wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4279 from haydenroche5/pkcs12

Browse Source 
Cleanups for PKCS8 and PKCS12 macros (always support parsing PKCS8 header)
This commit is contained in:
elms
2021-08-10 18:37:33 -07:00
committed by GitHub
parent fdb6c8141e 699728c70c
commit d487916557
5 changed files with 71 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
configure.ac
View File

@ -4844,6 +4844,24 @@ then
fi
# PKCS#12
# set PKCS#12 default
PKCS12_DEFAULT=yes
if test "$ENABLED_ASN" = "no"
then
PKCS12_DEFAULT=no
fi
AC_ARG_ENABLE([pkcs12],
[AS_HELP_STRING([--enable-pkcs12],[Enable pkcs12 (default: enabled)])],
[ ENABLED_PKCS12=$enableval ],
[ ENABLED_PKCS12=$PKCS12_DEFAULT ]
)
if test "x$ENABLED_PKCS12" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_PKCS12"
fi
# PWDBASED has to come after certservice since we want it on w/o explicit on
# PWDBASED
AC_ARG_ENABLE([pwdbased],
@ -4854,9 +4872,11 @@ AC_ARG_ENABLE([pwdbased],
if test "$ENABLED_PWDBASED" = "no"
then
if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || test "$ENABLED_WEBSERVER" = "yes" || test "$ENABLED_ENCKEYS" = "yes"
if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \
test "$ENABLED_WEBSERVER" = "yes" || test "$ENABLED_ENCKEYS" = "yes" || \
test "$ENABLED_PKCS12" = "yes"
then
# opensslextra, opensslall, webserver, and enckeys needs pwdbased
# opensslextra, opensslall, webserver, enckeys and pkcs12 need pwdbased
ENABLED_PWDBASED=yes
else
AM_CFLAGS="$AM_CFLAGS -DNO_PWDBASED"
@ -5076,16 +5096,16 @@ then
fi
# PKCS#12
AC_ARG_ENABLE([pkcs12],
[AS_HELP_STRING([--enable-pkcs12],[Enable pkcs12 (default: enabled)])],
[ ENABLED_PKCS12=$enableval ],
[ ENABLED_PKCS12=yes ]
# PKCS#8
AC_ARG_ENABLE([pkcs8],
[AS_HELP_STRING([--enable-pkcs8],[Enable PKCS #8 key packages (default: enabled)])],
[ ENABLED_PKCS8=$enableval ],
[ ENABLED_PKCS8=yes ]
)
if test "x$ENABLED_PKCS12" = "xno"
if test "x$ENABLED_PKCS8" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_PKCS12"
AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"
fi
@ -6639,6 +6659,7 @@ AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS],[test "x$ENABLED_CRYPT_TESTS" = "xyes"])
AM_CONDITIONAL([BUILD_LIBZ],[test "x$ENABLED_LIBZ" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS11],[test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS12],[test "x$ENABLED_PKCS12" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS8],[test "x$ENABLED_PKCS8" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CAVIUM],[test "x$ENABLED_CAVIUM" = "xyes"])
AM_CONDITIONAL([BUILD_CAVIUM_V],[test "x$ENABLED_CAVIUM_V" = "xyes"])
AM_CONDITIONAL([BUILD_OCTEON_SYNC],[test "x$ENABLED_OCTEON_SYNC" = "xyes"])
@ -7021,6 +7042,7 @@ else
fi
echo " * SP math implementation: $ENABLED_SP_MATH_DESC"
echo " * Async Crypto: $ENABLED_ASYNCCRYPT"
echo " * PKCS#8: $ENABLED_PKCS8"
echo " * PKCS#11: $ENABLED_PKCS11"
echo " * PKCS#12: $ENABLED_PKCS12"
echo " * Cavium Nitrox: $ENABLED_CAVIUM"

5
src/ssl.c
View File

@ -38324,7 +38324,6 @@ int wolfSSL_RSA_LoadDer_ex(WOLFSSL_RSA* rsa, const unsigned char* derBuf,
}
rsa->pkcs8HeaderSz = 0;
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Check if input buffer has PKCS8 header. In the case that it does not
* have a PKCS8 header then do not error out. */
if ((ret = ToTraditionalInline_ex((const byte*)derBuf, &idx, (word32)derSz,
@ -38338,7 +38337,6 @@ int wolfSSL_RSA_LoadDer_ex(WOLFSSL_RSA* rsa, const unsigned char* derBuf,
return WOLFSSL_FATAL_ERROR;
}
}
#endif
if (opt == WOLFSSL_RSA_LOAD_PRIVATE) {
ret = wc_RsaPrivateKeyDecode(derBuf, &idx, (RsaKey*)rsa->internal, derSz);
@ -38884,7 +38882,7 @@ int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf,
}
key->pkcs8HeaderSz = 0;
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Check if input buffer has PKCS8 header. In the case that it does not
* have a PKCS8 header then do not error out. */
if ((ret = ToTraditionalInline_ex((const byte*)derBuf, &idx, (word32)derSz,
@ -38898,7 +38896,6 @@ int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf,
return WOLFSSL_FATAL_ERROR;
}
}
#endif
if (opt == WOLFSSL_EC_KEY_LOAD_PRIVATE) {
ret = wc_EccPrivateKeyDecode(derBuf, &idx, (ecc_key*)key->internal,

83
wolfcrypt/src/asn.c
View File

@ -2866,20 +2866,16 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
word32 inSz)
{
int version, length;
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
word32 algId = 0;
#endif
if (inOutIdx == NULL || input == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* if has pkcs8 header skip it */
if (ToTraditionalInline_ex(input, inOutIdx, inSz, &algId) < 0) {
/* ignore error, did not have pkcs8 header */
}
#endif
if (GetSequence(input, inOutIdx, &length, inSz) < 0)
return ASN_PARSE_E;
@ -2924,10 +2920,9 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
#endif /* HAVE_USER_RSA */
#endif /* NO_RSA */
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Remove PKCS8 header, place inOutIdx at beginning of traditional,
* return traditional length on success, negative on error */
* return traditional length on success, negative on error.
* Keeping this function for all builds */
int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
word32* algId)
{
@ -2979,6 +2974,8 @@ int ToTraditionalInline(const byte* input, word32* inOutIdx, word32 sz)
return ToTraditionalInline_ex(input, inOutIdx, sz, &oid);
}
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Remove PKCS8 header, move beginning of traditional to beginning of input */
int ToTraditional_ex(byte* input, word32 sz, word32* algId)
{
@ -3388,6 +3385,7 @@ int wc_CheckPrivateKeyCert(const byte* key, word32 keySz, DecodedCert* der)
#ifndef NO_PWDBASED
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* Check To see if PKCS version algo is supported, set id if it is return 0
< 0 on error */
static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz)
@ -3459,6 +3457,10 @@ static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz)
}
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#ifdef HAVE_PKCS8
/* Check To see if PKCS v2 algo is supported, set id if it is return 0
< 0 on error */
static int CheckAlgoV2(int oid, int* id, int* blockSz)
@ -3495,9 +3497,9 @@ static int CheckAlgoV2(int oid, int* id, int* blockSz)
}
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#endif /* HAVE_PKCS8 */
#ifdef HAVE_PKCS8
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
int* algoID, void* heap)
@ -3613,29 +3615,6 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
return 1;
}
#endif /* HAVE_PKCS8 */
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
#define PKCS8_MIN_BLOCK_SIZE 8
static int Pkcs8Pad(byte* buf, int sz, int blockSz)
{
int i, padSz;
/* calculate pad size */
padSz = blockSz - (sz & (blockSz - 1));
/* pad with padSz value */
if (buf) {
for (i = 0; i < padSz; i++) {
buf[sz+i] = (byte)(padSz & 0xFF);
}
}
/* return adjusted length */
return sz + padSz;
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#ifdef HAVE_PKCS8
@ -3970,10 +3949,6 @@ int wc_CreateEncryptedPKCS8Key(byte* key, word32 keySz, byte* out,
pbeOid, encAlgId, salt, saltSz, itt, rng, heap);
}
#endif /* HAVE_PKCS8 */
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* decrypt PKCS
*
* NOTE: input buffer is overwritten with decrypted data!
@ -4157,10 +4132,29 @@ int ToTraditionalEnc(byte* input, word32 sz, const char* password,
return ret;
}
#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
#endif /* HAVE_PKCS8 */
#ifdef HAVE_PKCS12
#define PKCS8_MIN_BLOCK_SIZE 8
static int Pkcs8Pad(byte* buf, int sz, int blockSz)
{
int i, padSz;
/* calculate pad size */
padSz = blockSz - (sz & (blockSz - 1));
/* pad with padSz value */
if (buf) {
for (i = 0; i < padSz; i++) {
buf[sz+i] = (byte)(padSz & 0xFF);
}
}
/* return adjusted length */
return sz + padSz;
}
/* encrypt PKCS 12 content
*
* NOTE: if out is NULL then outSz is set with the total buffer size needed and
@ -5029,21 +5023,17 @@ int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
word32 inSz)
{
int length, version, ret = 0, temp = 0;
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
word32 algId = 0;
#endif
/* Sanity checks on input */
if (input == NULL || inOutIdx == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* if has pkcs8 header skip it */
if (ToTraditionalInline_ex(input, inOutIdx, inSz, &algId) < 0) {
/* ignore error, did not have pkcs8 header */
}
#endif
if (GetSequence(input, inOutIdx, &length, inSz) < 0)
return ASN_PARSE_E;
@ -11328,9 +11318,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
int sz = (int)longSz;
int encrypted_key = 0;
DerBuffer* der;
#if defined(HAVE_PKCS8) || defined(WOLFSSL_ENCRYPTED_KEYS)
word32 algId = 0;
word32 idx;
#if defined(WOLFSSL_ENCRYPTED_KEYS)
#if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_WOLFSSL_SKIP_TRAILING_PAD)
int padVal = 0;
#endif
@ -11541,7 +11531,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
#endif
) && !encrypted_key)
{
#ifdef HAVE_PKCS8
/* detect pkcs8 key and get alg type */
/* keep PKCS8 header */
idx = 0;
@ -11553,9 +11542,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
else {
/* ignore failure here and assume key is not pkcs8 wrapped */
}
#endif
return 0;
}
#ifdef WOLFSSL_ENCRYPTED_KEYS
if (encrypted_key || header == BEGIN_ENC_PRIV_KEY) {
@ -11668,6 +11657,7 @@ int wc_PemToDer(const unsigned char* buff, long longSz, int type,
DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
{
int ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
if (ret == 0 && type == PRIVATEKEY_TYPE) {
DerBuffer* der = *pDer;
/* if a PKCS8 key header exists remove it */
@ -11677,6 +11667,7 @@ int wc_PemToDer(const unsigned char* buff, long longSz, int type,
ret = 0;
}
}
#endif
return ret;
}
@ -16378,20 +16369,16 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
byte priv[ECC_MAXSIZE+1];
byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */
#endif
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
word32 algId = 0;
#endif
byte* pubData = NULL;
if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
return BAD_FUNC_ARG;
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
/* if has pkcs8 header skip it */
if (ToTraditionalInline_ex(input, inOutIdx, inSz, &algId) < 0) {
/* ignore error, did not have pkcs8 header */
}
#endif
if (GetSequence(input, inOutIdx, &length, inSz) < 0)
return ASN_PARSE_E;

1
wolfcrypt/src/pkcs12.c
View File

@ -19,6 +19,7 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* PKCS#12 allows storage of key and certificates into containers */
#ifdef HAVE_CONFIG_H
#include <config.h>

5
wolfssl/wolfcrypt/settings.h
View File

@ -2152,12 +2152,13 @@ extern void uITRON4_free(void *p) ;
#define HAVE_PKCS12
#endif
#ifndef NO_PKCS8
#if !defined(NO_PKCS8) || defined(HAVE_PKCS12)
#undef HAVE_PKCS8
#define HAVE_PKCS8
#endif
#if !defined(NO_PBKDF1) || defined(WOLFSSL_ENCRYPTED_KEYS) || defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
#if !defined(NO_PBKDF1) || defined(WOLFSSL_ENCRYPTED_KEYS) || \
defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
#undef HAVE_PBKDF1
#define HAVE_PBKDF1
#endif