pki_pkcs12::pki_pkcs12(const QString fname)
:pki_base(fname)
{
FILE *fp;
Passwd pass;
EVP_PKEY *mykey = NULL;
X509 *mycert = NULL;
key=NULL; cert=NULL;
class_name="pki_pkcs12";
certstack = sk_X509_new_null();
pass_info p(XCA_TITLE, tr("Please enter the password to decrypt the PKCS#12 file:\n%1").arg(compressFilename(fname)));
fp = fopen(QString2filename(fname), "rb");
if (fp) {
PKCS12 *pkcs12 = d2i_PKCS12_fp(fp, NULL);
fclose(fp);
if (ign_openssl_error()) {
if (pkcs12)
PKCS12_free(pkcs12);
throw errorEx(tr("Unable to load the PKCS#12 (pfx) file %1.").arg(fname));
}
if (PKCS12_verify_mac(pkcs12, "", 0) || PKCS12_verify_mac(pkcs12, NULL, 0))
pass.clear();
else if (PwDialog::execute(&p, &pass) != 1) {
/* cancel pressed */
PKCS12_free(pkcs12);
throw errorEx("","", E_PASSWD);
}
PKCS12_parse(pkcs12, pass.constData(), &mykey, &mycert, &certstack);
int error = ERR_peek_error();
if (ERR_GET_REASON(error) == PKCS12_R_MAC_VERIFY_FAILURE) {
ign_openssl_error();
PKCS12_free(pkcs12);
throw errorEx(getClassName(), tr("The supplied password was wrong (%1)").arg(ERR_reason_error_string(error)), E_PASSWD);
}
ign_openssl_error();
if (mycert) {
if (mycert->aux && mycert->aux->alias) {
alias = asn1ToQString(mycert->aux->alias);
alias = QString::fromUtf8(alias.toAscii());
}
cert = new pki_x509(mycert);
if (alias.isEmpty()) {
cert->autoIntName();
} else {
cert->setIntName(alias);
}
alias = cert->getIntName();
}
if (mykey) {
key = new pki_evp(mykey);
key->setIntName(alias + "_key");
key->bogusEncryptKey();
}
PKCS12_free(pkcs12);
} else
fopen_error(fname);
}
void pki_pkcs7::signBio(pki_x509 *crt, BIO *bio)
{
pki_key *privkey;
EVP_PKEY *pk;
STACK_OF(X509) *certstack;
if (!crt)
return;
privkey = crt->getRefKey();
if (!privkey)
throw errorEx("No private key for signing found", getClassName());
certstack = sk_X509_new_null();
pki_x509 *signer = crt->getSigner();
if (signer == crt)
signer = NULL;
while (signer != NULL ) {
sk_X509_push(certstack, signer->getCert());
openssl_error();
if (signer == signer->getSigner() )
signer = NULL;
else
signer = signer->getSigner();
}
if (p7)
PKCS7_free(p7);
pk = privkey->decryptKey();
p7 = PKCS7_sign(crt->getCert(), pk, certstack, bio, PKCS7_BINARY);
EVP_PKEY_free(pk);
openssl_error();
sk_X509_free(certstack);
}
void pki_x509req::fload(const QString fname)
{
FILE *fp = fopen_read(fname);
X509_REQ *_req;
int ret = 0;
if (fp != NULL) {
_req = PEM_read_X509_REQ(fp, NULL, NULL, NULL);
if (!_req) {
pki_ign_openssl_error();
rewind(fp);
_req = d2i_X509_REQ_fp(fp, NULL);
}
fclose(fp);
if (ret || pki_ign_openssl_error()) {
if (_req)
X509_REQ_free(_req);
throw errorEx(tr("Unable to load the certificate request in file %1. Tried PEM, DER and SPKAC format.").arg(fname));
}
} else {
fopen_error(fname);
return;
}
if (_req) {
X509_REQ_free(request);
request = _req;
}
autoIntName();
if (getIntName().isEmpty())
setIntName(rmslashdot(fname));
openssl_error(fname);
}
void pki_base::my_error(const QString error) const
{
if (!error.isEmpty()) {
fprintf(stderr, "%s\n", CCHAR(tr("Error: ") + error));
throw errorEx(error, class_name);
}
}
void pki_crl::fload(const QString fname)
{
FILE *fp = fopen(QString2filename(fname), "r");
X509_CRL *_crl;
if (fp != NULL) {
_crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
if (!_crl) {
pki_ign_openssl_error();
rewind(fp);
_crl = d2i_X509_CRL_fp(fp, NULL);
}
fclose(fp);
if (pki_ign_openssl_error()) {
if (_crl)
X509_CRL_free(_crl);
throw errorEx(tr("Unable to load the revokation list in file %1. Tried PEM and DER formatted CRL.").arg(fname));
}
if (crl)
X509_CRL_free(crl);
crl = _crl;
setIntName(rmslashdot(fname));
pki_openssl_error();
} else
fopen_error(fname);
}
void pki_multi::fromPEM_BIO(BIO *bio, QString name)
{
QString text;
pki_base *item = NULL;
char buf[BUFLEN];
int len, startpos;
for (;;) {
try {
int pos = BIO_tell(bio);
len = BIO_read(bio, buf, BUFLEN-1);
buf[len] = '\0';
text = buf;
item = pkiByPEM(text, &startpos);
if (!item) {
if (startpos <= 0)
break;
if (BIO_seek(bio, pos + startpos) == -1)
throw errorEx(tr("Seek failed"));
continue;
}
pos += startpos;
if (BIO_seek(bio, pos) == -1)
throw errorEx(tr("Seek failed"));
item->fromPEM_BIO(bio, name);
if (pos == BIO_tell(bio)) {
/* No progress, do it manually */
if (BIO_seek(bio, pos + 1))
throw errorEx(tr("Seek failed"));
printf("Could not load: %s\n",
CCHAR(item->getClassName()));
delete item;
continue;
}
openssl_error();
multi.append(item);
} catch (errorEx &err) {
MainWindow::Error(err);
if (item)
delete item;
item = NULL;
}
}
if (multi.size() == 0)
throw errorEx(tr("No known PEM encoded items found"));
}
void db_key::__setOwnPass(enum pki_key::passType x)
{
pki_evp *targetKey;
if (!currentIdx.isValid())
return;
targetKey = static_cast<pki_evp*>(currentIdx.internalPointer());
if (targetKey->isToken()) {
throw errorEx(tr("Tried to change password of a token"));
}
targetKey->setOwnPass(x);
updatePKI(targetKey);
}
void db_key::changeSoPin()
{
pki_scard *scard;
if (!currentIdx.isValid())
return;
scard = static_cast<pki_scard*>(currentIdx.internalPointer());
try {
if (!scard->isToken()) {
throw errorEx(tr("Tried to change SO PIN of a key"));
}
scard->changeSoPin();
} catch (errorEx &err) {
mainwin->Error(err);
}
}
void db::rename(enum pki_type type, QString name, QString n)
{
qint64 ret;
first();
if (find(type, n) == 0) {
throw errorEx(QObject::tr("DB: Rename: '%1' already in use").arg(n));
}
first();
if (find(type, name) != 0) {
throw errorEx(QObject::tr("DB: Entry to rename not found: %1").arg(name));
}
strncpy(head.name, n.toUtf8(), NAMELEN);
head.name[NAMELEN-1] = '\0';
file.seek(head_offset);
ret = file.write((char*)&head, sizeof(head));
if (ret < 0) {
fileIOerr("write");
}
if (ret != sizeof head) {
throw errorEx(QObject::tr("DB: Write error %1 - %2"
).arg(ret).arg(sizeof(head)));
}
}
void _openssl_error(const QString txt, const char *file, int line)
{
QString error;
while (int i = ERR_get_error() ) {
error += QString(ERR_error_string(i, NULL)) + "\n";
fputs(CCHAR(QString("OpenSSL error (%1:%2) : %3\n").
arg(file).arg(line).arg(ERR_error_string(i, NULL))),
stderr);
}
if (!error.isEmpty()) {
if (!txt.isEmpty())
error = txt + "\n" + error + "\n" +
QString("(%1:%2)").arg(file).arg(line);
throw errorEx(error);
}
}
void pki_pkcs7::fload(const QString fname)
{
PKCS7 *_p7;
XFile file(fname);
file.open_read();
_p7 = PEM_read_PKCS7(file.fp(), NULL, NULL, NULL);
if (!_p7) {
ign_openssl_error();
file.retry_read();
_p7 = d2i_PKCS7_fp(file.fp(), NULL);
}
if (ign_openssl_error()) {
if (_p7)
PKCS7_free(_p7);
throw errorEx(tr("Unable to load the PKCS#7 file %1. Tried PEM and DER format.").arg(fname));
}
if (p7)
PKCS7_free(p7);
p7 = _p7;
}
int read_dump(const char *filename, db_base **dbs, char *md5, int md5_len)
{
char *p;
int ret = -1, retlen = 0;
int kv=0;
bool md5sum = false;
pki_base *pki = NULL;
db_base *db;
QFile file;
QString line;
file.setFileName(filename);
if (! file.open(QIODevice::ReadOnly)) {
throw errorEx(filename, strerror(errno));
return -1;
}
for (;;) {
line = readLine(&file);
//printf("Line: '%s'\n", CCHAR(line));
if (line.isNull()) {
ret = 0;
break;
}
//printf("FIRST char = '%c'\n", CCHAR(line)[0]);
if (line[0] == ' ') {
if (database >= 0 && database < 5)
db = dbs[database];
else
db = NULL;
kv ^= 1;
p = read_data(CCHAR(line.trimmed()), &retlen);
if (db && !md5) {
if (kv) {
pki = db->newPKI();
if (!pki) {
break;
}
pki->setIntName(p);
} else {
try {
pki->oldFromData((unsigned char*)p, retlen);
db->insert(pki);
} catch (errorEx &err) {
printf("Error catched for '%s'\n", CCHAR(pki->getIntName()));
}
}
} else if (md5) {
if (database == 5) {
p = read_data(CCHAR(line.trimmed()), &retlen);
if (kv)
md5sum = (!strcmp(p, "pwhash")) ? true : false;
if (!kv && md5sum) {
strncpy(md5, p, md5_len);
ret = 0;
break;
}
}
}
free(p);
} else {
if (kv) {
printf("Binary value expected\n");
break;
}
handle_option(line);
}
}
file.close();
if (ret <0) {
throw errorEx(filename, strerror(errno));
return -1;
}
return 0;
}
void db::fileIOerr(QString s)
{
errstr = QString("DB ") + s + "() '" + file.fileName() + "'";
dberrno = errno;
throw errorEx(errstr, strerror(errno));
}
void pki_evp::encryptKey(const char *password)
{
int outl, keylen;
EVP_PKEY *pkey1 = NULL;
EVP_CIPHER_CTX ctx;
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
unsigned char iv[EVP_MAX_IV_LENGTH], *punenc, *punenc1;
unsigned char ckey[EVP_MAX_KEY_LENGTH];
char ownPassBuf[MAX_PASS_LENGTH];
/* This key has its own, private password */
if (ownPass == ptPrivate) {
int ret;
pass_info p(XCA_TITLE, tr("Please enter the password to protect the private key: '%1'").
arg(getIntName()));
ret = MainWindow::passWrite(ownPassBuf, MAX_PASS_LENGTH, 0, &p);
if (ret < 0)
throw errorEx("Password input aborted", class_name);
} else if (ownPass == ptBogus) { // BOGUS password
ownPassBuf[0] = '\0';
} else {
if (password) {
/* use the password parameter if this is a common password */
strncpy(ownPassBuf, password, MAX_PASS_LENGTH);
} else {
int ret = 0;
memcpy(ownPassBuf, passwd, MAX_PASS_LENGTH);
pass_info p(XCA_TITLE, tr("Please enter the database password for encrypting the key"));
while (md5passwd(ownPassBuf) != passHash &&
sha512passwd(ownPassBuf, passHash) != passHash )
{
ret = MainWindow::passRead(ownPassBuf, MAX_PASS_LENGTH, 0,&p);
if (ret < 0)
throw errorEx("Password input aborted", class_name);
}
}
}
/* Prepare Encryption */
memset(iv, 0, EVP_MAX_IV_LENGTH);
RAND_pseudo_bytes(iv,8); /* Generate a salt */
EVP_BytesToKey(cipher, EVP_sha1(), iv, (unsigned char *)ownPassBuf,
strlen(ownPassBuf), 1, ckey, NULL);
EVP_CIPHER_CTX_init (&ctx);
pki_openssl_error();
/* reserve space for unencrypted and encrypted key */
keylen = i2d_PrivateKey(key, NULL);
encKey.resize(keylen + EVP_MAX_KEY_LENGTH + 8);
punenc1 = punenc = (unsigned char *)OPENSSL_malloc(keylen);
check_oom(punenc);
keylen = i2d_PrivateKey(key, &punenc1);
pki_openssl_error();
memcpy(encKey.data(), iv, 8); /* store the iv */
/*
* Now DER version of privkey is in punenc
* and privkey is still in key
*/
/* do the encryption */
/* store key right after the iv */
EVP_EncryptInit(&ctx, cipher, ckey, iv);
unsigned char *penc = (unsigned char *)encKey.data() +8;
EVP_EncryptUpdate(&ctx, penc, &outl, punenc, keylen);
int encKey_len = outl;
EVP_EncryptFinal(&ctx, penc + encKey_len, &outl);
encKey.resize(encKey_len + outl +8);
/* Cleanup */
EVP_CIPHER_CTX_cleanup(&ctx);
/* wipe out the memory */
memset(punenc, 0, keylen);
OPENSSL_free(punenc);
pki_openssl_error();
pkey1 = priv2pub(key);
check_oom(pkey1);
EVP_PKEY_free(key);
key = pkey1;
pki_openssl_error();
//CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
//printf("Encrypt: encKey_len=%d\n", encKey_len);
return;
}
EVP_PKEY *pki_evp::decryptKey() const
{
unsigned char *p;
const unsigned char *p1;
int outl, decsize;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char ckey[EVP_MAX_KEY_LENGTH];
EVP_PKEY *tmpkey;
EVP_CIPHER_CTX ctx;
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
char ownPassBuf[MAX_PASS_LENGTH] = "";
if (isPubKey()) {
unsigned char *q;
outl = i2d_PUBKEY(key, NULL);
p = q = (unsigned char *)OPENSSL_malloc(outl);
check_oom(q);
i2d_PUBKEY(key, &p);
p = q;
tmpkey = d2i_PUBKEY(NULL, (const unsigned char**)&p, outl);
OPENSSL_free(q);
return tmpkey;
}
/* This key has its own password */
if (ownPass == ptPrivate) {
int ret;
pass_info pi(XCA_TITLE, qApp->translate("MainWindow",
"Please enter the password to decrypt the private key: '%1'").arg(getIntName()));
ret = MainWindow::passRead(ownPassBuf, MAX_PASS_LENGTH, 0, &pi);
if (ret < 0)
throw errorEx(tr("Password input aborted"), class_name);
} else if (ownPass == ptBogus) { // BOGUS pass
ownPassBuf[0] = '\0';
} else {
memcpy(ownPassBuf, passwd, MAX_PASS_LENGTH);
//printf("Orig password: '******' len:%d\n", passwd, strlen(passwd));
while (md5passwd(ownPassBuf) != passHash &&
sha512passwd(ownPassBuf, passHash) != passHash)
{
int ret;
//printf("Passhash= '%s', new hash= '%s', passwd= '%s'\n",
//CCHAR(passHash), CCHAR(md5passwd(ownPassBuf)), ownPassBuf);
pass_info p(XCA_TITLE, tr("Please enter the database password for decrypting the key '%1'").arg(getIntName()));
ret = MainWindow::passRead(ownPassBuf, MAX_PASS_LENGTH, 0, &p);
if (ret < 0)
throw errorEx(tr("Password input aborted"), class_name);
}
}
//printf("Using decrypt Pass: %s\n", ownPassBuf);
p = (unsigned char *)OPENSSL_malloc(encKey.count());
check_oom(p);
pki_openssl_error();
p1 = p;
memset(iv, 0, EVP_MAX_IV_LENGTH);
memcpy(iv, encKey.constData(), 8); /* recover the iv */
/* generate the key */
EVP_BytesToKey(cipher, EVP_sha1(), iv, (unsigned char *)ownPassBuf,
strlen(ownPassBuf), 1, ckey,NULL);
/* we use sha1 as message digest,
* because an md5 version of the password is
* stored in the database...
*/
EVP_CIPHER_CTX_init(&ctx);
EVP_DecryptInit(&ctx, cipher, ckey, iv);
EVP_DecryptUpdate(&ctx, p , &outl,
(const unsigned char*)encKey.constData() +8, encKey.count() -8);
decsize = outl;
EVP_DecryptFinal(&ctx, p + decsize , &outl);
decsize += outl;
//printf("Decrypt decsize=%d, encKey_len=%d\n", decsize, encKey_len);
pki_openssl_error();
tmpkey = d2i_PrivateKey(key->type, NULL, &p1, decsize);
pki_openssl_error();
OPENSSL_free(p);
EVP_CIPHER_CTX_cleanup(&ctx);
pki_openssl_error();
if (EVP_PKEY_type(tmpkey->type) == EVP_PKEY_RSA)
RSA_blinding_on(tmpkey->pkey.rsa, NULL);
return tmpkey;
}
void pki_evp::fload(const QString fname)
{
pass_info p(XCA_TITLE, qApp->translate("MainWindow",
"Please enter the password to decrypt the private key: '%1'").
arg(fname));
pem_password_cb *cb = MainWindow::passRead;
FILE *fp = fopen(QString2filename(fname), "r");
EVP_PKEY *pkey;
pki_ign_openssl_error();
if (!fp) {
fopen_error(fname);
return;
}
pkey = PEM_read_PrivateKey(fp, NULL, cb, &p);
if (!pkey) {
if (ERR_get_error() == 0x06065064) {
fclose(fp);
pki_ign_openssl_error();
throw errorEx(tr("Failed to decrypt the key (bad password) ") +
fname, class_name);
}
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = d2i_PrivateKey_fp(fp, NULL);
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = d2i_PKCS8PrivateKey_fp(fp, NULL, cb, &p);
}
if (!pkey) {
PKCS8_PRIV_KEY_INFO *p8inf;
pki_ign_openssl_error();
rewind(fp);
p8inf = d2i_PKCS8_PRIV_KEY_INFO_fp(fp, NULL);
if (p8inf) {
pkey = EVP_PKCS82PKEY(p8inf);
PKCS8_PRIV_KEY_INFO_free(p8inf);
}
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = PEM_read_PUBKEY(fp, NULL, cb, &p);
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = d2i_PUBKEY_fp(fp, NULL);
}
fclose(fp);
if (pki_ign_openssl_error()) {
if (pkey)
EVP_PKEY_free(pkey);
throw errorEx(tr("Unable to load the private key in file %1. Tried PEM and DER private, public and PKCS#8 key types.").arg(fname));
}
if (pkey){
if (pkey->type == EVP_PKEY_EC)
search_ec_oid(pkey->pkey.ec);
if (key)
EVP_PKEY_free(key);
key = pkey;
if (EVP_PKEY_isPrivKey(key))
bogusEncryptKey();
setIntName(rmslashdot(fname));
}
}
