Exemplo n.º 1
0
/**
 * gnutls_pkcs12_simple_parse:
 * @p12: A pkcs12 type
 * @password: optional password used to decrypt the structure, bags and keys.
 * @key: a structure to store the parsed private key.
 * @chain: the corresponding to key certificate chain (may be %NULL)
 * @chain_len: will be updated with the number of additional (may be %NULL)
 * @extra_certs: optional pointer to receive an array of additional
 *	       certificates found in the PKCS12 structure (may be %NULL).
 * @extra_certs_len: will be updated with the number of additional
 *		   certs (may be %NULL).
 * @crl: an optional structure to store the parsed CRL (may be %NULL).
 * @flags: should be zero or one of GNUTLS_PKCS12_SP_*
 *
 * This function parses a PKCS12 structure in @pkcs12 and extracts the
 * private key, the corresponding certificate chain, any additional
 * certificates and a CRL. The structures in @key, @chain @crl, and @extra_certs
 * must not be initialized.
 *
 * The @extra_certs and @extra_certs_len parameters are optional
 * and both may be set to %NULL. If either is non-%NULL, then both must
 * be set. The value for @extra_certs is allocated
 * using gnutls_malloc().
 * 
 * Encrypted PKCS12 bags and PKCS8 private keys are supported, but
 * only with password based security and the same password for all
 * operations.
 *
 * Note that a PKCS12 structure may contain many keys and/or certificates,
 * and there is no way to identify which key/certificate pair you want.
 * For this reason this function is useful for PKCS12 files that contain 
 * only one key/certificate pair and/or one CRL.
 *
 * If the provided structure has encrypted fields but no password
 * is provided then this function returns %GNUTLS_E_DECRYPTION_FAILED.
 *
 * Note that normally the chain constructed does not include self signed
 * certificates, to comply with TLS' requirements. If, however, the flag 
 * %GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED is specified then
 * self signed certificates will be included in the chain.
 *
 * Prior to using this function the PKCS #12 structure integrity must
 * be verified using gnutls_pkcs12_verify_mac().
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.1.0
 **/
int
gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12,
			   const char *password,
			   gnutls_x509_privkey_t * key,
			   gnutls_x509_crt_t ** chain,
			   unsigned int *chain_len,
			   gnutls_x509_crt_t ** extra_certs,
			   unsigned int *extra_certs_len,
			   gnutls_x509_crl_t * crl, unsigned int flags)
{
	gnutls_pkcs12_bag_t bag = NULL;
	gnutls_x509_crt_t *_extra_certs = NULL;
	unsigned int _extra_certs_len = 0;
	gnutls_x509_crt_t *_chain = NULL;
	unsigned int _chain_len = 0;
	int idx = 0;
	int ret;
	size_t cert_id_size = 0;
	size_t key_id_size = 0;
	uint8_t cert_id[20];
	uint8_t key_id[20];
	int privkey_ok = 0;
	unsigned int i;
	int elements_in_bag;

	*key = NULL;

	if (crl)
		*crl = NULL;

	/* find the first private key */
	for (;;) {

		ret = gnutls_pkcs12_bag_init(&bag);
		if (ret < 0) {
			bag = NULL;
			gnutls_assert();
			goto done;
		}

		ret = gnutls_pkcs12_get_bag(p12, idx, bag);
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			gnutls_pkcs12_bag_deinit(bag);
			bag = NULL;
			break;
		}
		if (ret < 0) {
			gnutls_assert();
			goto done;
		}

		ret = gnutls_pkcs12_bag_get_type(bag, 0);
		if (ret < 0) {
			gnutls_assert();
			goto done;
		}

		if (ret == GNUTLS_BAG_ENCRYPTED) {
			if (password == NULL) {
				ret =
				    gnutls_assert_val
				    (GNUTLS_E_DECRYPTION_FAILED);
				goto done;
			}

			ret = gnutls_pkcs12_bag_decrypt(bag, password);
			if (ret < 0) {
				gnutls_assert();
				goto done;
			}
		}

		elements_in_bag = gnutls_pkcs12_bag_get_count(bag);
		if (elements_in_bag < 0) {
			gnutls_assert();
			goto done;
		}

		for (i = 0; i < (unsigned)elements_in_bag; i++) {
			int type;
			gnutls_datum_t data;

			type = gnutls_pkcs12_bag_get_type(bag, i);
			if (type < 0) {
				gnutls_assert();
				goto done;
			}

			ret = gnutls_pkcs12_bag_get_data(bag, i, &data);
			if (ret < 0) {
				gnutls_assert();
				goto done;
			}

			switch (type) {
			case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
				if (password == NULL) {
					ret =
					    gnutls_assert_val
					    (GNUTLS_E_DECRYPTION_FAILED);
					goto done;
				}

				FALLTHROUGH;
			case GNUTLS_BAG_PKCS8_KEY:
				if (*key != NULL) {	/* too simple to continue */
					gnutls_assert();
					break;
				}

				ret = gnutls_x509_privkey_init(key);
				if (ret < 0) {
					gnutls_assert();
					goto done;
				}

				ret = gnutls_x509_privkey_import_pkcs8
				    (*key, &data, GNUTLS_X509_FMT_DER,
				     password,
				     type ==
				     GNUTLS_BAG_PKCS8_KEY ?
				     GNUTLS_PKCS_PLAIN : 0);
				if (ret < 0) {
					gnutls_assert();
					goto done;
				}

				key_id_size = sizeof(key_id);
				ret =
				    gnutls_x509_privkey_get_key_id(*key, 0,
								   key_id,
								   &key_id_size);
				if (ret < 0) {
					gnutls_assert();
					goto done;
				}

				privkey_ok = 1;	/* break */
				break;
			default:
				break;
			}
		}

		idx++;
		gnutls_pkcs12_bag_deinit(bag);
		bag = NULL;

		if (privkey_ok != 0)	/* private key was found */
			break;
	}

	if (privkey_ok == 0) {	/* no private key */
		gnutls_assert();
		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
	}

	/* now find the corresponding certificate 
	 */
	idx = 0;
	bag = NULL;
	for (;;) {
		ret = gnutls_pkcs12_bag_init(&bag);
		if (ret < 0) {
			bag = NULL;
			gnutls_assert();
			goto done;
		}

		ret = gnutls_pkcs12_get_bag(p12, idx, bag);
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			gnutls_pkcs12_bag_deinit(bag);
			bag = NULL;
			break;
		}
		if (ret < 0) {
			gnutls_assert();
			goto done;
		}

		ret = gnutls_pkcs12_bag_get_type(bag, 0);
		if (ret < 0) {
			gnutls_assert();
			goto done;
		}

		if (ret == GNUTLS_BAG_ENCRYPTED) {
			ret = gnutls_pkcs12_bag_decrypt(bag, password);
			if (ret < 0) {
				gnutls_assert();
				goto done;
			}
		}

		elements_in_bag = gnutls_pkcs12_bag_get_count(bag);
		if (elements_in_bag < 0) {
			gnutls_assert();
			goto done;
		}

		for (i = 0; i < (unsigned)elements_in_bag; i++) {
			int type;
			gnutls_datum_t data;
			gnutls_x509_crt_t this_cert;

			type = gnutls_pkcs12_bag_get_type(bag, i);
			if (type < 0) {
				gnutls_assert();
				goto done;
			}

			ret = gnutls_pkcs12_bag_get_data(bag, i, &data);
			if (ret < 0) {
				gnutls_assert();
				goto done;
			}

			switch (type) {
			case GNUTLS_BAG_CERTIFICATE:
				ret = gnutls_x509_crt_init(&this_cert);
				if (ret < 0) {
					gnutls_assert();
					goto done;
				}

				ret =
				    gnutls_x509_crt_import(this_cert,
							   &data,
							   GNUTLS_X509_FMT_DER);
				if (ret < 0) {
					gnutls_assert();
					gnutls_x509_crt_deinit(this_cert);
					this_cert = NULL;
					goto done;
				}

				/* check if the key id match */
				cert_id_size = sizeof(cert_id);
				ret =
				    gnutls_x509_crt_get_key_id(this_cert,
							       0, cert_id,
							       &cert_id_size);
				if (ret < 0) {
					gnutls_assert();
					gnutls_x509_crt_deinit(this_cert);
					this_cert = NULL;
					goto done;
				}

				if (memcmp(cert_id, key_id, cert_id_size) != 0) {	/* they don't match - skip the certificate */
					_extra_certs =
						gnutls_realloc_fast
						(_extra_certs,
						 sizeof(_extra_certs
							[0]) *
						 ++_extra_certs_len);
					if (!_extra_certs) {
						gnutls_assert();
						ret =
							GNUTLS_E_MEMORY_ERROR;
						goto done;
					}
					_extra_certs
						[_extra_certs_len -
						 1] = this_cert;
					this_cert = NULL;
				} else {
					if (chain && _chain_len == 0) {
						_chain =
						    gnutls_malloc(sizeof
								  (_chain
								   [0]) *
								  (++_chain_len));
						if (!_chain) {
							gnutls_assert();
							ret =
							    GNUTLS_E_MEMORY_ERROR;
							goto done;
						}
						_chain[_chain_len - 1] =
						    this_cert;
						this_cert = NULL;
					} else {
						gnutls_x509_crt_deinit
						    (this_cert);
						this_cert = NULL;
					}
				}
				break;

			case GNUTLS_BAG_CRL:
				if (crl == NULL || *crl != NULL) {
					gnutls_assert();
					break;
				}

				ret = gnutls_x509_crl_init(crl);
				if (ret < 0) {
					gnutls_assert();
					goto done;
				}

				ret =
				    gnutls_x509_crl_import(*crl, &data,
							   GNUTLS_X509_FMT_DER);
				if (ret < 0) {
					gnutls_assert();
					gnutls_x509_crl_deinit(*crl);
					*crl = NULL;
					goto done;
				}
				break;

			case GNUTLS_BAG_ENCRYPTED:
				/* XXX Bother to recurse one level down?  Unlikely to
				   use the same password anyway. */
			case GNUTLS_BAG_EMPTY:
			default:
				break;
			}
		}

		idx++;
		gnutls_pkcs12_bag_deinit(bag);
		bag = NULL;
	}

	if (chain != NULL) {
		if (_chain_len != 1) {
			ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
			goto done;
		}

		ret =
		    make_chain(&_chain, &_chain_len, &_extra_certs,
			       &_extra_certs_len, flags);
		if (ret < 0) {
			gnutls_assert();
			goto done;
		}
	}

	ret = 0;

      done:
	if (bag)
		gnutls_pkcs12_bag_deinit(bag);

	if (ret < 0) {
		if (*key) {
			gnutls_x509_privkey_deinit(*key);
			*key = NULL;
		}
		if (crl != NULL && *crl != NULL) {
			gnutls_x509_crl_deinit(*crl);
			*crl = NULL;
		}
		if (_extra_certs_len && _extra_certs != NULL) {
			for (i = 0; i < _extra_certs_len; i++)
				gnutls_x509_crt_deinit(_extra_certs[i]);
			gnutls_free(_extra_certs);
		}
		if (_chain_len && _chain != NULL) {
			for (i = 0; i < _chain_len; i++)
				gnutls_x509_crt_deinit(_chain[i]);
			gnutls_free(_chain);
		}

		return ret;
	}

	if (extra_certs && _extra_certs_len > 0) {
		*extra_certs = _extra_certs;
		*extra_certs_len = _extra_certs_len;
	} else {
		if (extra_certs) {
			*extra_certs = NULL;
			*extra_certs_len = 0;
		}
		for (i = 0; i < _extra_certs_len; i++)
			gnutls_x509_crt_deinit(_extra_certs[i]);
		gnutls_free(_extra_certs);
	}

	if (chain != NULL) {
		*chain = _chain;
		*chain_len = _chain_len;
	}

	return ret;
}
Exemplo n.º 2
0
void doit(void)
{
	gnutls_pkcs12_t pkcs12;
	gnutls_x509_crt_t client;
	gnutls_x509_crt_t ca;
	gnutls_pkcs12_bag_t bag;
	unsigned char key_id_buf[20];
	gnutls_datum_t key_id;
	int ret, indx;
	char outbuf[10240];
	size_t size;
	unsigned tests, i;

	ret = global_init();
	if (ret < 0) {
		fprintf(stderr, "global_init %d", ret);
		exit(1);
	}

	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	/* Read certs. */
	ret = gnutls_x509_crt_init(&client);
	if (ret < 0) {
		fprintf(stderr, "crt_init: %d", ret);
		exit(1);
	}

	ret =
	    gnutls_x509_crt_import(client, &client_dat,
				   GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		fprintf(stderr, "crt_import: %d", ret);
		exit(1);
	}

	ret = gnutls_x509_crt_init(&ca);
	if (ret < 0) {
		fprintf(stderr, "ca_init: %d", ret);
		exit(1);
	}

	ret = gnutls_x509_crt_import(ca, &ca_dat, GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		fprintf(stderr, "ca_import: %d", ret);
		exit(1);
	}

	/* Create PKCS#12 structure. */
	ret = gnutls_pkcs12_init(&pkcs12);
	if (ret < 0) {
		fprintf(stderr, "pkcs12_init: %d", ret);
		exit(1);
	}

	/* Generate and add PKCS#12 cert bags. */
#ifndef ENABLE_FIPS140
	tests = 2; /* include RC2 */
#else
	tests = 1;
#endif
	for (i = 0; i < tests; i++) {
		ret = gnutls_pkcs12_bag_init(&bag);
		if (ret < 0) {
			fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret);
			exit(1);
		}

		ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca);
		if (ret < 0) {
			fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret);
			exit(1);
		}

		indx = ret;

		ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx,
							  i ==
							  0 ? "client" :
							  "ca");
		if (ret < 0) {
			fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret);
			exit(1);
		}

		size = sizeof(key_id_buf);
		ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0,
						 key_id_buf, &size);
		if (ret < 0) {
			fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
			exit(1);
		}

		key_id.data = key_id_buf;
		key_id.size = size;

		ret = gnutls_pkcs12_bag_set_key_id(bag, indx, &key_id);
		if (ret < 0) {
			fprintf(stderr, "bag_set_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
			exit(1);
		}

		ret = gnutls_pkcs12_bag_encrypt(bag, "pass",
						i ==
						0 ?
						GNUTLS_PKCS8_USE_PKCS12_3DES
						:
						GNUTLS_PKCS_USE_PKCS12_RC2_40);
		if (ret < 0) {
			fprintf(stderr, "bag_encrypt: %d: %s", ret,
				i == 0 ? "3DES" : "RC2-40");
			exit(1);
		}

		ret = gnutls_pkcs12_set_bag(pkcs12, bag);
		if (ret < 0) {
			fprintf(stderr, "set_bag: %s (%d)\n", gnutls_strerror(ret), ret);
			exit(1);
		}

		gnutls_pkcs12_bag_deinit(bag);
	}

	/* MAC the structure, export and print. */
	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass");
	if (ret < 0) {
		fprintf(stderr, "generate_mac: %s (%d)\n", gnutls_strerror(ret), ret);
		exit(1);
	}

	ret = gnutls_pkcs12_verify_mac(pkcs12, "pass");
	if (ret < 0) {
		fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret);
		exit(1);
	}

	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd");
	if (ret < 0) {
		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
		exit(1);
	}

	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd");
	if (ret < 0) {
		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
		exit(1);
	}

	size = sizeof(outbuf);
	ret =
	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
				 &size);
	if (ret < 0) {
		fprintf(stderr, "pkcs12_export: %s (%d)\n", gnutls_strerror(ret), ret);
		exit(1);
	}

	if (debug)
		fwrite(outbuf, size, 1, stdout);

	/* Cleanup. */
	gnutls_pkcs12_deinit(pkcs12);
	gnutls_x509_crt_deinit(client);
	gnutls_x509_crt_deinit(ca);
	gnutls_global_deinit();
}
Exemplo n.º 3
0
/**
 * ntfs_pkcs12_extract_rsa_key
 */
static ntfs_rsa_private_key ntfs_pkcs12_extract_rsa_key(u8 *pfx, int pfx_size,
        char *password, char *thumbprint, int thumbprint_size,
        NTFS_DF_TYPES *df_type)
{
    int err, bag_index, flags;
    gnutls_datum_t dpfx, dkey;
    gnutls_pkcs12_t pkcs12 = NULL;
    gnutls_pkcs12_bag_t bag = NULL;
    gnutls_x509_privkey_t pkey = NULL;
    gnutls_x509_crt_t crt = NULL;
    ntfs_rsa_private_key rsa_key = NULL;
    char purpose_oid[100];
    size_t purpose_oid_size = sizeof(purpose_oid);
    size_t tp_size = thumbprint_size;
    BOOL have_thumbprint = FALSE;

    *df_type = DF_TYPE_UNKNOWN;
    /* Create a pkcs12 structure. */
    err = gnutls_pkcs12_init(&pkcs12);
    if (err) {
        ntfs_log_error("Failed to initialize PKCS#12 structure: %s\n",
                       gnutls_strerror(err));
        return NULL;
    }
    /* Convert the PFX file (DER format) to native pkcs12 format. */
    dpfx.data = pfx;
    dpfx.size = pfx_size;
    err = gnutls_pkcs12_import(pkcs12, &dpfx, GNUTLS_X509_FMT_DER, 0);
    if (err) {
        ntfs_log_error("Failed to convert the PFX file from DER to "
                       "native PKCS#12 format: %s\n",
                       gnutls_strerror(err));
        goto err;
    }
    /*
     * Verify that the password is correct and that the key file has not
     * been tampered with.  Note if the password has zero length and the
     * verification fails, retry with password set to NULL.  This is needed
     * to get passwordless .pfx files generated with Windows XP SP1 (and
     * probably earlier versions of Windows) to work.
     */
retry_verify:
    err = gnutls_pkcs12_verify_mac(pkcs12, password);
    if (err) {
        if (err == GNUTLS_E_MAC_VERIFY_FAILED &&
                password && !strlen(password)) {
            password = NULL;
            goto retry_verify;
        }
        ntfs_log_error("Failed to verify the MAC: %s  Is the "
                       "password correct?\n", gnutls_strerror(err));
        goto err;
    }
    for (bag_index = 0; ; bag_index++) {
        err = gnutls_pkcs12_bag_init(&bag);
        if (err) {
            ntfs_log_error("Failed to initialize PKCS#12 Bag "
                           "structure: %s\n",
                           gnutls_strerror(err));
            goto err;
        }
        err = gnutls_pkcs12_get_bag(pkcs12, bag_index, bag);
        if (err) {
            if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
                err = 0;
                break;
            }
            ntfs_log_error("Failed to obtain Bag from PKCS#12 "
                           "structure: %s\n",
                           gnutls_strerror(err));
            goto err;
        }
check_again:
        err = gnutls_pkcs12_bag_get_count(bag);
        if (err < 0) {
            ntfs_log_error("Failed to obtain Bag count: %s\n",
                           gnutls_strerror(err));
            goto err;
        }
        err = gnutls_pkcs12_bag_get_type(bag, 0);
        if (err < 0) {
            ntfs_log_error("Failed to determine Bag type: %s\n",
                           gnutls_strerror(err));
            goto err;
        }
        flags = 0;
        switch (err) {
        case GNUTLS_BAG_PKCS8_KEY:
            flags = GNUTLS_PKCS_PLAIN;
        case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
            err = gnutls_pkcs12_bag_get_data(bag, 0, &dkey);
            if (err < 0) {
                ntfs_log_error("Failed to obtain Bag data: "
                               "%s\n", gnutls_strerror(err));
                goto err;
            }
            err = gnutls_x509_privkey_init(&pkey);
            if (err) {
                ntfs_log_error("Failed to initialized "
                               "private key structure: %s\n",
                               gnutls_strerror(err));
                goto err;
            }
            /* Decrypt the private key into GNU TLS format. */
            err = gnutls_x509_privkey_import_pkcs8(pkey, &dkey,
                                                   GNUTLS_X509_FMT_DER, password, flags);
            if (err) {
                ntfs_log_error("Failed to convert private "
                               "key from DER to GNU TLS "
                               "format: %s\n",
                               gnutls_strerror(err));
                goto err;
            }
#if 0
            /*
             * Export the key again, but unencrypted, and output it
             * to stderr.  Note the output has an RSA header so to
             * compare to openssl pkcs12 -nodes -in myfile.pfx
             * output need to ignore the part of the key between
             * the first "MII..." up to the second "MII...".  The
             * actual RSA private key begins at the second "MII..."
             * and in my testing at least was identical to openssl
             * output and was also identical both on big and little
             * endian so gnutls should be endianness safe.
             */
            char *buf = malloc(8192);
            size_t bufsize = 8192;
            err = gnutls_x509_privkey_export_pkcs8(pkey,
                                                   GNUTLS_X509_FMT_PEM, "", GNUTLS_PKCS_PLAIN, buf,
                                                   &bufsize);
            if (err) {
                ntfs_log_error("eek1\n");
                exit(1);
            }
            ntfs_log_error("%s\n", buf);
            free(buf);
#endif
            /* Convert the private key to our internal format. */
            rsa_key = ntfs_rsa_private_key_import_from_gnutls(pkey);
            if (!rsa_key)
                goto err;
            break;
        case GNUTLS_BAG_ENCRYPTED:
            err = gnutls_pkcs12_bag_decrypt(bag, password);
            if (err) {
                ntfs_log_error("Failed to decrypt Bag: %s\n",
                               gnutls_strerror(err));
                goto err;
            }
            goto check_again;
        case GNUTLS_BAG_CERTIFICATE:
            err = gnutls_pkcs12_bag_get_data(bag, 0, &dkey);
            if (err < 0) {
                ntfs_log_error("Failed to obtain Bag data: "
                               "%s\n", gnutls_strerror(err));
                goto err;
            }
            err = gnutls_x509_crt_init(&crt);
            if (err) {
                ntfs_log_error("Failed to initialize "
                               "certificate structure: %s\n",
                               gnutls_strerror(err));
                goto err;
            }
            err = gnutls_x509_crt_import(crt, &dkey,
                                         GNUTLS_X509_FMT_DER);
            if (err) {
                ntfs_log_error("Failed to convert certificate "
                               "from DER to GNU TLS format: "
                               "%s\n", gnutls_strerror(err));
                goto err;
            }
            err = gnutls_x509_crt_get_key_purpose_oid(crt, 0,
                    purpose_oid, &purpose_oid_size, NULL);
            if (err) {
                ntfs_log_error("Failed to get key purpose "
                               "OID: %s\n",
                               gnutls_strerror(err));
                goto err;
            }
            purpose_oid[purpose_oid_size - 1] = '\0';
            if (!strcmp(purpose_oid,
                        NTFS_EFS_CERT_PURPOSE_OID_DRF))
                *df_type = DF_TYPE_DRF;
            else if (!strcmp(purpose_oid,
                             NTFS_EFS_CERT_PURPOSE_OID_DDF))
                *df_type = DF_TYPE_DDF;
            else {
                ntfs_log_error("Certificate has unknown "
                               "purpose OID %s.\n",
                               purpose_oid);
                err = EINVAL;
                goto err;
            }
            /* Return the thumbprint to the caller. */
            err = gnutls_x509_crt_get_fingerprint(crt,
                                                  GNUTLS_DIG_SHA1, thumbprint, &tp_size);
            if (err) {
                ntfs_log_error("Failed to get thumbprint: "
                               "%s\n", gnutls_strerror(err));
                goto err;
            }
            if (tp_size != NTFS_SHA1_THUMBPRINT_SIZE) {
                ntfs_log_error("Invalid thumbprint size %zd.  "
                               "Should be %d.\n", tp_size,
                               thumbprint_size);
                err = EINVAL;
                goto err;
            }
            have_thumbprint = TRUE;
            gnutls_x509_crt_deinit(crt);
            crt = NULL;
            break;
        default:
            /* We do not care about other types. */
            break;
        }
        gnutls_pkcs12_bag_deinit(bag);
    }
err:
    if (rsa_key && (err || *df_type == DF_TYPE_UNKNOWN ||
                    !have_thumbprint)) {
        if (!err)
            ntfs_log_error("Key type or thumbprint not found, "
                           "aborting.\n");
        ntfs_rsa_private_key_release(rsa_key);
        rsa_key = NULL;
    }
    if (crt)
        gnutls_x509_crt_deinit(crt);
    if (pkey)
        gnutls_x509_privkey_deinit(pkey);
    if (bag)
        gnutls_pkcs12_bag_deinit(bag);
    if (pkcs12)
        gnutls_pkcs12_deinit(pkcs12);
    return rsa_key;
}
Exemplo n.º 4
0
/* This function will write a pkcs12 structure into a file.
 * cert: is a DER encoded certificate
 * pkcs8_key: is a PKCS #8 encrypted key (note that this must be
 *  encrypted using a PKCS #12 cipher, or some browsers will crash)
 * password: is the password used to encrypt the PKCS #12 packet.
 */
int
write_pkcs12 (const gnutls_datum_t * cert,
	      const gnutls_datum_t * pkcs8_key, const char *password)
{
  gnutls_pkcs12_t pkcs12;
  int ret, bag_index;
  gnutls_pkcs12_bag_t bag, key_bag;
  char pkcs12_struct[10 * 1024];
  size_t pkcs12_struct_size;
  FILE *fd;

  /* A good idea might be to use gnutls_x509_privkey_get_key_id()
   * to obtain a unique ID.
   */
  gnutls_datum_t key_id = { "\x00\x00\x07", 3 };

  gnutls_global_init ();

  /* Firstly we create two helper bags, which hold the certificate,
   * and the (encrypted) key.
   */

  gnutls_pkcs12_bag_init (&bag);
  gnutls_pkcs12_bag_init (&key_bag);

  ret = gnutls_pkcs12_bag_set_data (bag, GNUTLS_BAG_CERTIFICATE, cert);
  if (ret < 0)
    {
      fprintf (stderr, "ret: %s\n", gnutls_strerror (ret));
      return 1;
    }

  /* ret now holds the bag's index.
   */
  bag_index = ret;

  /* Associate a friendly name with the given certificate. Used
   * by browsers.
   */
  gnutls_pkcs12_bag_set_friendly_name (bag, bag_index, "My name");

  /* Associate the certificate with the key using a unique key
   * ID.
   */
  gnutls_pkcs12_bag_set_key_id (bag, bag_index, &key_id);

  /* use weak encryption for the certificate. 
   */
  gnutls_pkcs12_bag_encrypt (bag, password, GNUTLS_PKCS_USE_PKCS12_RC2_40);

  /* Now the key.
   */

  ret = gnutls_pkcs12_bag_set_data (key_bag,
				    GNUTLS_BAG_PKCS8_ENCRYPTED_KEY,
				    pkcs8_key);
  if (ret < 0)
    {
      fprintf (stderr, "ret: %s\n", gnutls_strerror (ret));
      return 1;
    }

  /* Note that since the PKCS #8 key is already encrypted we don't
   * bother encrypting that bag.
   */
  bag_index = ret;

  gnutls_pkcs12_bag_set_friendly_name (key_bag, bag_index, "My name");

  gnutls_pkcs12_bag_set_key_id (key_bag, bag_index, &key_id);


  /* The bags were filled. Now create the PKCS #12 structure.
   */
  gnutls_pkcs12_init (&pkcs12);

  /* Insert the two bags in the PKCS #12 structure.
   */

  gnutls_pkcs12_set_bag (pkcs12, bag);
  gnutls_pkcs12_set_bag (pkcs12, key_bag);


  /* Generate a message authentication code for the PKCS #12
   * structure.
   */
  gnutls_pkcs12_generate_mac (pkcs12, password);

  pkcs12_struct_size = sizeof (pkcs12_struct);
  ret =
    gnutls_pkcs12_export (pkcs12, GNUTLS_X509_FMT_DER, pkcs12_struct,
			  &pkcs12_struct_size);
  if (ret < 0)
    {
      fprintf (stderr, "ret: %s\n", gnutls_strerror (ret));
      return 1;
    }

  fd = fopen (OUTFILE, "w");
  if (fd == NULL)
    {
      fprintf (stderr, "cannot open file\n");
      return 1;
    }
  fwrite (pkcs12_struct, 1, pkcs12_struct_size, fd);
  fclose (fd);

  gnutls_pkcs12_bag_deinit (bag);
  gnutls_pkcs12_bag_deinit (key_bag);
  gnutls_pkcs12_deinit (pkcs12);

  return 0;
}
Exemplo n.º 5
0
static int tls_get_bag_at_index(gnutls_pkcs12_t *const p12,
										  const int bag_index,
										  const char *const password,
										  gnutls_x509_privkey_t *const key,
										  gnutls_x509_crt_t *const certs,
										  int *const certs_nr)
{
	gnutls_pkcs12_bag_t bag = NULL;
	int bag_count;
	int status = 0;
	int ret;
	int i;

	assert(p12 != NULL);
	assert(key != NULL);
	assert(certs != NULL);
	assert(certs_nr != NULL);
	assert((*certs_nr) >= 0);
	assert((*certs_nr) <= MAX_CERTS);

	ret = gnutls_pkcs12_bag_init(&bag);
	if(ret < 0)
	{
		trace(LOG_ERR, "failed to init bag #%d", bag_index + 1);
		goto error;
	}

	ret = gnutls_pkcs12_get_bag(*p12, bag_index, bag);
	if(ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
	{
		/* ignore */
		status = 2;
		goto free_bag;
	}
	if(ret < 0)
	{
		trace(LOG_ERR, "failed to retrieve bag #%d", bag_index + 1);
		goto free_bag;
	}

	ret = gnutls_pkcs12_bag_get_type(bag, 0);
	if(ret == GNUTLS_BAG_ENCRYPTED)
	{
		ret = gnutls_pkcs12_bag_decrypt(bag, password);
		if(ret < 0)
		{
			trace(LOG_ERR, "failed to decrypt bag #%d", bag_index + 1);
			goto free_bag;
		}
	}

	bag_count = gnutls_pkcs12_bag_get_count(bag);
	trace(LOG_DEBUG, "bag count = %d\n", bag_count);

	/* first, find the key */
	for(i = 0; i < bag_count; i++)
	{
		gnutls_x509_privkey_t new_key;
		gnutls_x509_crt_t new_cert;

		if(!tls_get_item_from_bag_at(&bag, i, password, &new_key, &new_cert))
		{
			trace(LOG_ERR, "failed to load item #%d of bag #%d",
					i + 1, bag_index + 1);
			goto free_bag;
		}

		/* if we found a new key, store it */
		if(new_key != NULL)
		{
			if((*key) != NULL)
			{
				trace(LOG_ERR, "more than one key found in PKCS#12");
				goto free_bag;
			}
			*key = new_key;
		}

		/* if we found a new certificate, store it in the array */
		if(new_cert != NULL)
		{
			if((*certs_nr) >= MAX_CERTS)
			{
				trace(LOG_ERR, "too many certificates, abort");
				gnutls_x509_crt_deinit(new_cert);
				goto free_bag;
			}

			certs[*certs_nr] = new_cert;
			(*certs_nr)++;
		}
	}

	status = 1;

free_bag:
	gnutls_pkcs12_bag_deinit(bag);
error:
	return status;
}
Exemplo n.º 6
0
/* Parses a PKCS#12 structure and loads the certificate, private key
 * and friendly name if possible.  Returns zero on success, non-zero
 * on error. */
static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
                        gnutls_x509_crt *x5, char **friendly_name,
                        const char *password)
{
    gnutls_pkcs12_bag bag = NULL;
    int i, j, ret = 0;

    for (i = 0; ret == 0; ++i) {
        if (bag) gnutls_pkcs12_bag_deinit(bag);

        ret = gnutls_pkcs12_bag_init(&bag);
        if (ret < 0) continue;

        ret = gnutls_pkcs12_get_bag(p12, i, bag);
        if (ret < 0) continue;

        gnutls_pkcs12_bag_decrypt(bag, password);

        for (j = 0; ret == 0 && j < gnutls_pkcs12_bag_get_count(bag); ++j) {
            gnutls_pkcs12_bag_type type;
            gnutls_datum data;

            if (friendly_name && *friendly_name == NULL) {
                char *name = NULL;
                gnutls_pkcs12_bag_get_friendly_name(bag, j, &name);
                if (name) {
                    if (name[0] == '.') name++; /* weird GnuTLS bug? */
                    *friendly_name = ne_strdup(name);
                }
            }

            type = gnutls_pkcs12_bag_get_type(bag, j);
            switch (type) {
            case GNUTLS_BAG_PKCS8_KEY:
            case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
                /* Ignore any but the first key encountered; really
                 * need to match up keyids. */
                if (*pkey) break;

                gnutls_x509_privkey_init(pkey);

                ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
                if (ret < 0) continue;

                ret = gnutls_x509_privkey_import_pkcs8(*pkey, &data,
                                                       GNUTLS_X509_FMT_DER,
                                                       password,
                                                       0);
                if (ret < 0) continue;
                break;
            case GNUTLS_BAG_CERTIFICATE:
                /* Ignore any but the first cert encountered; again,
                 * really need to match up keyids. */
                if (*x5) break;

                ret = gnutls_x509_crt_init(x5);
                if (ret < 0) continue;

                ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
                if (ret < 0) continue;

                ret = gnutls_x509_crt_import(*x5, &data, GNUTLS_X509_FMT_DER);
                if (ret < 0) continue;

                break;
            default:
                break;
            }
        }
    }

    /* Make sure last bag is freed */
    if (bag) gnutls_pkcs12_bag_deinit(bag);

    /* Free in case of error */
    if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
        if (*x5) gnutls_x509_crt_deinit(*x5);
        if (*pkey) gnutls_x509_privkey_deinit(*pkey);
        if (friendly_name && *friendly_name) ne_free(*friendly_name);
    }

    if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ret = 0;
    return ret;
}
Exemplo n.º 7
0
/**
 * gnutls_system_key_add_x509:
 * @crt: the certificate to be added
 * @privkey: the key to be added
 * @label: the friendly name to describe the key
 * @cert_url: if non-NULL it will contain an allocated value with the certificate URL
 * @key_url: if non-NULL it will contain an allocated value with the key URL
 *
 * This function will added the given key and certificate pair,
 * to the system list.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.4.0
 **/
int gnutls_system_key_add_x509(gnutls_x509_crt_t crt,
			       gnutls_x509_privkey_t privkey, const char *label,
			       char **cert_url, char **key_url)
{
	HCERTSTORE store = NULL;
	CRYPT_DATA_BLOB pfx;
	gnutls_datum_t _pfx = { NULL, 0 };
	gnutls_pkcs12_t p12 = NULL;
	gnutls_pkcs12_bag_t bag1 = NULL, bag2 = NULL;
	uint8_t id[MAX_WID_SIZE];
	size_t id_size;
	gnutls_datum_t kid;
	int ret;

	if (ncrypt_init == 0)
		return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);

	if (label == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	id_size = sizeof(id);
	ret = gnutls_x509_crt_get_key_id(crt, 0, id, &id_size);
	if (ret < 0)
		return gnutls_assert_val(ret);

	kid.data = id;
	kid.size = id_size;

	/* the idea: import the cert and private key into PKCS #12
	 * format, export it into pfx, and import it into store */
	ret = gnutls_pkcs12_init(&p12);
	if (ret < 0)
		return gnutls_assert_val(ret);

	ret = gnutls_pkcs12_bag_init(&bag1);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_bag_set_crt(bag1, crt);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_bag_set_key_id(bag1, 0, &kid);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	if (label)
		gnutls_pkcs12_bag_set_friendly_name(bag1, 0, label);

	ret = gnutls_pkcs12_bag_init(&bag2);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_bag_set_privkey(bag2, privkey, NULL, 0);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_bag_set_key_id(bag2, 0, &kid);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	if (label)
		gnutls_pkcs12_bag_set_friendly_name(bag2, 0, label);

	ret = gnutls_pkcs12_set_bag(p12, bag1);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_set_bag(p12, bag2);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_generate_mac(p12, "123456");
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = gnutls_pkcs12_export2(p12, GNUTLS_X509_FMT_DER, &_pfx);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	pfx.cbData = _pfx.size;
	pfx.pbData = _pfx.data;

	store = PFXImportCertStore(&pfx, L"123456", 0);
	if (store == NULL) {
		gnutls_assert();
		ret = GNUTLS_E_INVALID_REQUEST;
		goto cleanup;
	}

	if (cert_url || key_url) {
		unsigned char sha[20];
		CRYPT_HASH_BLOB blob;
		const CERT_CONTEXT *cert = NULL;
		gnutls_datum_t data;

		ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &data);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

		ret =
		    gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size,
				     sha);
		gnutls_free(data.data);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

		blob.cbData = sizeof(sha);
		blob.pbData = sha;

		cert = CertFindCertificateInStore(store,
						  X509_ASN_ENCODING,
						  0,
						  CERT_FIND_SHA1_HASH,
						  &blob, NULL);

		if (cert == NULL) {
			gnutls_assert();
			ret = GNUTLS_E_KEY_IMPORT_FAILED;
			goto cleanup;
		}

		ret = get_win_urls(cert, cert_url, key_url, NULL, NULL);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
	}

	ret = 0;

 cleanup:
	if (p12 != NULL)
		gnutls_pkcs12_deinit(p12);
	if (bag1 != NULL)
		gnutls_pkcs12_bag_deinit(bag1);
	if (bag2 != NULL)
		gnutls_pkcs12_bag_deinit(bag2);
	if (store != NULL)
		CertCloseStore(store, 0);
	gnutls_free(_pfx.data);
	return ret;
}