);
679 if (!TEST_ptr(pb->bags)) {
683 TEST_info("Decoding %d bags", sk_PKCS12_SAFEBAG_num(pb->bags));
686 void start_check_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc)
689 pb->bags = decode_contentinfo(pb->safes, pb->safe_idx++, enc);
690 if (!TEST_ptr(pb->bags)) {
694 TEST_info("Decoding %d bags", sk_PKCS12_SAFEBAG_num(pb->bags));
698 void end_check_contentinfo(PKCS12_BUILDER *pb)
700 if (!TEST_int_eq(sk_PKCS12_SAFEBAG_num(pb->bags), pb->bag_idx))
702 sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);