MercurialSymaptic / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | raw | help
os/ossrv/ssl/libcrypto/src/crypto/pkcs12/p12_npas.c
author sl
Tue, 10 Jun 2014 14:32:02 +0200
changeset 1 260cb5ec6c19
permissions -rw-r--r--
Update contrib. 
     1 /* p12_npas.c */

     2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL

     3  * project 1999.

     4  */

     5 /* ====================================================================

     6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.

     7  *

     8  * Redistribution and use in source and binary forms, with or without

     9  * modification, are permitted provided that the following conditions

    10  * are met:

    11  *

    12  * 1. Redistributions of source code must retain the above copyright

    13  *    notice, this list of conditions and the following disclaimer. 

    14  *

    15  * 2. Redistributions in binary form must reproduce the above copyright

    16  *    notice, this list of conditions and the following disclaimer in

    17  *    the documentation and/or other materials provided with the

    18  *    distribution.

    19  *

    20  * 3. All advertising materials mentioning features or use of this

    21  *    software must display the following acknowledgment:

    22  *    "This product includes software developed by the OpenSSL Project

    23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

    24  *

    25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

    26  *    endorse or promote products derived from this software without

    27  *    prior written permission. For written permission, please contact

    28  *    licensing@OpenSSL.org.

    29  *

    30  * 5. Products derived from this software may not be called "OpenSSL"

    31  *    nor may "OpenSSL" appear in their names without prior written

    32  *    permission of the OpenSSL Project.

    33  *

    34  * 6. Redistributions of any form whatsoever must retain the following

    35  *    acknowledgment:

    36  *    "This product includes software developed by the OpenSSL Project

    37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

    38  *

    39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

    40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

    41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

    42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

    43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

    44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

    45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

    46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

    47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

    48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

    49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

    50  * OF THE POSSIBILITY OF SUCH DAMAGE.

    51  * ====================================================================

    52  *

    53  * This product includes cryptographic software written by Eric Young

    54  * (eay@cryptsoft.com).  This product includes software written by Tim

    55  * Hudson (tjh@cryptsoft.com).

    56  *

    57  */

    58 

    59 #include <stdio.h>

    60 #include <stdlib.h>

    61 #include <string.h>

    62 #include <openssl/pem.h>

    63 #include <openssl/err.h>

    64 #include <openssl/pkcs12.h>

    65 

    66 /* PKCS#12 password change routine */

    67 

    68 static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);

    69 static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass,

    70 			char *newpass);

    71 static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);

    72 static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);

    73 

    74 /* 

    75  * Change the password on a PKCS#12 structure.

    76  */

    77 

    78 EXPORT_C int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)

    79 {

    80 	/* Check for NULL PKCS12 structure */

    81 

    82 	if(!p12) {

    83 		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);

    84 		return 0;

    85 	}

    86 

    87 	/* Check the mac */

    88 	

    89 	if (!PKCS12_verify_mac(p12, oldpass, -1)) {

    90 		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);

    91 		return 0;

    92 	}

    93 

    94 	if (!newpass_p12(p12, oldpass, newpass)) {

    95 		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);

    96 		return 0;

    97 	}

    98 

    99 	return 1;

   100 }

   101 

   102 /* Parse the outer PKCS#12 structure */

   103 

   104 static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)

   105 {

   106 	STACK_OF(PKCS7) *asafes, *newsafes;

   107 	STACK_OF(PKCS12_SAFEBAG) *bags;

   108 	int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;

   109 	PKCS7 *p7, *p7new;

   110 	ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;

   111 	unsigned char mac[EVP_MAX_MD_SIZE];

   112 	unsigned int maclen;

   113 

   114 	if (!(asafes = PKCS12_unpack_authsafes(p12))) return 0;

   115 	if(!(newsafes = sk_PKCS7_new_null())) return 0;

   116 	for (i = 0; i < sk_PKCS7_num (asafes); i++) {

   117 		p7 = sk_PKCS7_value(asafes, i);

   118 		bagnid = OBJ_obj2nid(p7->type);

   119 		if (bagnid == NID_pkcs7_data) {

   120 			bags = PKCS12_unpack_p7data(p7);

   121 		} else if (bagnid == NID_pkcs7_encrypted) {

   122 			bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);

   123 			alg_get(p7->d.encrypted->enc_data->algorithm,

   124 				&pbe_nid, &pbe_iter, &pbe_saltlen);

   125 		} else continue;

   126 		if (!bags) {

   127 			sk_PKCS7_pop_free(asafes, PKCS7_free);

   128 			return 0;

   129 		}

   130 	    	if (!newpass_bags(bags, oldpass, newpass)) {

   131 			sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);

   132 			sk_PKCS7_pop_free(asafes, PKCS7_free);

   133 			return 0;

   134 		}

   135 		/* Repack bag in same form with new password */

   136 		if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags);

   137 		else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL,

   138 						 pbe_saltlen, pbe_iter, bags);

   139 		sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);

   140 		if(!p7new) {

   141 			sk_PKCS7_pop_free(asafes, PKCS7_free);

   142 			return 0;

   143 		}

   144 		sk_PKCS7_push(newsafes, p7new);

   145 	}

   146 	sk_PKCS7_pop_free(asafes, PKCS7_free);

   147 

   148 	/* Repack safe: save old safe in case of error */

   149 

   150 	p12_data_tmp = p12->authsafes->d.data;

   151 	if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr;

   152 	if(!PKCS12_pack_authsafes(p12, newsafes)) goto saferr;

   153 

   154 	if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr;

   155 	if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr;

   156 	if(!ASN1_OCTET_STRING_set(macnew, mac, maclen)) goto saferr;

   157 	ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);

   158 	p12->mac->dinfo->digest = macnew;

   159 	ASN1_OCTET_STRING_free(p12_data_tmp);

   160 

   161 	return 1;

   162 

   163 	saferr:

   164 	/* Restore old safe */

   165 	ASN1_OCTET_STRING_free(p12->authsafes->d.data);

   166 	ASN1_OCTET_STRING_free(macnew);

   167 	p12->authsafes->d.data = p12_data_tmp;

   168 	return 0;

   169 

   170 }

   171 

   172 

   173 static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass,

   174 			char *newpass)

   175 {

   176 	int i;

   177 	for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {

   178 		if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i),

   179 				 oldpass, newpass))

   180 		    return 0;

   181 	}

   182 	return 1;

   183 }

   184 

   185 /* Change password of safebag: only needs handle shrouded keybags */

   186 

   187 static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)

   188 {

   189 	PKCS8_PRIV_KEY_INFO *p8;

   190 	X509_SIG *p8new;

   191 	int p8_nid, p8_saltlen, p8_iter;

   192 

   193 	if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1;

   194 

   195 	if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1))) return 0;

   196 	alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen);

   197 	if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,

   198 						     p8_iter, p8))) return 0;

   199 	X509_SIG_free(bag->value.shkeybag);

   200 	bag->value.shkeybag = p8new;

   201 	return 1;

   202 }

   203 

   204 static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)

   205 {

   206         PBEPARAM *pbe;

   207         const unsigned char *p;

   208 

   209         p = alg->parameter->value.sequence->data;

   210         pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);

   211         *pnid = OBJ_obj2nid(alg->algorithm);

   212 	*piter = ASN1_INTEGER_get(pbe->iter);

   213 	*psaltlen = pbe->salt->length;

   214         PBEPARAM_free(pbe);

   215         return 0;

   216 }
Symaptic