/* unwrap and decrypt PKCS#7 envelopedData object, return decoded size */
CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz)
{
int recipFound = 0;
int ret, version, length;
word32 savedIdx = 0, idx = 0;
word32 contentType, encOID;
byte issuerHash[SHA_DIGEST_SIZE];
mp_int serialNum;
int encryptedKeySz, keySz;
byte tmpIv[DES_BLOCK_SIZE];
byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
byte* decryptedKey = NULL;
RsaKey privKey;
int encryptedContentSz;
byte padLen;
byte* encryptedContent = NULL;
if (pkcs7 == NULL || pkcs7->singleCert == NULL ||
pkcs7->singleCertSz == 0 || pkcs7->privateKey == NULL ||
pkcs7->privateKeySz == 0)
return BAD_FUNC_ARG;
if (pkiMsg == NULL || pkiMsgSz == 0 ||
output == NULL || outputSz == 0)
return BAD_FUNC_ARG;
/* load private key */
ret = InitRsaKey(&privKey, 0);
if (ret != 0) return ret;
ret = RsaPrivateKeyDecode(pkcs7->privateKey, &idx, &privKey,
pkcs7->privateKeySz);
if (ret != 0) {
CYASSL_MSG("Failed to decode RSA private key");
return ret;
}
idx = 0;
/* read past ContentInfo, verify type is envelopedData */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (contentType != ENVELOPED_DATA) {
CYASSL_MSG("PKCS#7 input not of type EnvelopedData");
return PKCS7_OID_E;
}
if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* remove EnvelopedData and version */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (GetMyVersion(pkiMsg, &idx, &version) < 0)
return ASN_PARSE_E;
if (version != 0) {
CYASSL_MSG("PKCS#7 envelopedData needs to be of version 0");
return ASN_VERSION_E;
}
/* walk through RecipientInfo set, find correct recipient */
if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
savedIdx = idx;
recipFound = 0;
/* when looking for next recipient, use first sequence and version to
* indicate there is another, if not, move on */
while(recipFound == 0) {
/* remove RecipientInfo, if we don't have a SEQUENCE, back up idx to
* last good saved one */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
idx = savedIdx;
break;
}
if (GetMyVersion(pkiMsg, &idx, &version) < 0) {
idx = savedIdx;
break;
}
if (version != 0)
return ASN_VERSION_E;
/* remove IssuerAndSerialNumber */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (GetNameHash(pkiMsg, &idx, issuerHash, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* if we found correct recipient, issuer hashes will match */
if (XMEMCMP(issuerHash, pkcs7->issuerHash, SHA_DIGEST_SIZE) == 0) {
recipFound = 1;
}
if (GetInt(&serialNum, pkiMsg, &idx, pkiMsgSz) < 0)
return ASN_PARSE_E;
mp_clear(&serialNum);
if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* key encryption algorithm must be RSA for now */
if (encOID != RSAk)
return ALGO_ID_E;
/* read encryptedKey */
if (pkiMsg[idx++] != ASN_OCTET_STRING)
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &encryptedKeySz, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (recipFound == 1)
XMEMCPY(encryptedKey, &pkiMsg[idx], encryptedKeySz);
idx += encryptedKeySz;
/* update good idx */
savedIdx = idx;
}
if (recipFound == 0) {
CYASSL_MSG("No recipient found in envelopedData that matches input");
return PKCS7_RECIP_E;
}
/* remove EncryptedContentInfo */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* get block cipher IV, stored in OPTIONAL parameter of AlgoID */
if (pkiMsg[idx++] != ASN_OCTET_STRING)
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (length != DES_BLOCK_SIZE) {
CYASSL_MSG("Incorrect IV length, must be of DES_BLOCK_SIZE");
return ASN_PARSE_E;
}
XMEMCPY(tmpIv, &pkiMsg[idx], length);
idx += length;
/* read encryptedContent, cont[0] */
if (pkiMsg[idx++] != (ASN_CONTEXT_SPECIFIC | 0))
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) < 0)
return ASN_PARSE_E;
encryptedContent = XMALLOC(encryptedContentSz, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
XMEMCPY(encryptedContent, &pkiMsg[idx], encryptedContentSz);
/* decrypt encryptedKey */
keySz = RsaPrivateDecryptInline(encryptedKey, encryptedKeySz,
&decryptedKey, &privKey);
FreeRsaKey(&privKey);
if (keySz <= 0)
return keySz;
/* decrypt encryptedContent */
if (encOID == DESb) {
Des des;
ret = Des_SetKey(&des, decryptedKey, tmpIv, DES_DECRYPTION);
if (ret == 0)
Des_CbcDecrypt(&des, encryptedContent, encryptedContent,
encryptedContentSz);
if (ret != 0) {
XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
}
else if (encOID == DES3b) {
Des3 des;
ret = Des3_SetKey(&des, decryptedKey, tmpIv, DES_DECRYPTION);
if (ret == 0)
ret = Des3_CbcDecrypt(&des, encryptedContent, encryptedContent,
encryptedContentSz);
if (ret != 0) {
XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
} else {
CYASSL_MSG("Unsupported content encryption OID type");
return ALGO_ID_E;
}
padLen = encryptedContent[encryptedContentSz-1];
/* copy plaintext to output */
XMEMCPY(output, encryptedContent, encryptedContentSz - padLen);
/* free memory, zero out keys */
XMEMSET(encryptedKey, 0, MAX_ENCRYPTED_KEY_SZ);
XMEMSET(encryptedContent, 0, encryptedContentSz);
XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return encryptedContentSz - padLen;
}
/* Finds the certificates in the message and saves it. */
int PKCS7_VerifySignedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz)
{
word32 idx, contentType;
int length, version, ret;
byte* content = NULL;
byte* sig = NULL;
byte* cert = NULL;
byte* signedAttr = NULL;
int contentSz = 0, sigSz = 0, certSz = 0, signedAttrSz = 0;
(void)signedAttr; /* not used yet, just set */
(void)signedAttrSz;
if (pkcs7 == NULL || pkiMsg == NULL || pkiMsgSz == 0)
return BAD_FUNC_ARG;
idx = 0;
/* Get the contentInfo sequence */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Get the contentInfo contentType */
if (GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (contentType != SIGNED_DATA) {
CYASSL_MSG("PKCS#7 input not of type SignedData");
return PKCS7_OID_E;
}
/* get the ContentInfo content */
if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Get the signedData sequence */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Get the version */
if (GetMyVersion(pkiMsg, &idx, &version) < 0)
return ASN_PARSE_E;
if (version != 1) {
CYASSL_MSG("PKCS#7 signedData needs to be of version 1");
return ASN_VERSION_E;
}
/* Get the set of DigestAlgorithmIdentifiers */
if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Skip the set. */
idx += length;
/* Get the inner ContentInfo sequence */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Get the inner ContentInfo contentType */
if (GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (contentType != DATA) {
CYASSL_MSG("PKCS#7 inner input not of type Data");
return PKCS7_OID_E;
}
if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (pkiMsg[idx++] != ASN_OCTET_STRING)
return ASN_PARSE_E;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Save the inner data as the content. */
if (length > 0) {
/* Local pointer for calculating hashes later */
pkcs7->content = content = &pkiMsg[idx];
pkcs7->contentSz = contentSz = length;
idx += length;
}
/* Get the implicit[0] set of certificates */
if (pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
idx++;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (length > 0) {
/* At this point, idx is at the first certificate in
* a set of certificates. There may be more than one,
* or none, or they may be a PKCS 6 extended
* certificate. We want to save the first cert if it
* is X.509. */
word32 certIdx = idx;
if (pkiMsg[certIdx++] == (ASN_CONSTRUCTED | ASN_SEQUENCE)) {
if (GetLength(pkiMsg, &certIdx, &certSz, pkiMsgSz) < 0)
return ASN_PARSE_E;
cert = &pkiMsg[idx];
certSz += (certIdx - idx);
}
PKCS7_InitWithCert(pkcs7, cert, certSz);
}
idx += length;
}
/* Get the implicit[1] set of crls */
if (pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
idx++;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Skip the set */
idx += length;
}
/* Get the set of signerInfos */
if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
if (length > 0) {
RsaKey key;
word32 scratch = 0;
int plainSz = 0;
byte digest[MAX_SEQ_SZ+MAX_ALGO_SZ+MAX_OCTET_STR_SZ+SHA_DIGEST_SIZE];
/* Get the sequence of the first signerInfo */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Get the version */
if (GetMyVersion(pkiMsg, &idx, &version) < 0)
return ASN_PARSE_E;
if (version != 1) {
CYASSL_MSG("PKCS#7 signerInfo needs to be of version 1");
return ASN_VERSION_E;
}
/* Get the sequence of IssuerAndSerialNumber */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Skip it */
idx += length;
/* Get the sequence of digestAlgorithm */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Skip it */
idx += length;
/* Get the IMPLICIT[0] SET OF signedAttributes */
if (pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
idx++;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* save pointer and length */
signedAttr = &pkiMsg[idx];
signedAttrSz = length;
idx += length;
}
/* Get the sequence of digestEncryptionAlgorithm */
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* Skip it */
idx += length;
/* Get the signature */
if (pkiMsg[idx] == ASN_OCTET_STRING) {
idx++;
if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
/* save pointer and length */
sig = &pkiMsg[idx];
sigSz = length;
idx += length;
}
XMEMSET(digest, 0, sizeof(digest));
pkcs7->content = content;
pkcs7->contentSz = contentSz;
ret = InitRsaKey(&key, NULL);
if (ret != 0) return ret;
if (RsaPublicKeyDecode(pkcs7->publicKey, &scratch, &key,
pkcs7->publicKeySz) < 0) {
CYASSL_MSG("ASN RSA key decode error");
return PUBLIC_KEY_E;
}
plainSz = RsaSSL_Verify(sig, sigSz, digest, sizeof(digest), &key);
FreeRsaKey(&key);
if (plainSz < 0)
return plainSz;
}
return 0;
}
/* Convert DER format stored in der buffer to WC_PKCS12 struct
* Puts the raw contents of Content Info into structure without completly
* parsing or decoding.
* der : pointer to der buffer holding PKCS12
* derSz : size of der buffer
* pkcs12 : non-null pkcs12 pointer
*/
int wc_d2i_PKCS12(const byte* der, word32 derSz, WC_PKCS12* pkcs12)
{
word32 idx = 0;
word32 totalSz = 0;
int ret;
int size = 0;
int version = 0;
WOLFSSL_ENTER("wolfSSL_d2i_PKCS12_bio");
if (der == NULL || pkcs12 == NULL) {
return BAD_FUNC_ARG;
}
totalSz = derSz;
if ((ret = GetSequence(der, &idx, &size, totalSz)) <= 0) {
WOLFSSL_MSG("Failed to get PKCS12 sequence");
return ret;
}
/* get version */
if ((ret = GetMyVersion(der, &idx, &version, totalSz)) < 0) {
return ret;
}
#ifdef WOLFSSL_DEBUG_PKCS12
printf("\nBEGIN: PKCS12 size = %d\n", totalSz);
printf("version = %d\n", version);
#endif
if (version != 3) {
WOLFSSL_MSG("PKCS12 unsupported version!");
return ASN_VERSION_E;
}
if ((ret = GetSequence(der, &idx, &size, totalSz)) < 0) {
return ret;
}
#ifdef WOLFSSL_DEBUG_PKCS12
printf("\tSEQUENCE: AuthenticatedSafe size = %d\n", size);
#endif
if ((ret = GetSafeContent(pkcs12, der, &idx, size + idx)) < 0) {
WOLFSSL_MSG("GetSafeContent error");
return ret;
}
/* if more buffer left check for MAC data */
if (idx < totalSz) {
if ((ret = GetSequence(der, &idx, &size, totalSz)) < 0) {
WOLFSSL_MSG("Ignoring unknown data at end of PKCS12 DER buffer");
}
else {
#ifdef WOLFSSL_DEBUG_PKCS12
printf("\tSEQUENCE: Signature size = %d\n", size);
#endif
if ((ret = GetSignData(pkcs12, der, &idx, totalSz)) < 0) {
return ASN_PARSE_E;
}
}
}
#ifdef WOLFSSL_DEBUG_PKCS12
printf("END: PKCS12\n");
#endif
return 1;
}
