Check PKCS7 structures in PKCS#12 files are of type data.
[openssl.git] / crypto / pkcs12 / p12_kiss.c
index f49d2e5..c2ee2cc 100644 (file)
@@ -80,27 +80,24 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
  * passed unitialised.
  */
 
-int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
             STACK_OF(X509) **ca)
 {
 
        /* Check for NULL PKCS12 structure */
 
-       if(!p12)
-               {
+       if(!p12) {
                PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
                return 0;
-               }
+       }
 
        /* Allocate stack for ca certificates if needed */
-       if ((ca != NULL) && (*ca == NULL))
-               {
-               if (!(*ca = sk_X509_new(NULL)))
-                       {
+       if ((ca != NULL) && (*ca == NULL)) {
+               if (!(*ca = sk_X509_new_null())) {
                        PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
                        return 0;
-                       }
                }
+       }
 
        if(pkey) *pkey = NULL;
        if(cert) *cert = NULL;
@@ -135,55 +132,56 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 
  err:
 
-       if (pkey && *pkey) EVP_PKEY_free (*pkey);
-       if (cert && *cert) X509_free (*cert);
-       if (ca) sk_X509_pop_free (*ca, X509_free);
+       if (pkey && *pkey) EVP_PKEY_free(*pkey);
+       if (cert && *cert) X509_free(*cert);
+       if (ca) sk_X509_pop_free(*ca, X509_free);
        return 0;
 
 }
 
 /* Parse the outer PKCS#12 structure */
 
-static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
+static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
             EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
 {
-       STACK *asafes;
+       STACK_OF(PKCS7) *asafes;
        STACK_OF(PKCS12_SAFEBAG) *bags;
        int i, bagnid;
        PKCS7 *p7;
        ASN1_OCTET_STRING *keyid = NULL;
+
        char keymatch = 0;
-       if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
-       for (i = 0; i < sk_num (asafes); i++) {
-               p7 = (PKCS7 *) sk_value (asafes, i);
+       if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;
+       for (i = 0; i < sk_PKCS7_num (asafes); i++) {
+               p7 = sk_PKCS7_value (asafes, i);
                bagnid = OBJ_obj2nid (p7->type);
                if (bagnid == NID_pkcs7_data) {
-                       bags = M_PKCS12_unpack_p7data (p7);
+                       bags = PKCS12_unpack_p7data(p7);
                } else if (bagnid == NID_pkcs7_encrypted) {
-                       bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+                       bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
                } else continue;
                if (!bags) {
-                       sk_pop_free (asafes, (void(*)(void *)) PKCS7_free);
+                       sk_PKCS7_pop_free(asafes, PKCS7_free);
                        return 0;
                }
                if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
                                                         &keyid, &keymatch)) {
                        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-                       sk_pop_free(asafes, (void(*)(void *)) PKCS7_free);
+                       sk_PKCS7_pop_free(asafes, PKCS7_free);
                        return 0;
                }
                sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
        }
-       sk_pop_free(asafes, (void(*)(void *)) PKCS7_free);
+       sk_PKCS7_pop_free(asafes, PKCS7_free);
        if (keyid) M_ASN1_OCTET_STRING_free(keyid);
        return 1;
 }
 
 
-static int parse_bags (STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
-                      int passlen, EVP_PKEY **pkey, X509 **cert,
-                      STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
-                      char *keymatch)
+static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
+                     int passlen, EVP_PKEY **pkey, X509 **cert,
+                     STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
+                     char *keymatch)
 {
        int i;
        for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
@@ -199,18 +197,23 @@ static int parse_bags (STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
 #define MATCH_ALL  0x3
 
 static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
-                     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
-                     ASN1_OCTET_STRING **keyid,
-            char *keymatch)
+                    EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+                    ASN1_OCTET_STRING **keyid,
+                    char *keymatch)
 {
        PKCS8_PRIV_KEY_INFO *p8;
        X509 *x509;
-       ASN1_OCTET_STRING *lkey = NULL;
+       ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL;
        ASN1_TYPE *attrib;
+       ASN1_BMPSTRING *fname = NULL;
 
+       if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))
+               fname = attrib->value.bmpstring;
 
-       if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
-                                           lkey = attrib->value.octet_string;
+       if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) {
+               lkey = attrib->value.octet_string;
+               ckid = lkey;
+       }
 
        /* Check for any local key id matching (if needed) */
        if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
@@ -218,7 +221,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
                        if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
                } else {
                        if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
-                               PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
+                               PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILURE);
                                return 0;
                    }
                }
@@ -234,7 +237,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 
        case NID_pkcs8ShroudedKeyBag:
                if (!lkey || !pkey) return 1;   
-               if (!(p8 = M_PKCS12_decrypt_skey(bag, pass, passlen)))
+               if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
                                return 0;
                *pkey = EVP_PKCS82PKEY(p8);
                PKCS8_PRIV_KEY_INFO_free(p8);
@@ -245,10 +248,35 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
        case NID_certBag:
                if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
                                                                 return 1;
-               if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+               if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
+               if(ckid)
+                       {
+                       if (!X509_keyid_set1(x509, ckid->data, ckid->length))
+                               {
+                               X509_free(x509);
+                               return 0;
+                               }
+                       }
+               if(fname) {
+                       int len, r;
+                       unsigned char *data;
+                       len = ASN1_STRING_to_UTF8(&data, fname);
+                       if(len > 0) {
+                               r = X509_alias_set1(x509, data, len);
+                               OPENSSL_free(data);
+                               if (!r)
+                                       {
+                                       X509_free(x509);
+                                       return 0;
+                                       }
+                       }
+               }
+
+
                if (lkey) {
                        *keymatch |= MATCH_CERT;
                        if (cert) *cert = x509;
+                       else X509_free(x509);
                } else {
                        if(ca) sk_X509_push (*ca, x509);
                        else X509_free(x509);