security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity
gnupg/sm/minip12.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

3142 lines
84 KiB
C
Raw Permalink Normal View History

This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
/* minip12.c - A minimal pkcs-12 implementation.
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
* Copyright (C) 2002, 2003, 2004, 2006, 2011 Free Software Foundation, Inc.
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
* Copyright (C) 2014 Werner Koch
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
* Copyright (C) 2022, 2023 g10 Code GmbH
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
Changed to GPLv3. Removed intl/.
2007-07-04 21:49:40 +02:00
* the Free Software Foundation; either version 3 of the License, or
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
Change all http://www.gnu.org in license notices to https:// --
2016-11-05 12:02:19 +01:00
* along with this program; if not, see <https://www.gnu.org/licenses/>.
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
* SPDX-License-Identifier: GPL-3.0-or-later
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
*/
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
/* References:
* RFC-7292 - PKCS #12: Personal Information Exchange Syntax v1.1
* RFC-8351 - The PKCS #8 EncryptedPrivateKeyInfo Media Type
* RFC-5958 - Asymmetric Key Packages
* RFC-3447 - PKCS #1: RSA Cryptography Specifications Version 2.1
* RFC-5915 - Elliptic Curve Private Key Structure
*/
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gcrypt.h>
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
#include <errno.h>
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
#include <ksba.h>
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
#include "../common/util.h"
Merged jnlib into common.
2010-03-10 13:24:58 +01:00
#include "../common/logging.h"
#include "../common/utf8conv.h"
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
#include "../common/tlv.h"
#include "../common/openpgpdefs.h" /* Only for openpgp_curve_to_oid. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
#include "minip12.h"
#ifndef DIM
#define DIM(v) (sizeof(v)/sizeof((v)[0]))
#endif
sm: Improve the octet string cramming for pkcs#12 * sm/minip12.c (need_octet_string_cramming): New. (tlv_expect_object, tlv_expect_octet_string): Run the test before cramming. * sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro for debug purposes. (bag_decrypted_data_p, bag_data_p): Use macro to allow dumping. -- This bug was exhibited by importing a gpgsm exported EC certificate. We use an extra test instead of retrying to allow retruning an error from malloc failure. And well, for easier reading of the code. GnuPG-bug-id: 6536
2023-10-05 10:02:59 +02:00
/* Enable the next macro to dump stuff for debugging. */
#undef ENABLE_DER_STRUCT_DUMPING
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static unsigned char const oid_data[9] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01 };
static unsigned char const oid_encryptedData[9] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06 };
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
static unsigned char const oid_pkcs_12_keyBag[11] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x01 };
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static unsigned char const oid_pkcs_12_pkcs_8ShroudedKeyBag[11] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x02 };
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
static unsigned char const oid_pkcs_12_CertBag[11] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x03 };
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
static unsigned char const oid_pkcs_12_CrlBag[11] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x0A, 0x01, 0x04 };
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static unsigned char const oid_pbeWithSHAAnd3_KeyTripleDES_CBC[10] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03 };
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
static unsigned char const oid_pbeWithSHAAnd40BitRC2_CBC[10] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06 };
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
static unsigned char const oid_x509Certificate_for_pkcs_12[10] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x16, 0x01 };
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
static unsigned char const oid_pkcs5PBKDF2[9] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C };
static unsigned char const oid_pkcs5PBES2[9] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D };
static unsigned char const oid_aes128_CBC[9] = {
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02 };
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
static unsigned char const oid_aes256_CBC[9] = {
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A };
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
static unsigned char const oid_hmacWithSHA1[8] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x07 };
static unsigned char const oid_hmacWithSHA224[8] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x08 };
static unsigned char const oid_hmacWithSHA256[8] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x09 };
static unsigned char const oid_hmacWithSHA384[8] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x0A };
static unsigned char const oid_hmacWithSHA512[8] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x0B };
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static unsigned char const oid_rsaEncryption[9] = {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
static unsigned char const oid_pcPublicKey[7] = {
0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 };
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
static unsigned char const data_3desiter2048[30] = {
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
0x30, 0x1C, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03, 0x30, 0x0E,
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
0x04, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
0xFF, 0xFF, 0x02, 0x02, 0x08, 0x00 };
#define DATA_3DESITER2048_SALT_OFF 18
static unsigned char const data_rc2iter2048[30] = {
0x30, 0x1C, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06, 0x30, 0x0E,
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
0x04, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0x02, 0x02, 0x08, 0x00 };
#define DATA_RC2ITER2048_SALT_OFF 18
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
static unsigned char const data_mactemplate[51] = {
0x30, 0x31, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04,
0x14, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x08, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
0x02, 0x08, 0x00 };
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
#define DATA_MACTEMPLATE_MAC_OFF 17
#define DATA_MACTEMPLATE_SALT_OFF 39
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Improve the octet string cramming for pkcs#12 * sm/minip12.c (need_octet_string_cramming): New. (tlv_expect_object, tlv_expect_octet_string): Run the test before cramming. * sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro for debug purposes. (bag_decrypted_data_p, bag_data_p): Use macro to allow dumping. -- This bug was exhibited by importing a gpgsm exported EC certificate. We use an extra test instead of retrying to allow retruning an error from malloc failure. And well, for easier reading of the code. GnuPG-bug-id: 6536
2023-10-05 10:02:59 +02:00
/* Note that the BMP String in this template reads:
* "GnuPG exported certificate ffffffff" */
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
static unsigned char const data_attrtemplate[106] = {
0x31, 0x7c, 0x30, 0x55, 0x06, 0x09, 0x2a, 0x86,
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31,
0x48, 0x1e, 0x46, 0x00, 0x47, 0x00, 0x6e, 0x00,
0x75, 0x00, 0x50, 0x00, 0x47, 0x00, 0x20, 0x00,
0x65, 0x00, 0x78, 0x00, 0x70, 0x00, 0x6f, 0x00,
0x72, 0x00, 0x74, 0x00, 0x65, 0x00, 0x64, 0x00,
0x20, 0x00, 0x63, 0x00, 0x65, 0x00, 0x72, 0x00,
0x74, 0x00, 0x69, 0x00, 0x66, 0x00, 0x69, 0x00,
0x63, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00,
0x20, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00,
0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00,
0x66, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16,
0x04, 0x14 }; /* Need to append SHA-1 digest. */
#define DATA_ATTRTEMPLATE_KEYID_OFF 73
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
struct buffer_s
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
unsigned char *buffer;
size_t length;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
};
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
/* Parser communication object. */
struct p12_parse_ctx_s
{
/* The callback for parsed certificates and its arg. */
void (*certcb)(void*, const unsigned char*, size_t);
void *certcbarg;
/* The supplied parseword. */
const char *password;
/* Set to true if the password was wrong. */
int badpass;
/* Malloced name of the curve. */
char *curve;
/* The private key as an MPI array. */
gcry_mpi_t *privatekey;
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
/* A second private key as an MPI array. */
gcry_mpi_t *privatekey2;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
};
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
static int opt_verbose;
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
void
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
p12_set_verbosity (int verbose, int debug)
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
opt_verbose = !!verbose;
if (debug)
opt_verbose = 2;
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
}
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
static int
digest_algo_from_oid (unsigned char const *oid, size_t oidlen)
{
int algo;
if (oidlen == DIM(oid_hmacWithSHA1) &&
!memcmp (oid, oid_hmacWithSHA1, oidlen))
algo = GCRY_MD_SHA1;
else if (oidlen == DIM(oid_hmacWithSHA224) &&
!memcmp (oid, oid_hmacWithSHA224, oidlen))
algo = GCRY_MD_SHA224;
else if (oidlen == DIM(oid_hmacWithSHA256) &&
!memcmp (oid, oid_hmacWithSHA256, oidlen))
algo = GCRY_MD_SHA256;
else if (oidlen == DIM(oid_hmacWithSHA384) &&
!memcmp (oid, oid_hmacWithSHA384, oidlen))
algo = GCRY_MD_SHA384;
else if (oidlen == DIM(oid_hmacWithSHA512) &&
!memcmp (oid, oid_hmacWithSHA512, oidlen))
algo = GCRY_MD_SHA512;
else
algo = 0;
return algo;
}
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
/* Wrapper around tlv_builder_add_ptr to add an OID. When we
* eventually put the whole tlv_builder stuff into Libksba, we can add
* such a function there. Right now we don't do this to avoid a
* dependency on Libksba. Function return 1 on error. */
static int
builder_add_oid (tlv_builder_t tb, int class, const char *oid)
{
gpg_error_t err;
unsigned char *der;
size_t derlen;
err = ksba_oid_from_str (oid, &der, &derlen);
if (err)
{
log_error ("%s: error converting '%s' to DER: %s\n",
__func__, oid, gpg_strerror (err));
return 1;
}
tlv_builder_add_val (tb, class, TAG_OBJECT_ID, der, derlen);
ksba_free (der);
return 0;
}
doc: Typo fixes in code comments -- Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-04 14:55:34 +02:00
/* Wrapper around tlv_builder_add_ptr to add an MPI. TAG may either
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
* be OCTET_STRING or BIT_STRING. When we eventually put the whole
* tlv_builder stuff into Libksba, we can add such a function there.
* Right now we don't do this to avoid a dependency on Libksba.
* Function return 1 on error. STRIP is a hack to remove the first
* octet from the value. */
static int
builder_add_mpi (tlv_builder_t tb, int class, int tag, gcry_mpi_t mpi,
int strip)
{
int returncode;
gpg_error_t err;
const unsigned char *s;
unsigned char *freethis = NULL;
unsigned char *freethis2 = NULL;
unsigned int nbits;
size_t n;
if (gcry_mpi_get_flag (mpi, GCRYMPI_FLAG_OPAQUE))
{
s = gcry_mpi_get_opaque (mpi, &nbits);
n = (nbits+7)/8;
}
else
{
err = gcry_mpi_aprint (GCRYMPI_FMT_USG, &freethis, &n, mpi);
if (err)
{
log_error ("%s: error converting MPI: %s\n",
__func__, gpg_strerror (err));
returncode = 1;
goto leave;
}
s = freethis;
}
if (tag == TAG_BIT_STRING)
{
freethis2 = xtrymalloc_secure (n + 1);
if (!freethis2)
{
err = gpg_error_from_syserror ();
log_error ("%s: error converting MPI: %s\n",
__func__, gpg_strerror (err));
returncode = 1;
goto leave;
}
freethis2[0] = 0;
memcpy (freethis2+1, s, n);
s = freethis2;
n++;
}
strip = !!strip;
if (strip && n < 2)
strip = 0;
tlv_builder_add_val (tb, class, tag, s+strip, n-strip);
returncode = 0;
leave:
xfree (freethis);
xfree (freethis2);
return returncode;
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
static int
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
string_to_key (int id, char *salt, size_t saltlen, int iter, const char *pw,
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
int req_keylen, unsigned char *keybuf)
{
int rc, i, j;
gcry_md_hd_t md;
gcry_mpi_t num_b1 = NULL;
int pwlen;
unsigned char hash[20], buf_b[64], buf_i[128], *p;
size_t cur_keylen;
size_t n;
cur_keylen = 0;
pwlen = strlen (pw);
if (pwlen > 63/2)
{
log_error ("password too long\n");
return -1;
}
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
if (saltlen < 8)
{
log_error ("salt too short\n");
return -1;
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
/* Store salt and password in BUF_I */
p = buf_i;
for(i=0; i < 64; i++)
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
*p++ = salt [i%saltlen];
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
for(i=j=0; i < 64; i += 2)
{
*p++ = 0;
*p++ = pw[j];
if (++j > pwlen) /* Note, that we include the trailing zero */
j = 0;
}
for (;;)
{
rc = gcry_md_open (&md, GCRY_MD_SHA1, 0);
if (rc)
{
log_error ( "gcry_md_open failed: %s\n", gpg_strerror (rc));
return rc;
}
for(i=0; i < 64; i++)
gcry_md_putc (md, id);
gcry_md_write (md, buf_i, 128);
memcpy (hash, gcry_md_read (md, 0), 20);
gcry_md_close (md);
for (i=1; i < iter; i++)
gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20);
for (i=0; i < 20 && cur_keylen < req_keylen; i++)
keybuf[cur_keylen++] = hash[i];
if (cur_keylen == req_keylen)
{
gcry_mpi_release (num_b1);
return 0; /* ready */
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
/* need more bytes. */
for(i=0; i < 64; i++)
buf_b[i] = hash[i % 20];
rc = gcry_mpi_scan (&num_b1, GCRYMPI_FMT_USG, buf_b, 64, &n);
if (rc)
{
log_error ( "gcry_mpi_scan failed: %s\n", gpg_strerror (rc));
return -1;
}
gcry_mpi_add_ui (num_b1, num_b1, 1);
for (i=0; i < 128; i += 64)
{
gcry_mpi_t num_ij;
rc = gcry_mpi_scan (&num_ij, GCRYMPI_FMT_USG, buf_i + i, 64, &n);
if (rc)
{
log_error ( "gcry_mpi_scan failed: %s\n",
gpg_strerror (rc));
return -1;
}
gcry_mpi_add (num_ij, num_ij, num_b1);
gcry_mpi_clear_highbit (num_ij, 64*8);
rc = gcry_mpi_print (GCRYMPI_FMT_USG, buf_i + i, 64, &n, num_ij);
if (rc)
{
log_error ( "gcry_mpi_print failed: %s\n",
gpg_strerror (rc));
return -1;
}
gcry_mpi_release (num_ij);
}
}
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
static int
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
set_key_iv (gcry_cipher_hd_t chd, char *salt, size_t saltlen, int iter,
const char *pw, int keybytes)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
unsigned char keybuf[24];
int rc;
gpgsm: Replace all assert calls by log_assert. -- Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-08 14:40:34 +02:00
log_assert (keybytes == 5 || keybytes == 24);
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
if (string_to_key (1, salt, saltlen, iter, pw, keybytes, keybuf))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
return -1;
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
rc = gcry_cipher_setkey (chd, keybuf, keybytes);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
if (rc)
{
log_error ( "gcry_cipher_setkey failed: %s\n", gpg_strerror (rc));
return -1;
}
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
if (string_to_key (2, salt, saltlen, iter, pw, 8, keybuf))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
return -1;
rc = gcry_cipher_setiv (chd, keybuf, 8);
if (rc)
{
log_error ("gcry_cipher_setiv failed: %s\n", gpg_strerror (rc));
return -1;
}
return 0;
}
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
static int
set_key_iv_pbes2 (gcry_cipher_hd_t chd, char *salt, size_t saltlen, int iter,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
const void *iv, size_t ivlen, const char *pw,
int cipher_algo, int digest_algo)
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
{
unsigned char *keybuf;
size_t keylen;
int rc;
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
keylen = gcry_cipher_get_algo_keylen (cipher_algo);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
if (!keylen)
return -1;
keybuf = gcry_malloc_secure (keylen);
if (!keybuf)
return -1;
rc = gcry_kdf_derive (pw, strlen (pw),
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
GCRY_KDF_PBKDF2, digest_algo,
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
salt, saltlen, iter, keylen, keybuf);
if (rc)
{
log_error ("gcry_kdf_derive failed: %s\n", gpg_strerror (rc));
gcry_free (keybuf);
return -1;
}
rc = gcry_cipher_setkey (chd, keybuf, keylen);
gcry_free (keybuf);
if (rc)
{
log_error ("gcry_cipher_setkey failed: %s\n", gpg_strerror (rc));
return -1;
}
rc = gcry_cipher_setiv (chd, iv, ivlen);
if (rc)
{
log_error ("gcry_cipher_setiv failed: %s\n", gpg_strerror (rc));
return -1;
}
return 0;
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static void
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
crypt_block (unsigned char *buffer, size_t length, char *salt, size_t saltlen,
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
int iter, const void *iv, size_t ivlen,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
const char *pw, int cipher_algo, int digest_algo, int encrypt)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
gcry_cipher_hd_t chd;
int rc;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
rc = gcry_cipher_open (&chd, cipher_algo, GCRY_CIPHER_MODE_CBC, 0);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
if (rc)
{
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
log_error ( "gcry_cipher_open failed: %s\n", gpg_strerror(rc));
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
wipememory (buffer, length);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
return;
}
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((cipher_algo == GCRY_CIPHER_AES128 || cipher_algo == GCRY_CIPHER_AES256)
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
? set_key_iv_pbes2 (chd, salt, saltlen, iter, iv, ivlen, pw,
cipher_algo, digest_algo)
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
: set_key_iv (chd, salt, saltlen, iter, pw,
cipher_algo == GCRY_CIPHER_RFC2268_40? 5:24))
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
{
wipememory (buffer, length);
goto leave;
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
rc = encrypt? gcry_cipher_encrypt (chd, buffer, length, NULL, 0)
: gcry_cipher_decrypt (chd, buffer, length, NULL, 0);
if (rc)
{
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
wipememory (buffer, length);
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
log_error ("%scrytion failed (%zu bytes): %s\n",
encrypt?"en":"de", length, gpg_strerror (rc));
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto leave;
}
leave:
gcry_cipher_close (chd);
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
/* Decrypt a block of data and try several encodings of the key.
CIPHERTEXT is the encrypted data of size LENGTH bytes; PLAINTEXT is
a buffer of the same size to receive the decryption result. SALT,
SALTLEN, ITER and PW are the information required for decryption
and CIPHER_ALGO is the algorithm id to use. CHECK_FNC is a
function called with the plaintext and used to check whether the
decryption succeeded; i.e. that a correct passphrase has been
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
given. The function returns the length of the unpadded plaintext
or 0 on error. */
static size_t
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
decrypt_block (const void *ciphertext, unsigned char *plaintext, size_t length,
char *salt, size_t saltlen,
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
int iter, const void *iv, size_t ivlen,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
const char *pw, int cipher_algo, int digest_algo,
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
int (*check_fnc) (const void *, size_t))
{
Add option --card-timeout. Add a new attribyte to app-openpgp.c Fix two portability bugs. Have gpg-connect-agent autostart gpg-agent on W32.
2008-12-05 13:01:01 +01:00
static const char * const charsets[] = {
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
"", /* No conversion - use the UTF-8 passphrase direct. */
"ISO-8859-1",
"ISO-8859-15",
"ISO-8859-2",
"ISO-8859-3",
"ISO-8859-4",
"ISO-8859-5",
"ISO-8859-6",
"ISO-8859-7",
"ISO-8859-8",
"ISO-8859-9",
"KOI8-R",
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
"IBM437",
"IBM850",
"EUC-JP",
"BIG5",
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
NULL
};
int charsetidx = 0;
char *convertedpw = NULL; /* Malloced and converted password or NULL. */
size_t convertedpwsize = 0; /* Allocated length. */
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
size_t plainlen = 0;
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
for (charsetidx=0; charsets[charsetidx]; charsetidx++)
{
if (*charsets[charsetidx])
{
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
jnlib_iconv_t cd;
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
const char *inptr;
char *outptr;
size_t inbytes, outbytes;
if (!convertedpw)
{
/* We assume one byte encodings. Thus we can allocate
the buffer of the same size as the original
passphrase; the result will actually be shorter
then. */
convertedpwsize = strlen (pw) + 1;
convertedpw = gcry_malloc_secure (convertedpwsize);
if (!convertedpw)
{
log_info ("out of secure memory while"
" converting passphrase\n");
break; /* Give up. */
}
}
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
cd = jnlib_iconv_open (charsets[charsetidx], "utf-8");
if (cd == (jnlib_iconv_t)(-1))
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
continue;
inptr = pw;
inbytes = strlen (pw);
outptr = convertedpw;
outbytes = convertedpwsize - 1;
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
if ( jnlib_iconv (cd, (const char **)&inptr, &inbytes,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
&outptr, &outbytes) == (size_t)-1)
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
{
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
jnlib_iconv_close (cd);
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
continue;
}
*outptr = 0;
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
jnlib_iconv_close (cd);
Change all quotes in strings and comments to the new GNU standard. The asymmetric quotes used by GNU in the past (`...') don't render nicely on modern systems. We now use two \x27 characters ('...'). The proper solution would be to use the correct Unicode symmetric quotes here. However this has the disadvantage that the system requires Unicode support. We don't want that today. If Unicode is available a generated po file can be used to output proper quotes. A simple sed script like the one used for en@quote is sufficient to change them. The changes have been done by applying sed -i "s/\`\([^'\`]*\)'/'\1'/g" to most files and fixing obvious problems by hand. The msgid strings in the po files were fixed with a similar command.
2012-06-05 19:29:22 +02:00
log_info ("decryption failed; trying charset '%s'\n",
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
charsets[charsetidx]);
}
memcpy (plaintext, ciphertext, length);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
crypt_block (plaintext, length, salt, saltlen, iter, iv, ivlen,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
convertedpw? convertedpw:pw, cipher_algo, digest_algo, 0);
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
if (check_fnc (plaintext, length))
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
{
/* Strip the pkcs#7 padding. */
if (length)
{
int n, i;
n = plaintext[length-1];
if (n >= length || n > 16)
log_info ("decryption failed; invalid padding size\n");
else
{
for (i=1; i < n; i++)
if (plaintext[length-i-1] != n)
break;
if (i < n)
log_info ("decryption failed; invalid padding octet\n");
else
plainlen = length - n;
}
}
break; /* Decryption probably succeeded. */
}
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
}
gcry_free (convertedpw);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
return plainlen;
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
}
/* Return true if the decryption of an bag_encrypted_data object has
likely succeeded. */
static int
bag_decrypted_data_p (const void *plaintext, size_t length)
{
struct tag_info ti;
const unsigned char *p = plaintext;
size_t n = length;
sm: Improve the octet string cramming for pkcs#12 * sm/minip12.c (need_octet_string_cramming): New. (tlv_expect_object, tlv_expect_octet_string): Run the test before cramming. * sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro for debug purposes. (bag_decrypted_data_p, bag_data_p): Use macro to allow dumping. -- This bug was exhibited by importing a gpgsm exported EC certificate. We use an extra test instead of retrying to allow retruning an error from malloc failure. And well, for easier reading of the code. GnuPG-bug-id: 6536
2023-10-05 10:02:59 +02:00
#ifdef ENABLE_DER_STRUCT_DUMPING
{
# warning debug code is enabled
FILE *fp = fopen ("tmp-minip12-plain-data.der", "wb");
if (!fp || fwrite (p, n, 1, fp) != 1)
exit (2);
fclose (fp);
}
#endif /*ENABLE_DER_STRUCT_DUMPING*/
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
if (tlv_parse_tag (&p, &n, &ti))
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
return 0;
if (ti.class || ti.tag != TAG_SEQUENCE)
return 0;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
if (tlv_parse_tag (&p, &n, &ti))
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
return 0;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
return 1;
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static int
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_error_t err = 0;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
const char *where;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
const unsigned char *oid;
size_t oidlen;
const unsigned char *data;
size_t datalen;
int intval;
gpgsm: Increase salt size in pkcs#12 parser. * sm/minip12.c (parse_bag_encrypted_data): Need 32 bytes. -- GnuPG-bug-id: 6757
2024-02-05 07:59:02 +01:00
char salt[32];
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
size_t saltlen;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
char iv[16];
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
unsigned int iter;
unsigned char *plain = NULL;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
int is_3des = 0;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
int is_pbes2 = 0;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int is_aes256 = 0;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
int keyelem_count;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int renewed_tlv = 0;
int loopcount;
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
unsigned int startlevel, startlevel2;
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
int digest_algo = GCRY_MD_SHA1;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
where = "bag.encryptedData";
if (opt_verbose)
log_info ("processing %s\n", where);
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
where = "bag.encryptedData.version";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (intval)
{
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
}
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
where = "bag.encryptedData.data";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
where = "bag.encryptedData.keyinfo";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
goto bailout;
if (oidlen == DIM(oid_pbeWithSHAAnd40BitRC2_CBC)
&& !memcmp (oid, oid_pbeWithSHAAnd40BitRC2_CBC,
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
DIM(oid_pbeWithSHAAnd40BitRC2_CBC)))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
;
else if (oidlen == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
&& !memcmp (oid, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
is_3des = 1;
else if (oidlen == DIM(oid_pkcs5PBES2)
&& !memcmp (oid, oid_pkcs5PBES2, oidlen))
is_pbes2 = 1;
else
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
goto bailout;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/*FIXME: This code is duplicated in parse_shrouded_key_bag. */
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
if (is_pbes2)
{
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
size_t parmlen; /* Remaining length of the parameter sequence. */
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
where = "pkcs5PBES2-params";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
goto bailout;
if (oidlen != DIM(oid_pkcs5PBKDF2)
|| memcmp (oid, oid_pkcs5PBKDF2, oidlen))
{
err = gpg_error (GPG_ERR_INV_BER); /* Not PBKDF2. */
goto bailout;
}
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parmlen = tlv_parser_tag_length (tlv, 0);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parmlen -= tlv_parser_tag_length (tlv, 1);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (datalen < 8 || datalen > sizeof salt)
{
log_info ("bad length of salt (%zu)\n", datalen);
err = gpg_error (GPG_ERR_INV_LENGTH);
goto bailout;
}
saltlen = datalen;
memcpy (salt, data, saltlen);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parmlen -= tlv_parser_tag_length (tlv, 1);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!intval) /* Not a valid iteration count. */
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
iter = intval;
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
if (parmlen > 2) /* There is the optional prf. */
{
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_sequence (tlv))
goto bailout;
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
goto bailout;
digest_algo = digest_algo_from_oid (oid, oidlen);
if (!digest_algo)
{
gpgrt_log_printhex (oid, oidlen, "kdf digest algo:");
err = gpg_error (GPG_ERR_DIGEST_ALGO);
goto bailout;
}
if (opt_verbose > 1)
log_debug ("kdf digest algo = %d\n", digest_algo);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_peek_null (tlv))
{
/* Read the optional Null tag. */
if (tlv_next (tlv))
goto bailout;
}
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
}
else
digest_algo = GCRY_MD_SHA1;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen == DIM(oid_aes128_CBC)
&& !memcmp (oid, oid_aes128_CBC, oidlen))
;
else if (oidlen == DIM(oid_aes256_CBC)
&& !memcmp (oid, oid_aes256_CBC, oidlen))
is_aes256 = 1;
else
{
gpgrt_log_printhex (oid, oidlen, "cipher algo:");
err = gpg_error (GPG_ERR_CIPHER_ALGO);
goto bailout;
}
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
goto bailout;
if (datalen != sizeof iv)
{
err = gpg_error (GPG_ERR_INV_LENGTH);
goto bailout; /* Bad IV. */
}
memcpy (iv, data, datalen);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
else
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
{
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
where = "rc2or3des-params";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (datalen < 8 || datalen > 20)
{
log_info ("bad length of salt (%zu) for 3DES\n", datalen);
err = gpg_error (GPG_ERR_INV_LENGTH);
goto bailout;
}
saltlen = datalen;
memcpy (salt, data, saltlen);
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!intval)
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
iter = intval;
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
where = "rc2or3desoraes-ciphertext";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
goto bailout;
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object (tlv, CLASS_CONTEXT, 0, &data, &datalen))
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
goto bailout;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
if (opt_verbose)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
log_info ("%zu bytes of %s encrypted text\n", datalen,
is_pbes2?(is_aes256?"AES256":"AES128"):is_3des?"3DES":"RC2");
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
plain = gcry_malloc_secure (datalen);
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
if (!plain)
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error_from_syserror ();
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
log_error ("error allocating decryption buffer\n");
goto bailout;
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
datalen = decrypt_block (data, plain, datalen, salt, saltlen, iter,
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
iv, is_pbes2?16:0, ctx->password,
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
is_pbes2 ? (is_aes256?GCRY_CIPHER_AES256:GCRY_CIPHER_AES128) :
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
is_3des ? GCRY_CIPHER_3DES : GCRY_CIPHER_RFC2268_40,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
digest_algo,
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
bag_decrypted_data_p);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!datalen)
{
err = gpg_error (GPG_ERR_DECRYPT_FAILED);
gpgsm: Re-introduce the bad passphrase hint for pkcs#12. * sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag. (parse_shrouded_key_bag): Ditto. --
2023-11-14 09:47:13 +01:00
ctx->badpass = 1; /* This is the most likley reason. */
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
goto bailout;
}
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/* We do not need the TLV anymore and allocated a new one. */
where = "bag.encryptedData.decrypted-text";
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv = tlv_parser_new (plain, datalen, opt_verbose);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!tlv)
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error_from_syserror ();
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
goto bailout;
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
renewed_tlv = 1;
if (tlv_next (tlv))
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
ctx->badpass = 1;
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
goto bailout;
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_expect_sequence (tlv))
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
ctx->badpass = 1;
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
goto bailout;
}
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
Preparing an interim release
2005-11-28 12:52:25 +01:00
/* Loop over all certificates inside the bag. */
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
loopcount = 0;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
startlevel = tlv_parser_level (tlv);
while (!(err = tlv_next (tlv)) && tlv_parser_level (tlv) == startlevel)
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
{
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
int iscrlbag = 0;
int iskeybag = 0;
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
loopcount++;
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
where = "certbag.nextcert";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
goto bailout;
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
where = "certbag.oid";
if (tlv_next (tlv))
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen == DIM(oid_pkcs_12_CertBag)
&& !memcmp (oid, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
;
else if (oidlen == DIM(oid_pkcs_12_CrlBag)
&& !memcmp (oid, oid_pkcs_12_CrlBag, DIM(oid_pkcs_12_CrlBag)))
iscrlbag = 1;
else if (oidlen == DIM(oid_pkcs_12_keyBag)
&& !memcmp (oid, oid_pkcs_12_keyBag, DIM(oid_pkcs_12_keyBag)))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
{
/* The TrustedMIME plugin for MS Outlook started to create
files with just one outer 3DES encrypted container and
inside the certificates as well as the key. */
iskeybag = 1;
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
}
else
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
{
gpgrt_log_printhex (oid, oidlen, "cert bag type OID:");
err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
goto bailout;
}
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
where = "certbag.before.certheader";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
if (iscrlbag)
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
{
log_info ("skipping unsupported crlBag\n");
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
else if (iskeybag && ctx->privatekey)
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
{
log_info ("one keyBag already processed; skipping this one\n");
}
else if (iskeybag)
{
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
if (opt_verbose)
log_info ("processing simple keyBag\n");
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (intval)
{
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
}
if (tlv_next (tlv))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen != DIM(oid_rsaEncryption)
|| memcmp (oid, oid_rsaEncryption, oidlen))
{
err = gpg_error (GPG_ERR_PUBKEY_ALGO);
goto bailout;
}
/* We ignore the next octet string. */
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_sequence (tlv))
goto bailout;
if (ctx->privatekey)
{
err = gpg_error (GPG_ERR_DUP_VALUE);
log_error ("a private key has already been received\n");
goto bailout;
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
ctx->privatekey = gcry_calloc (10, sizeof *ctx->privatekey);
if (!ctx->privatekey)
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error_from_syserror ();
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_error ("error allocating private key element array\n");
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
}
where = "reading.keybag.key-parameters";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
keyelem_count = 0;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
startlevel2 = tlv_parser_level (tlv);
while (!(err = tlv_next (tlv)) && tlv_parser_level (tlv) == startlevel2)
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (keyelem_count >= 9)
{
err = gpg_error (GPG_ERR_TOO_MANY);
goto bailout;
}
err = tlv_expect_mpinteger (tlv, !keyelem_count,
ctx->privatekey+keyelem_count);
if (!keyelem_count && gpg_err_code (err) == GPG_ERR_FALSE)
; /* Ignore the first value iff it is zero. */
else if (err)
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
log_error ("error parsing RSA key parameter %d: %s\n",
keyelem_count, gpg_strerror (err));
goto bailout;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
}
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
if (opt_verbose > 1)
log_debug ("RSA key parameter %d found\n", keyelem_count);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
keyelem_count++;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!err)
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_set_pending (tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
else if (err && gpg_err_code (err) != GPG_ERR_EOF)
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = 0;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
}
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
else
{
sm: Silence some output on --quiet * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet. * sm/gpgsm.c: Include minip12.h. (set_debug): Call p12_set_verbosity. * sm/import.c (parse_p12): Dump keygrip only in debug mode. * sm/minip12.c (opt_verbose, p12_set_verbosity): New. (parse_bag_encrypted_data): Print info messages only in verbose mode. -- GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
if (opt_verbose)
log_info ("processing certBag\n");
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen != DIM(oid_x509Certificate_for_pkcs_12)
|| memcmp (oid, oid_x509Certificate_for_pkcs_12,
DIM(oid_x509Certificate_for_pkcs_12)))
{
err = gpg_error (GPG_ERR_UNSUPPORTED_CERT);
goto bailout;
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
where = "certbag.before.octetstring";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (intval)
{
err = gpg_error (GPG_ERR_BAD_BER);
goto bailout;
}
if (tlv_next (tlv))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
goto bailout;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
/* Return the certificate. */
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (ctx->certcb)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
ctx->certcb (ctx->certcbarg, data, datalen);
Include cmacros.am for common flags. (libexec_PROGRAMS): Put gpg-protect-tool there.
2004-02-12 10:27:36 +01:00
}
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
/* Skip the optional SET with the pkcs12 cert attributes. */
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
where = "bag.attribute_set";
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_SET))
{
if (tlv_next (tlv))
goto bailout;
err = tlv_expect_set (tlv);
if (err)
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_skip (tlv);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (opt_verbose)
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
log_info ("skipping %s\n", where);
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
}
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!err)
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_set_pending (tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
else if (err && gpg_err_code (err) != GPG_ERR_EOF)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
{
if (!loopcount) /* The first while(tlv_next) failed. */
ctx->badpass = 1;
goto bailout;
}
err = 0;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
leave:
if (renewed_tlv)
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_release (tlv);
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
gcry_free (plain);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (ctx->badpass)
* minip12.c (parse_bag_encrypted_data): Print error if a bad passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
2004-09-29 15:50:31 +02:00
{
/* Note, that the following string might be used by other programs
to check for a bad passphrase; it should therefore not be
translated or changed. */
log_error ("possibly bad passphrase given\n");
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
return err;
bailout:
if (!err)
err = gpg_error (GPG_ERR_GENERAL);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
log_error ("%s(%s): lvl=%u (%s): %s - %s\n",
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
__func__, where,
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_level (tlv),
tlv_parser_lastfunc (tlv),
tlv_parser_lasterrstr (tlv),
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_strerror (err));
goto leave;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
/* Return true if the decryption of a bag_data object has likely
succeeded. */
static int
bag_data_p (const void *plaintext, size_t length)
{
struct tag_info ti;
const unsigned char *p = plaintext;
size_t n = length;
sm: Improve the octet string cramming for pkcs#12 * sm/minip12.c (need_octet_string_cramming): New. (tlv_expect_object, tlv_expect_octet_string): Run the test before cramming. * sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro for debug purposes. (bag_decrypted_data_p, bag_data_p): Use macro to allow dumping. -- This bug was exhibited by importing a gpgsm exported EC certificate. We use an extra test instead of retrying to allow retruning an error from malloc failure. And well, for easier reading of the code. GnuPG-bug-id: 6536
2023-10-05 10:02:59 +02:00
#ifdef ENABLE_DER_STRUCT_DUMPING
{
# warning debug code is enabled
FILE *fp = fopen ("tmp-minip12-plain-key.der", "wb");
if (!fp || fwrite (p, n, 1, fp) != 1)
exit (2);
fclose (fp);
}
#endif /*ENABLE_DER_STRUCT_DUMPING*/
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
if (tlv_parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
return 0;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
if (tlv_parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
|| ti.length != 1 || *p)
return 0;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
return 1;
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
static gpg_error_t
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parse_shrouded_key_bag (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
gpg_error_t err = 0;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
const char *where;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
const unsigned char *oid;
size_t oidlen;
const unsigned char *data;
size_t datalen;
int intval;
Allow importing of web.de generated p12 files
2006-10-23 12:52:23 +02:00
char salt[20];
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
size_t saltlen;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
char iv[16];
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
unsigned int iter;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_t saved_tlv = NULL;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int renewed_tlv = 0; /* True if the TLV must be released. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
unsigned char *plain = NULL;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
int is_pbes2 = 0;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int is_aes256 = 0;
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
int digest_algo = GCRY_MD_SHA1;
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
gcry_mpi_t *privatekey;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "shrouded_key_bag";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (opt_verbose)
log_info ("processing %s\n", where);
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
where = "shrouded_key_bag.cipherinfo";
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
goto bailout;
if (oidlen == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
&& !memcmp (oid, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
; /* Standard cipher. */
else if (oidlen == DIM(oid_pkcs5PBES2)
&& !memcmp (oid, oid_pkcs5PBES2, DIM(oid_pkcs5PBES2)))
is_pbes2 = 1;
else
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
goto bailout;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
if (is_pbes2)
{
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
size_t parmlen; /* Remaining length of the parameter sequence. */
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "shrouded_key_bag.pkcs5PBES2-params";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!(oidlen == DIM(oid_pkcs5PBKDF2)
&& !memcmp (oid, oid_pkcs5PBKDF2, oidlen)))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout; /* Not PBKDF2. */
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parmlen = tlv_parser_tag_length (tlv, 0);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parmlen -= tlv_parser_tag_length (tlv, 1);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (datalen < 8 || datalen > sizeof salt)
{
log_info ("bad length of salt (%zu) for AES\n", datalen);
err = gpg_error (GPG_ERR_INV_LENGTH);
goto bailout;
}
saltlen = datalen;
memcpy (salt, data, saltlen);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parmlen -= tlv_parser_tag_length (tlv, 1);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!intval) /* Not a valid iteration count. */
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
iter = intval;
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
if (parmlen > 2) /* There is the optional prf. */
{
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_sequence (tlv))
goto bailout;
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
goto bailout;
digest_algo = digest_algo_from_oid (oid, oidlen);
if (!digest_algo)
{
gpgrt_log_printhex (oid, oidlen, "kdf digest algo:");
err = gpg_error (GPG_ERR_DIGEST_ALGO);
goto bailout;
}
if (opt_verbose > 1)
log_debug ("kdf digest algo = %d\n", digest_algo);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_peek_null (tlv))
{
/* Read the optional Null tag. */
if (tlv_next (tlv))
goto bailout;
}
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
}
else
digest_algo = GCRY_MD_SHA1;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
goto bailout;
if (oidlen == DIM(oid_aes128_CBC)
&& !memcmp (oid, oid_aes128_CBC, oidlen))
;
else if (oidlen == DIM(oid_aes256_CBC)
&& !memcmp (oid, oid_aes256_CBC, oidlen))
is_aes256 = 1;
else
{
gpgrt_log_printhex (oid, oidlen, "cipher is:");
err = gpg_error (GPG_ERR_CIPHER_ALGO);
goto bailout;
}
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (datalen != sizeof iv)
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout; /* Bad IV. */
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
memcpy (iv, data, datalen);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
else
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "shrouded_key_bag.3des-params";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (datalen < 8 || datalen > 20)
{
log_info ("bad length of salt (%zu) for 3DES\n", datalen);
err = gpg_error (GPG_ERR_INV_LENGTH);
goto bailout;
}
saltlen = datalen;
memcpy (salt, data, saltlen);
if (tlv_next (tlv))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!intval)
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
iter = intval;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "shrouded_key_bag.3desoraes-ciphertext";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
sm: Do not print certain issuer not found diags in quiet mode. * sm/certchain.c (find_up_dirmngr): Print one diagnostic only in verbose mode. Do not print issuer not found diags in quiet mode. * sm/minip12.c (parse_bag_data): Add missing verbose condition. -- GnuPG-bug-id: 4757
2021-02-25 09:16:18 +01:00
if (opt_verbose)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
log_info ("%zu bytes of %s encrypted text\n",
datalen, is_pbes2? (is_aes256?"AES256":"AES128"):"3DES");
plain = gcry_malloc_secure (datalen);
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
if (!plain)
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error_from_syserror ();
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
log_error ("error allocating decryption buffer\n");
goto bailout;
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
datalen = decrypt_block (data, plain, datalen, salt, saltlen, iter,
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
iv, is_pbes2? 16:0, ctx->password,
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
is_pbes2 ? (is_aes256?GCRY_CIPHER_AES256:GCRY_CIPHER_AES128)
: GCRY_CIPHER_3DES,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
digest_algo,
* PKCS#12 import now tries several encodings in case the passphrase was not utf-8 encoded.
2007-03-19 19:54:34 +01:00
bag_data_p);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!datalen)
{
err = gpg_error (GPG_ERR_DECRYPT_FAILED);
gpgsm: Re-introduce the bad passphrase hint for pkcs#12. * sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag. (parse_shrouded_key_bag): Ditto. --
2023-11-14 09:47:13 +01:00
ctx->badpass = 1;
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
goto bailout;
}
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/* We do not need the TLV anymore and allocated a new one. */
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "shrouded_key_bag.decrypted-text";
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
saved_tlv = tlv;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv = tlv_parser_new (plain, datalen, opt_verbose);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!tlv)
{
err = gpg_error_from_syserror ();
goto bailout;
}
renewed_tlv = 1;
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
if (opt_verbose > 1)
log_debug ("new parser context\n");
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
{
ctx->badpass = 1;
goto bailout;
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_expect_sequence (tlv))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
{
ctx->badpass = 1;
goto bailout;
}
if (tlv_next (tlv))
{
ctx->badpass = 1;
goto bailout;
}
if ((err = tlv_expect_integer (tlv, &intval)))
{
ctx->badpass = 1;
goto bailout;
}
if (intval)
{
ctx->badpass = 1;
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
}
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen == DIM(oid_rsaEncryption)
&& !memcmp (oid, oid_rsaEncryption, oidlen))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (opt_verbose > 1)
log_debug ("RSA parameters\n");
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_peek_null (tlv))
{
/* Read the optional Null tag. */
if (tlv_next (tlv))
goto bailout;
}
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
else if (oidlen == DIM(oid_pcPublicKey)
&& !memcmp (oid, oid_pcPublicKey, oidlen))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
{
/* See RFC-5915 for the format. */
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_object_id (tlv, &oid, &oidlen))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
goto bailout;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
ksba_free (ctx->curve);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
ctx->curve = ksba_oid_to_str (oid, oidlen);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (!ctx->curve)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
{
err = gpg_error (GPG_ERR_INV_OID_STRING);
goto bailout;
}
if (opt_verbose > 1)
log_debug ("OID of curve is: %s\n", ctx->curve);
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
else /* Unknown key format */
{
gpgrt_log_printhex (oid, oidlen, "key format OID:");
err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
goto bailout;
}
/* An octet string to encapsulate the key elements. */
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 1, &data, &datalen))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
if (ctx->privatekey2)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_DUP_VALUE);
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
log_error ("two private kesy have already been received\n");
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
}
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
privatekey = gcry_calloc (10, sizeof *privatekey);
if (!privatekey)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error_from_syserror ();
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_error ("error allocating privatekey element array\n");
goto bailout;
}
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
if (ctx->privatekey)
{
log_info ("a private key has already been received - reading second\n");
ctx->privatekey2 = privatekey;
}
else
ctx->privatekey = privatekey;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "shrouded_key_bag.reading.key-parameters";
if (ctx->curve) /* ECC case. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err = tlv_expect_integer (tlv, &intval)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (intval != 1)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = gpg_error (GPG_ERR_INV_VALUE);
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
log_error ("error parsing private ecPublicKey parameter: %s\n",
"bad version");
goto bailout;
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (opt_verbose > 1)
log_printhex (data, datalen, "ecc q=");
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
err = gcry_mpi_scan (privatekey, GCRYMPI_FMT_USG,
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
data, datalen, NULL);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (err)
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_error ("error parsing key parameter: %s\n", gpg_strerror (err));
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
goto bailout;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
}
else /* RSA case */
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int keyelem_count = 0;
int firstparam = 1;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
unsigned int startlevel = tlv_parser_level (tlv);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
while (!(err = tlv_next (tlv)) && tlv_parser_level (tlv) == startlevel)
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (keyelem_count >= 9)
{
err = gpg_error (GPG_ERR_TOO_MANY);
goto bailout;
}
err = tlv_expect_mpinteger (tlv, firstparam,
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
privatekey+keyelem_count);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (firstparam && gpg_err_code (err) == GPG_ERR_FALSE)
; /* Ignore the first value iff it is zero. */
else if (err)
{
log_error ("error parsing RSA key parameter %d: %s\n",
keyelem_count, gpg_strerror (err));
goto bailout;
}
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
else
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (opt_verbose > 1)
log_debug ("RSA key parameter %d found\n", keyelem_count);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
keyelem_count++;
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
firstparam = 0;
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!err)
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_set_pending (tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
else if (err && gpg_err_code (err) != GPG_ERR_EOF)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
goto bailout;
err = 0;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
if (opt_verbose > 1)
log_debug ("restoring parser context\n");
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_release (tlv);
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
renewed_tlv = 0;
tlv = saved_tlv;
where = "shrouded_key_bag.attribute_set";
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
/* Check for an optional set of attributes. */
if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_SET))
{
if (tlv_next (tlv))
goto bailout;
err = tlv_expect_set (tlv);
if (err)
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_skip (tlv);
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
if (opt_verbose)
log_info ("skipping %s\n", where);
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
leave:
gcry_free (plain);
if (renewed_tlv)
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
{
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_release (tlv);
sm: Adding missing stuff to the PKCS#12 parser rewrite. * sm/minip12.c (struct bufferlist_s): New. (struct tlv_ctx_s): Add bufferlist. (tlv_register_buffer): New. (tlv_release): Release bufferlist. (tlv_expect_object): Handle octet string cramming. (tlv_expect_octet_string): Ditto. (cram_octet_string): Changed interface. We don't need the input_consumed value anymore. * sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set. * sm/t-minip12.c (main): Add option --no-extra. (cert_collect_cb, run_tests_from_file): Fix memory leak * tests/cms/samplekeys/t5793-openssl.pfx: New from T5793. * tests/cms/samplekeys/t5793-test.pfx: Ditto. * tests/cms/samplekeys/Description-p12: Add them. * tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys. -- This should finish the rewrite of the pkcsc#12 parser for now. More fun is likely to come. GnuPG-bug-id: 6536, 5793
2023-06-29 16:33:03 +02:00
if (opt_verbose > 1)
log_debug ("parser context released\n");
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
return err;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
bailout:
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (!err)
err = gpg_error (GPG_ERR_GENERAL);
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
log_error ("%s(%s): lvl=%u (%s): %s - %s\n",
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
__func__, where,
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_level (tlv),
tlv_parser_lastfunc (tlv),
tlv_parser_lasterrstr (tlv),
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_strerror (err));
goto leave;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
}
static gpg_error_t
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parse_cert_bag (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
{
gpg_error_t err = 0;
const char *where;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int intval;
const unsigned char *oid;
size_t oidlen;
const unsigned char *data;
size_t datalen;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (opt_verbose)
log_info ("processing certBag\n");
/* Expect:
* [0]
* SEQUENCE
* OBJECT IDENTIFIER pkcs-12-certBag
*/
where = "certbag.before.certheader";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (intval)
{
err = gpg_error (GPG_ERR_INV_VALUE);
goto bailout;
}
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen != DIM(oid_x509Certificate_for_pkcs_12)
|| memcmp (oid, oid_x509Certificate_for_pkcs_12, oidlen))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
/* Expect:
* [0]
* OCTET STRING encapsulates -- the certificates
*/
where = "certbag.before.octetstring";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
/* Return the certificate from the octet string. */
if (ctx->certcb)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
ctx->certcb (ctx->certcbarg, data, datalen);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/* Expect optional:
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
* SET
* SEQUENCE -- we actually ignore this.
*/
where = "certbag.attribute_set";
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
/* Check for an optional set of attributes. */
if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_SET))
{
if (tlv_next (tlv))
goto bailout;
err = tlv_expect_set (tlv);
if (err)
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_skip (tlv);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (opt_verbose)
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
log_info ("skipping %s\n", where);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
leave:
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
return err;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
bailout:
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
log_error ("%s(%s): lvl=%u (%s): %s - %s\n",
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
__func__, where,
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_level (tlv),
tlv_parser_lastfunc (tlv),
tlv_parser_lasterrstr (tlv),
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_strerror (err));
if (!err)
err = gpg_error (GPG_ERR_GENERAL);
goto leave;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
}
static gpg_error_t
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
parse_bag_data (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
{
gpg_error_t err = 0;
const char *where;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
int intval;
const unsigned char *oid;
size_t oidlen;
unsigned int startlevel;
if (opt_verbose)
log_info ("processing bag data\n");
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
/* Expect:
* [0]
* OCTET STRING, encapsulates
*/
where = "data";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_octet_string (tlv, 1, NULL, NULL))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_OCTET_STRING))
{
if (tlv_next (tlv))
goto bailout;
err = tlv_expect_octet_string (tlv, 1, NULL, NULL);
if (err)
goto bailout;
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
/* Expect:
* SEQUENCE
*/
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
where = "data.outerseqs";
if (tlv_next (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (tlv_expect_sequence (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
startlevel = tlv_parser_level (tlv);
tlv_parser_dump_state ("data.outerseqs", "beginloop", tlv);
while (!(err = tlv_next (tlv)) && tlv_parser_level (tlv) == startlevel)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/* Expect:
* SEQUENCE
*/
where = "data.innerseqs";
if (tlv_expect_sequence (tlv))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/* Expect:
* OBJECT IDENTIFIER
*/
where = "data.oid";
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
/* Divert to the actual parser. */
if (oidlen == DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)
&& !memcmp (oid, oid_pkcs_12_pkcs_8ShroudedKeyBag,
DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)))
{
if ((err = parse_shrouded_key_bag (ctx, tlv)))
goto bailout;
}
else if (oidlen == DIM(oid_pkcs_12_CertBag)
&& !memcmp (oid, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
{
if ((err = parse_cert_bag (ctx, tlv)))
goto bailout;
}
else
{
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_skip (tlv);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
log_info ("unknown inner data type - skipped\n");
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
}
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_dump_state ("data.outerseqs", "endloop", tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!err)
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_set_pending (tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
else if (err && gpg_err_code (err) != GPG_ERR_EOF)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
err = 0;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
leave:
return err;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
bailout:
if (!err)
err = gpg_error (GPG_ERR_GENERAL);
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
log_error ("%s(%s): lvl=%u (%s): %s - %s\n",
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
__func__, where,
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_level (tlv),
tlv_parser_lastfunc (tlv),
tlv_parser_lasterrstr (tlv),
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_strerror (err));
goto leave;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
/* Parse a PKCS12 object and return an array of MPI representing the
Fixed a build bug (straw letter in sm/import.c) and updated the documentation.
2004-02-04 20:13:16 +01:00
secret key parameters. This is a very limited implementation in
that it is only able to look for 3DES encoded encryptedData and
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
tries to extract the first private key object it finds. In case of
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
an error NULL is returned. CERTCB and CERTCBARG are used to pass
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
X.509 certificates back to the caller. If R_CURVE is not NULL and
an ECC key was found the OID of the curve is stored there. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
gcry_mpi_t *
* minip12.c (parse_bag_encrypted_data): Finished implementation. (p12_parse): Add callback args. * protect-tool.c (import_p12_cert_cb): New. (import_p12_file): Use it.
2004-02-10 20:26:55 +01:00
p12_parse (const unsigned char *buffer, size_t length, const char *pw,
void (*certcb)(void*, const unsigned char*, size_t),
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
void *certcbarg, int *r_badpass, char **r_curve)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_error_t err;
gpgsm: Init a diagnostic var. * sm/minip12.c (p12_parse): Init where. --
2023-07-04 09:26:10 +02:00
const char *where = "";
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_t tlv;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
struct p12_parse_ctx_s ctx = { NULL };
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
const unsigned char *oid;
size_t oidlen;
int intval;
unsigned int startlevel;
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
int i;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
Avoid using the protect-tool to import pkcs#12.
2010-06-17 17:44:44 +02:00
*r_badpass = 0;
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
ctx.certcb = certcb;
ctx.certcbarg = certcbarg;
ctx.password = pw;
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv = tlv_parser_new (buffer, length, opt_verbose);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (!tlv)
{
err = gpg_error_from_syserror ();
goto bailout;
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
where = "pfx";
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_sequence (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
where = "pfxVersion";
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_integer (tlv, &intval)) || intval != 3)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
where = "authSave";
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_sequence (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_object_id (tlv, &oid, &oidlen)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data)))
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
{
err = gpg_error (GPG_ERR_INV_OBJ);
goto bailout;
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_context_tag (tlv, &intval)) || intval != 0 )
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_octet_string (tlv, 1, NULL, NULL)))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
goto bailout;
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_OCTET_STRING))
{
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
goto bailout;
err = tlv_expect_octet_string (tlv, 1, NULL, NULL);
if (err)
goto bailout;
}
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
where = "bags";
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_sequence (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
startlevel = tlv_parser_level (tlv);
tlv_parser_dump_state ("bags", "beginloop", tlv);
while (!(err = tlv_next (tlv)) && tlv_parser_level (tlv) == startlevel)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
where = "bag-sequence";
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_dump_state (where, NULL, tlv);
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_sequence (tlv)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_next (tlv)))
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
goto bailout;
gpgsm: cleanup on error paths * sm/minip12.c (p12_parse): set err on the different error paths -- GnuPG-bug-id: 6973 Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786 Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 00:30:02 +01:00
if ((err = tlv_expect_object_id (tlv, &oid, &oidlen)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
goto bailout;
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if (oidlen == DIM(oid_encryptedData)
&& !memcmp (oid, oid_encryptedData, DIM(oid_encryptedData)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
where = "bag.encryptedData";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err=parse_bag_encrypted_data (&ctx, tlv)))
goto bailout;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
else if (oidlen == DIM(oid_data)
&& !memcmp (oid, oid_data, DIM(oid_data)))
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
where = "bag.data";
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
if ((err=parse_bag_data (&ctx, tlv)))
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
goto bailout;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
else if (oidlen == DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)
&& !memcmp (oid, oid_pkcs_12_pkcs_8ShroudedKeyBag,
DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)))
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
{
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
where = "bag.shroudedkeybag";
if ((err = parse_shrouded_key_bag (&ctx, tlv)))
goto bailout;
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
}
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
else
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
{
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_skip (tlv);
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
log_info ("unknown outer bag type - skipped\n");
Fixed importing certs created by newer versions of Mozilla.
2005-12-16 16:52:48 +01:00
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_dump_state ("bags", "endloop", tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
if (!err)
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_set_pending (tlv);
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
else if (err && gpg_err_code (err) != GPG_ERR_EOF)
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
goto bailout;
err = 0;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_release (tlv);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (r_curve)
*r_curve = ctx.curve;
else
gcry_free (ctx.curve);
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
/* We have no way yet to return the second private key. */
if (ctx.privatekey2)
{
for (i=0; ctx.privatekey2[i]; i++)
gcry_mpi_release (ctx.privatekey2[i]);
gcry_free (ctx.privatekey2);
ctx.privatekey2 = NULL;
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
return ctx.privatekey;
sm: Support import of PKCS#12 encoded ECC private keys. * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 20:59:52 +02:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
bailout:
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
*r_badpass = ctx.badpass;
sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
2023-10-24 09:22:13 +02:00
log_error ("%s(%s): @%04zu lvl=%u %s: %s - %s\n",
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
__func__, where,
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_offset (tlv),
tlv_parser_level (tlv),
tlv_parser_lastfunc (tlv),
tlv_parser_lasterrstr (tlv),
sm: Major rewrite of the PKCS#12 parser * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: Major rewrite to run regression tests unattended. * sm/Makefile.am (module_maint_tests): Move t-Minit to ... (module_tests): here. * tests/cms/samplekeys/Description-p12: New. -- Note that cram_octet_string stuff has not yet been reworked. I need to locate the sample files first. GnuPG-bug-id: 6536
2023-06-28 17:33:24 +02:00
gpg_strerror (err));
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
if (ctx.privatekey)
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
{
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
for (i=0; ctx.privatekey[i]; i++)
gcry_mpi_release (ctx.privatekey[i]);
gcry_free (ctx.privatekey);
ctx.privatekey = NULL;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
}
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
if (ctx.privatekey2)
{
for (i=0; ctx.privatekey2[i]; i++)
gcry_mpi_release (ctx.privatekey2[i]);
gcry_free (ctx.privatekey2);
ctx.privatekey2 = NULL;
}
common: Provide API to parse BER/TLV encodings. * sm/minip12.c: Factor parsing code out to ... * common/tlv-parser.c: new. Extend function names and provide a few extra functions. * common/Makefile.am (common_sources): Add new file. * sm/minip12.c: Adjust to use the new parser API.
2023-10-24 13:25:10 +02:00
tlv_parser_release (tlv);
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
gcry_free (ctx.curve);
if (r_curve)
*r_curve = NULL;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
return NULL;
}
gpgsm: Allow parsing of PKCS#12 files with two private keys. * sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2. (parse_shrouded_key_bag): Handle a second private key. (p12_parse_free_kparms): New. * sm/import.c (parse_p12): Factor some code out to ... (p12_to_skey): this. (parse_p12): Use p12_parse_free_kparms. -- Take care: We allow parsing of a second private key but we are not yet able to import the second private key. The whole things is required to at least import the certificates of current pkcs#12 files as created by the German Elster tax system. No test data, sorry.
2024-01-15 09:55:55 +01:00
/* Free the parameters as returned by p12_parse. */
void
p12_parse_free_kparms (gcry_mpi_t *kparms)
{
int i;
if (kparms)
{
for (i=0; i < 8; i++)
gcry_mpi_release (kparms[i]);
gcry_free (kparms);
}
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static size_t
compute_tag_length (size_t n)
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
{
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
int needed = 0;
if (n < 128)
needed += 2; /* tag and one length byte */
else if (n < 256)
needed += 3; /* tag, number of length bytes, 1 length byte */
else if (n < 65536)
needed += 4; /* tag, number of length bytes, 2 length bytes */
else
{
log_error ("object too larger to encode\n");
return 0;
}
return needed;
}
static unsigned char *
store_tag_length (unsigned char *p, int tag, size_t n)
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
{
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
if (tag == TAG_SEQUENCE)
tag |= 0x20; /* constructed */
*p++ = tag;
if (n < 128)
*p++ = n;
else if (n < 256)
{
*p++ = 0x81;
*p++ = n;
}
else if (n < 65536)
{
*p++ = 0x82;
*p++ = n >> 8;
*p++ = n;
}
return p;
}
/* Create the final PKCS-12 object from the sequences contained in
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
SEQLIST. PW is the password. That array is terminated with an NULL
object. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
static unsigned char *
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
create_final (struct buffer_s *sequences, const char *pw, size_t *r_length)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
int i;
size_t needed = 0;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
size_t len[8], n;
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
unsigned char *macstart;
size_t maclen;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
unsigned char *result, *p;
size_t resultlen;
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
char salt[8];
unsigned char keybuf[20];
gcry_md_hd_t md;
int rc;
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
int with_mac = 1;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
/* 9 steps to create the pkcs#12 Krampf. */
/* 8. The MAC. */
/* We add this at step 0. */
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 7. All the buffers. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
for (i=0; sequences[i].buffer; i++)
needed += sequences[i].length;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 6. This goes into a sequences. */
len[6] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
n = compute_tag_length (needed);
needed += n;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 5. Encapsulate all in an octet string. */
len[5] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
n = compute_tag_length (needed);
needed += n;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 4. And tag it with [0]. */
len[4] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
n = compute_tag_length (needed);
needed += n;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 3. Prepend an data OID. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += 2 + DIM (oid_data);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 2. Put all into a sequences. */
len[2] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
n = compute_tag_length (needed);
needed += n;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 1. Prepend the version integer 3. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += 3;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 0. And the final outer sequence. */
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
if (with_mac)
needed += DIM (data_mactemplate);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
len[0] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
n = compute_tag_length (needed);
needed += n;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Allocate a buffer. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
result = gcry_malloc (needed);
if (!result)
{
log_error ("error allocating buffer\n");
return NULL;
}
p = result;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 0. Store the very outer sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[0]);
/* 1. Store the version integer 3. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
*p++ = TAG_INTEGER;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
*p++ = 1;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*p++ = 3;
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 2. Store another sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[2]);
/* 3. Store the data OID. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_data));
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
memcpy (p, oid_data, DIM (oid_data));
p += DIM (oid_data);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 4. Next comes a context tag. */
p = store_tag_length (p, 0xa0, len[4]);
/* 5. And an octet string. */
p = store_tag_length (p, TAG_OCTET_STRING, len[5]);
/* 6. And the inner sequence. */
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
macstart = p;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
p = store_tag_length (p, TAG_SEQUENCE, len[6]);
/* 7. Append all the buffers. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
for (i=0; sequences[i].buffer; i++)
{
memcpy (p, sequences[i].buffer, sequences[i].length);
p += sequences[i].length;
}
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
if (with_mac)
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
{
Support import from TrustedMIME (i.e. from simple keyBags)
2006-07-21 11:41:11 +02:00
/* Intermezzo to compute the MAC. */
maclen = p - macstart;
gcry_randomize (salt, 8, GCRY_STRONG_RANDOM);
if (string_to_key (3, salt, 8, 2048, pw, 20, keybuf))
{
gcry_free (result);
return NULL;
}
rc = gcry_md_open (&md, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
if (rc)
{
log_error ("gcry_md_open failed: %s\n", gpg_strerror (rc));
gcry_free (result);
return NULL;
}
rc = gcry_md_setkey (md, keybuf, 20);
if (rc)
{
log_error ("gcry_md_setkey failed: %s\n", gpg_strerror (rc));
gcry_md_close (md);
gcry_free (result);
return NULL;
}
gcry_md_write (md, macstart, maclen);
/* 8. Append the MAC template and fix it up. */
memcpy (p, data_mactemplate, DIM (data_mactemplate));
memcpy (p + DATA_MACTEMPLATE_SALT_OFF, salt, 8);
memcpy (p + DATA_MACTEMPLATE_MAC_OFF, gcry_md_read (md, 0), 20);
p += DIM (data_mactemplate);
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
gcry_md_close (md);
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
/* Ready. */
resultlen = p - result;
if (needed != resultlen)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_debug ("p12_parse: warning: length mismatch: %lu, %lu\n",
(data_sign): Removed empty statement.
2005-06-29 16:12:18 +02:00
(unsigned long)needed, (unsigned long)resultlen);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
*r_length = resultlen;
return result;
}
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Build a DER encoded SEQUENCE with the key:
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
*
* SEQUENCE { -- OneAsymmetricKey (RFC-5958)
* INTEGER 0
* SEQUENCE {
* OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
* NULL
* }
* OCTET STRING, encapsulates {
* SEQUENCE { -- RSAPrivateKey (RFC-3447)
* INTEGER 0 -- Version
* INTEGER -- n
* INTEGER -- e
* INTEGER -- d
* INTEGER -- p
* INTEGER -- q
* INTEGER -- d mod (p-1)
* INTEGER -- d mod (q-1)
* INTEGER -- q^-1 mod p
* }
* }
* }
*
* MODE controls what is being generated:
* 0 - As described above
* 1 - Ditto but without the padding
* 2 - Only the inner part (pkcs#1)
*/
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
static unsigned char *
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
build_rsa_key_sequence (gcry_mpi_t *kparms, int mode, size_t *r_length)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
int rc, i;
size_t needed, n;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
unsigned char *plain, *p;
size_t plainlen;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
size_t outseqlen, oidseqlen, octstrlen, inseqlen;
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
needed = 3; /* The version integer with value 0. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
for (i=0; kparms[i]; i++)
{
n = 0;
rc = gcry_mpi_print (GCRYMPI_FMT_STD, NULL, 0, &n, kparms[i]);
if (rc)
{
log_error ("error formatting parameter: %s\n", gpg_strerror (rc));
return NULL;
}
needed += n;
n = compute_tag_length (n);
if (!n)
return NULL;
needed += n;
}
if (i != 8)
{
Add dummu option --passwd for gpg. Collected changes.
2010-01-08 20:18:49 +01:00
log_error ("invalid parameters for p12_build\n");
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
return NULL;
}
/* Now this all goes into a sequence. */
inseqlen = needed;
n = compute_tag_length (needed);
if (!n)
return NULL;
needed += n;
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
if (mode != 2)
{
/* Encapsulate all into an octet string. */
octstrlen = needed;
n = compute_tag_length (needed);
if (!n)
return NULL;
needed += n;
/* Prepend the object identifier sequence. */
oidseqlen = 2 + DIM (oid_rsaEncryption) + 2;
needed += 2 + oidseqlen;
/* The version number. */
needed += 3;
/* And finally put the whole thing into a sequence. */
outseqlen = needed;
n = compute_tag_length (needed);
if (!n)
return NULL;
needed += n;
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
/* allocate 8 extra bytes for padding */
plain = gcry_malloc_secure (needed+8);
if (!plain)
{
log_error ("error allocating encryption buffer\n");
return NULL;
}
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
/* And now fill the plaintext buffer. */
p = plain;
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
if (mode != 2)
{
p = store_tag_length (p, TAG_SEQUENCE, outseqlen);
/* Store version. */
*p++ = TAG_INTEGER;
*p++ = 1;
*p++ = 0;
/* Store object identifier sequence. */
p = store_tag_length (p, TAG_SEQUENCE, oidseqlen);
p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_rsaEncryption));
memcpy (p, oid_rsaEncryption, DIM (oid_rsaEncryption));
p += DIM (oid_rsaEncryption);
*p++ = TAG_NULL;
*p++ = 0;
/* Start with the octet string. */
p = store_tag_length (p, TAG_OCTET_STRING, octstrlen);
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
p = store_tag_length (p, TAG_SEQUENCE, inseqlen);
/* Store the key parameters. */
*p++ = TAG_INTEGER;
*p++ = 1;
*p++ = 0;
for (i=0; kparms[i]; i++)
{
n = 0;
rc = gcry_mpi_print (GCRYMPI_FMT_STD, NULL, 0, &n, kparms[i]);
if (rc)
{
log_error ("oops: error formatting parameter: %s\n",
gpg_strerror (rc));
gcry_free (plain);
return NULL;
}
p = store_tag_length (p, TAG_INTEGER, n);
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
n = plain + needed - p;
rc = gcry_mpi_print (GCRYMPI_FMT_STD, p, n, &n, kparms[i]);
if (rc)
{
log_error ("oops: error storing parameter: %s\n",
gpg_strerror (rc));
gcry_free (plain);
return NULL;
}
p += n;
}
plainlen = p - plain;
gpgsm: Replace all assert calls by log_assert. -- Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-08 14:40:34 +02:00
log_assert (needed == plainlen);
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
if (!mode)
{
/* Append some pad characters; we already allocated extra space. */
n = 8 - plainlen % 8;
for (i=0; i < n; i++, plainlen++)
*p++ = n;
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*r_length = plainlen;
return plain;
}
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
/* Build a DER encoded SEQUENCE for an ECC key:
*
* SEQUENCE { -- OneAsymmetricKey (RFC-5958)
* INTEGER 0
* SEQUENCE {
* OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
* OBJECT IDENTIFIER -- curvename
* }
* OCTET STRING, encapsulates {
* SEQUENCE { -- ECPrivateKey
* INTEGER 1 -- version
* OCTET STRING -- privateKey
* [1] {
* BIT STRING - publicKey
* }
* }
* }
* }
*
* For details see RFC-5480 and RFC-5915 (ECparameters are not created).
*
* KPARMS[0] := Opaque MPI with the curve name as dotted-decimal string.
doc: Typo fix in comment --
2022-04-08 16:07:22 +02:00
* KPARMS[1] := Opaque MPI with the public key (q)
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
* KPARMS[2] := Opaque MPI with the private key (d)
* MODE controls what is being generated:
* 0 - As described above
* 1 - Ditto but without the extra padding needed for pcsk#12
* 2 - Only the octet string (ECPrivateKey)
*/
static unsigned char *
build_ecc_key_sequence (gcry_mpi_t *kparms, int mode, size_t *r_length)
{
gpg_error_t err;
unsigned int nbits, n;
const unsigned char *s;
char *p;
tlv_builder_t tb;
void *result;
size_t resultlen;
const char *curve;
unsigned int curvebits;
int e;
int i;
int strip_one;
for (i=0; kparms[i]; i++)
;
if (i != 3)
{
log_error ("%s: invalid number of parameters\n", __func__);
return NULL;
}
s = gcry_mpi_get_opaque (kparms[0], &nbits);
n = (nbits+7)/8;
p = xtrymalloc (n + 1);
if (!p)
{
err = gpg_error_from_syserror ();
log_error ("%s:%d: error getting parameter: %s\n",
__func__, __LINE__, gpg_strerror (err));
return NULL;
}
memcpy (p, s, n);
p[n] = 0;
/* We need to use our OpenPGP mapping to turn a curve name into its
* canonical numerical OID. We should have a Libgcrypt function to
* do this; see bug report #4926. */
curve = openpgp_curve_to_oid (p, &curvebits, NULL);
xfree (p);
if (!curve)
{
err = gpg_error (GPG_ERR_UNKNOWN_CURVE);
log_error ("%s:%d: error getting parameter: %s\n",
__func__, __LINE__, gpg_strerror (err));
return NULL;
}
/* Unfortunately the private key D may come with a single leading
* zero byte. This is becuase at some point it was treated as
* signed MPI and the code made sure that it is always interpreted
* as unsigned. Fortunately we got the size of the curve and can
* detect such a case reliable. */
s = gcry_mpi_get_opaque (kparms[2], &nbits);
n = (nbits+7)/8;
strip_one = (n == (curvebits+7)/8 + 1 && !*s);
tb = tlv_builder_new (1);
if (!tb)
{
err = gpg_error_from_syserror ();
log_error ("%s:%d: error creating new TLV builder: %s\n",
__func__, __LINE__, gpg_strerror (err));
return NULL;
}
e = 0;
tlv_builder_add_tag (tb, 0, TAG_SEQUENCE);
tlv_builder_add_ptr (tb, 0, TAG_INTEGER, "\0", 1);
tlv_builder_add_tag (tb, 0, TAG_SEQUENCE);
e|= builder_add_oid (tb, 0, "1.2.840.10045.2.1");
e|= builder_add_oid (tb, 0, curve);
tlv_builder_add_end (tb);
tlv_builder_add_tag (tb, 0, TAG_OCTET_STRING);
tlv_builder_add_tag (tb, 0, TAG_SEQUENCE);
tlv_builder_add_ptr (tb, 0, TAG_INTEGER, "\x01", 1);
e|= builder_add_mpi (tb, 0, TAG_OCTET_STRING, kparms[2], strip_one);
tlv_builder_add_tag (tb, CLASS_CONTEXT, 1);
e|= builder_add_mpi (tb, 0, TAG_BIT_STRING, kparms[1], 0);
tlv_builder_add_end (tb);
tlv_builder_add_end (tb);
tlv_builder_add_end (tb);
tlv_builder_add_end (tb);
err = tlv_builder_finalize (tb, &result, &resultlen);
if (err || e)
{
if (!err)
err = gpg_error (GPG_ERR_GENERAL);
log_error ("%s:%d: tlv building failed: %s\n",
__func__, __LINE__, gpg_strerror (err));
return NULL;
}
/* Append some pad characters if needed. */
if (!mode && (n = 8 - resultlen % 8))
{
p = xtrymalloc_secure (resultlen + n);
if (!p)
{
err = gpg_error_from_syserror ();
log_error ("%s:%d: error allocating buffer: %s\n",
__func__, __LINE__, gpg_strerror (err));
xfree (result);
return NULL;
}
memcpy (p, result, resultlen);
xfree (result);
result = p;
p = (unsigned char*)result + resultlen;
for (i=0; i < n; i++, resultlen++)
*p++ = n;
}
*r_length = resultlen;
return result;
}
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
static unsigned char *
build_key_bag (unsigned char *buffer, size_t buflen, char *salt,
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
const unsigned char *sha1hash, const char *keyidstr,
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
size_t *r_length)
{
size_t len[11], needed;
unsigned char *p, *keybag;
size_t keybaglen;
/* Walk 11 steps down to collect the info: */
/* 10. The data goes into an octet string. */
needed = compute_tag_length (buflen);
needed += buflen;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 9. Prepend the algorithm identifier. */
needed += DIM (data_3desiter2048);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 8. Put a sequence around. */
len[8] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length (needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 7. Prepend a [0] tag. */
len[7] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length (needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* 6b. The attributes which are appended at the end. */
if (sha1hash)
needed += DIM (data_attrtemplate) + 20;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 6. Prepend the shroudedKeyBag OID. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += 2 + DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 5+4. Put all into two sequences. */
len[5] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length ( needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
len[4] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length (needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 3. This all goes into an octet string. */
len[3] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length (needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 2. Prepend another [0] tag. */
len[2] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length (needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 1. Prepend the data OID. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += 2 + DIM (oid_data);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 0. Prepend another sequence. */
len[0] = needed;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
needed += compute_tag_length (needed);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Now that we have all length information, allocate a buffer. */
p = keybag = gcry_malloc (needed);
if (!keybag)
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
{
log_error ("error allocating buffer\n");
return NULL;
}
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Walk 11 steps up to store the data. */
/* 0. Store the first sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[0]);
/* 1. Store the data OID. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_data));
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
memcpy (p, oid_data, DIM (oid_data));
p += DIM (oid_data);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 2. Store a [0] tag. */
p = store_tag_length (p, 0xa0, len[2]);
/* 3. And an octet string. */
p = store_tag_length (p, TAG_OCTET_STRING, len[3]);
/* 4+5. Two sequences. */
p = store_tag_length (p, TAG_SEQUENCE, len[4]);
p = store_tag_length (p, TAG_SEQUENCE, len[5]);
/* 6. Store the shroudedKeyBag OID. */
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
p = store_tag_length (p, TAG_OBJECT_ID,
DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag));
memcpy (p, oid_pkcs_12_pkcs_8ShroudedKeyBag,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag));
p += DIM (oid_pkcs_12_pkcs_8ShroudedKeyBag);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 7. Store a [0] tag. */
p = store_tag_length (p, 0xa0, len[7]);
/* 8. Store a sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[8]);
/* 9. Now for the pre-encoded algorithm identifier and the salt. */
memcpy (p, data_3desiter2048, DIM (data_3desiter2048));
memcpy (p + DATA_3DESITER2048_SALT_OFF, salt, 8);
p += DIM (data_3desiter2048);
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* 10. And the octet string with the encrypted data. */
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
p = store_tag_length (p, TAG_OCTET_STRING, buflen);
memcpy (p, buffer, buflen);
p += buflen;
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* Append the attributes whose length we calculated at step 2b. */
if (sha1hash)
{
int i;
memcpy (p, data_attrtemplate, DIM (data_attrtemplate));
for (i=0; i < 8; i++)
p[DATA_ATTRTEMPLATE_KEYID_OFF+2*i+1] = keyidstr[i];
p += DIM (data_attrtemplate);
memcpy (p, sha1hash, 20);
p += 20;
}
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
keybaglen = p - keybag;
if (needed != keybaglen)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_debug ("p12_parse: warning: length mismatch: %lu, %lu\n",
(data_sign): Removed empty statement.
2005-06-29 16:12:18 +02:00
(unsigned long)needed, (unsigned long)keybaglen);
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*r_length = keybaglen;
return keybag;
}
static unsigned char *
build_cert_bag (unsigned char *buffer, size_t buflen, char *salt,
size_t *r_length)
{
size_t len[9], needed;
unsigned char *p, *certbag;
size_t certbaglen;
/* Walk 9 steps down to collect the info: */
/* 8. The data goes into an octet string. */
needed = compute_tag_length (buflen);
needed += buflen;
/* 7. The algorithm identifier. */
needed += DIM (data_rc2iter2048);
/* 6. The data OID. */
needed += 2 + DIM (oid_data);
/* 5. A sequence. */
len[5] = needed;
needed += compute_tag_length ( needed);
/* 4. An integer. */
needed += 3;
/* 3. A sequence. */
len[3] = needed;
needed += compute_tag_length (needed);
/* 2. A [0] tag. */
len[2] = needed;
needed += compute_tag_length (needed);
/* 1. The encryptedData OID. */
needed += 2 + DIM (oid_encryptedData);
/* 0. The first sequence. */
len[0] = needed;
needed += compute_tag_length (needed);
/* Now that we have all length information, allocate a buffer. */
p = certbag = gcry_malloc (needed);
if (!certbag)
{
log_error ("error allocating buffer\n");
return NULL;
}
/* Walk 9 steps up to store the data. */
/* 0. Store the first sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[0]);
/* 1. Store the encryptedData OID. */
p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_encryptedData));
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
memcpy (p, oid_encryptedData, DIM (oid_encryptedData));
p += DIM (oid_encryptedData);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 2. Store a [0] tag. */
Fixed yesterdays change. Importing to Outlook seems to work now.
2005-09-09 15:48:48 +02:00
p = store_tag_length (p, 0xa0, len[2]);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 3. Store a sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[3]);
/* 4. Store the integer 0. */
*p++ = TAG_INTEGER;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
*p++ = 1;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*p++ = 0;
/* 5. Store a sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[5]);
/* 6. Store the data OID. */
p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_data));
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
memcpy (p, oid_data, DIM (oid_data));
p += DIM (oid_data);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 7. Now for the pre-encoded algorithm identifier and the salt. */
memcpy (p, data_rc2iter2048, DIM (data_rc2iter2048));
memcpy (p + DATA_RC2ITER2048_SALT_OFF, salt, 8);
p += DIM (data_rc2iter2048);
/* 8. And finally the [0] tag with the encrypted data. */
Fixed yesterdays change. Importing to Outlook seems to work now.
2005-09-09 15:48:48 +02:00
p = store_tag_length (p, 0x80, buflen);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
memcpy (p, buffer, buflen);
p += buflen;
certbaglen = p - certbag;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
if (needed != certbaglen)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_debug ("p12_parse: warning: length mismatch: %lu, %lu\n",
(data_sign): Removed empty statement.
2005-06-29 16:12:18 +02:00
(unsigned long)needed, (unsigned long)certbaglen);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*r_length = certbaglen;
return certbag;
}
static unsigned char *
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
build_cert_sequence (const unsigned char *buffer, size_t buflen,
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
const unsigned char *sha1hash, const char *keyidstr,
size_t *r_length)
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
{
size_t len[8], needed, n;
unsigned char *p, *certseq;
size_t certseqlen;
Fixed padding in pkcs#12
2005-09-16 14:49:53 +02:00
int i;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
gpgsm: Replace all assert calls by log_assert. -- Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-08 14:40:34 +02:00
log_assert (strlen (keyidstr) == 8);
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Walk 8 steps down to collect the info: */
/* 7. The data goes into an octet string. */
needed = compute_tag_length (buflen);
needed += buflen;
/* 6. A [0] tag. */
len[6] = needed;
needed += compute_tag_length (needed);
/* 5. An OID. */
needed += 2 + DIM (oid_x509Certificate_for_pkcs_12);
/* 4. A sequence. */
len[4] = needed;
needed += compute_tag_length (needed);
/* 3. A [0] tag. */
len[3] = needed;
needed += compute_tag_length (needed);
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* 2b. The attributes which are appended at the end. */
if (sha1hash)
needed += DIM (data_attrtemplate) + 20;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 2. An OID. */
needed += 2 + DIM (oid_pkcs_12_CertBag);
/* 1. A sequence. */
len[1] = needed;
needed += compute_tag_length (needed);
/* 0. The first sequence. */
len[0] = needed;
needed += compute_tag_length (needed);
/* Now that we have all length information, allocate a buffer. */
p = certseq = gcry_malloc (needed + 8 /*(for padding)*/);
if (!certseq)
{
log_error ("error allocating buffer\n");
return NULL;
}
/* Walk 8 steps up to store the data. */
/* 0. Store the first sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[0]);
/* 1. Store the second sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[1]);
/* 2. Store the pkcs12-cert-bag OID. */
p = store_tag_length (p, TAG_OBJECT_ID, DIM (oid_pkcs_12_CertBag));
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
memcpy (p, oid_pkcs_12_CertBag, DIM (oid_pkcs_12_CertBag));
p += DIM (oid_pkcs_12_CertBag);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 3. Store a [0] tag. */
p = store_tag_length (p, 0xa0, len[3]);
/* 4. Store a sequence. */
p = store_tag_length (p, TAG_SEQUENCE, len[4]);
/* 5. Store the x509Certificate OID. */
p = store_tag_length (p, TAG_OBJECT_ID,
DIM (oid_x509Certificate_for_pkcs_12));
memcpy (p, oid_x509Certificate_for_pkcs_12,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
DIM (oid_x509Certificate_for_pkcs_12));
p += DIM (oid_x509Certificate_for_pkcs_12);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* 6. Store a [0] tag. */
p = store_tag_length (p, 0xa0, len[6]);
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* 7. And the octet string with the actual certificate. */
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
p = store_tag_length (p, TAG_OCTET_STRING, buflen);
memcpy (p, buffer, buflen);
p += buflen;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* Append the attributes whose length we calculated at step 2b. */
if (sha1hash)
{
memcpy (p, data_attrtemplate, DIM (data_attrtemplate));
for (i=0; i < 8; i++)
p[DATA_ATTRTEMPLATE_KEYID_OFF+2*i+1] = keyidstr[i];
p += DIM (data_attrtemplate);
memcpy (p, sha1hash, 20);
p += 20;
}
certseqlen = p - certseq;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
if (needed != certseqlen)
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
log_debug ("p12_parse: warning: length mismatch: %lu, %lu\n",
(data_sign): Removed empty statement.
2005-06-29 16:12:18 +02:00
(unsigned long)needed, (unsigned long)certseqlen);
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Append some pad characters; we already allocated extra space. */
n = 8 - certseqlen % 8;
Fixed padding in pkcs#12
2005-09-16 14:49:53 +02:00
for (i=0; i < n; i++, certseqlen++)
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*p++ = n;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*r_length = certseqlen;
return certseq;
}
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
/* Expect the RSA key parameters in KPARMS and a password in PW.
Create a PKCS structure from it and return it as well as the length
in R_LENGTH; return NULL in case of an error. If CHARSET is not
NULL, re-encode PW to that character set. */
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
unsigned char *
Implement export of pkcs#12 objects using a direct agent connection.
2010-06-21 12:01:24 +02:00
p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
const char *pw, const char *charset, size_t *r_length)
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
{
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
unsigned char *buffer = NULL;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
size_t n, buflen;
char salt[8];
Bug fixes and ssh support for the BELPIC.
2005-09-09 13:18:08 +02:00
struct buffer_s seqlist[3];
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
int seqlistidx = 0;
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
unsigned char sha1hash[20];
char keyidstr[8+1];
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
char *pwbuf = NULL;
size_t pwbufsize = 0;
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
gcc-4 defaults forced me to edit many many files to get rid of the char * vs. unsigned char * warnings. The GNU coding standards used to say that these mismatches are okay and better than a bunch of casts. Obviously this has changed now.
2005-06-16 10:12:03 +02:00
n = buflen = 0; /* (avoid compiler warning). */
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
memset (sha1hash, 0, 20);
*keyidstr = 0;
gcc-4 defaults forced me to edit many many files to get rid of the char * vs. unsigned char * warnings. The GNU coding standards used to say that these mismatches are okay and better than a bunch of casts. Obviously this has changed now.
2005-06-16 10:12:03 +02:00
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
if (charset && pw && *pw)
{
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
jnlib_iconv_t cd;
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
const char *inptr;
char *outptr;
size_t inbytes, outbytes;
/* We assume that the converted passphrase is at max 2 times
longer than its utf-8 encoding. */
pwbufsize = strlen (pw)*2 + 1;
pwbuf = gcry_malloc_secure (pwbufsize);
if (!pwbuf)
{
log_error ("out of secure memory while converting passphrase\n");
goto failure;
}
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
cd = jnlib_iconv_open (charset, "utf-8");
if (cd == (jnlib_iconv_t)(-1))
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
{
log_error ("can't convert passphrase to"
Change all quotes in strings and comments to the new GNU standard. The asymmetric quotes used by GNU in the past (`...') don't render nicely on modern systems. We now use two \x27 characters ('...'). The proper solution would be to use the correct Unicode symmetric quotes here. However this has the disadvantage that the system requires Unicode support. We don't want that today. If Unicode is available a generated po file can be used to output proper quotes. A simple sed script like the one used for en@quote is sufficient to change them. The changes have been done by applying sed -i "s/\`\([^'\`]*\)'/'\1'/g" to most files and fixing obvious problems by hand. The msgid strings in the po files were fixed with a similar command.
2012-06-05 19:29:22 +02:00
" requested charset '%s': %s\n",
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
charset, strerror (errno));
goto failure;
}
inptr = pw;
inbytes = strlen (pw);
outptr = pwbuf;
outbytes = pwbufsize - 1;
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
if ( jnlib_iconv (cd, (const char **)&inptr, &inbytes,
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
&outptr, &outbytes) == (size_t)-1)
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
{
log_error ("error converting passphrase to"
Change all quotes in strings and comments to the new GNU standard. The asymmetric quotes used by GNU in the past (`...') don't render nicely on modern systems. We now use two \x27 characters ('...'). The proper solution would be to use the correct Unicode symmetric quotes here. However this has the disadvantage that the system requires Unicode support. We don't want that today. If Unicode is available a generated po file can be used to output proper quotes. A simple sed script like the one used for en@quote is sufficient to change them. The changes have been done by applying sed -i "s/\`\([^'\`]*\)'/'\1'/g" to most files and fixing obvious problems by hand. The msgid strings in the po files were fixed with a similar command.
2012-06-05 19:29:22 +02:00
" requested charset '%s': %s\n",
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
charset, strerror (errno));
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
jnlib_iconv_close (cd);
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
goto failure;
}
*outptr = 0;
A whole bunch of changes to allow building for Windows. See the ChangeLogs for details.
2007-06-14 19:05:07 +02:00
jnlib_iconv_close (cd);
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
pw = pwbuf;
}
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
if (cert && certlen)
{
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
/* Calculate the hash value we need for the bag attributes. */
gcry_md_hash_buffer (GCRY_MD_SHA1, sha1hash, cert, certlen);
sprintf (keyidstr, "%02x%02x%02x%02x",
sha1hash[16], sha1hash[17], sha1hash[18], sha1hash[19]);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Encode the certificate. */
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
buffer = build_cert_sequence (cert, certlen, sha1hash, keyidstr,
&buflen);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
if (!buffer)
goto failure;
/* Encrypt it. */
gcry_randomize (salt, 8, GCRY_STRONG_RANDOM);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
crypt_block (buffer, buflen, salt, 8, 2048, NULL, 0, pw,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
GCRY_CIPHER_RFC2268_40, GCRY_MD_SHA1, 1);
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Encode the encrypted stuff into a bag. */
seqlist[seqlistidx].buffer = build_cert_bag (buffer, buflen, salt, &n);
seqlist[seqlistidx].length = n;
gcry_free (buffer);
buffer = NULL;
if (!seqlist[seqlistidx].buffer)
goto failure;
seqlistidx++;
}
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
if (kparms)
{
/* Encode the key. */
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
int i;
/* Right, that is a stupid way to distinguish ECC from RSA. */
for (i=0; kparms[i]; i++)
;
if (i == 3 && gcry_mpi_get_flag (kparms[0], GCRYMPI_FLAG_OPAQUE))
buffer = build_ecc_key_sequence (kparms, 0, &buflen);
else
buffer = build_rsa_key_sequence (kparms, 0, &buflen);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
if (!buffer)
goto failure;
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Encrypt it. */
gcry_randomize (salt, 8, GCRY_STRONG_RANDOM);
Support pkcs#12 import of PBES2 encoded data. This is so that we read compatible with gnutls's certtool. Only AES-128 is supported. The latest Libgcrypt from git is required. Fixes bug#1321.
2011-03-10 15:27:10 +01:00
crypt_block (buffer, buflen, salt, 8, 2048, NULL, 0,
sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
2023-10-06 10:57:12 +02:00
pw, GCRY_CIPHER_3DES, GCRY_MD_SHA1, 1);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
/* Encode the encrypted stuff into a bag. */
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
if (cert && certlen)
Nuked almost all trailing white space. We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
2011-02-04 12:57:53 +01:00
seqlist[seqlistidx].buffer = build_key_bag (buffer, buflen, salt,
Create bag attributes so that Mozilla will accept these files. Tested with using a CAcert generated certificate.
2006-07-24 13:20:33 +02:00
sha1hash, keyidstr, &n);
else
seqlist[seqlistidx].buffer = build_key_bag (buffer, buflen, salt,
NULL, NULL, &n);
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
seqlist[seqlistidx].length = n;
gcry_free (buffer);
buffer = NULL;
if (!seqlist[seqlistidx].buffer)
goto failure;
seqlistidx++;
}
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
seqlist[seqlistidx].buffer = NULL;
seqlist[seqlistidx].length = 0;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
Add MAC t P12 files.
2006-06-20 17:48:09 +02:00
buffer = create_final (seqlist, pw, &buflen);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
failure:
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
if (pwbuf)
{
sm: Simplify fix ed8383c6 * sm/minip12.c (p12_build): Release PWBUF only at the end. -- Suggested-by: Eygene Ryabinkin <rea@codelabs.ru> Signed-off-by: Werner Koch <wk@gnupg.org>
2015-01-26 17:56:52 +01:00
/* Note that wipememory is not really needed due to the use of
gcry_malloc_secure. */
Allow setting of the passphrase encoding of pkcs#12 files. New option --p12-charset.
2007-03-20 11:00:55 +01:00
wipememory (pwbuf, pwbufsize);
gcry_free (pwbuf);
}
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
for ( ; seqlistidx; seqlistidx--)
gcry_free (seqlist[seqlistidx].buffer);
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
* protect-tool.c: New options --have-cert and --prompt. (export_p12_file): Read a certificate from STDIN and pass it to p12_build. Detect a keygrip and construct the filename in that case. Unprotcet a key if needed. Print error messages for key formats we can't handle. (release_passphrase): New. (get_passphrase): New arg PROMPTNO. Return the allocated string. Changed all callers. * minip12.c: Revamped the build part. (p12_build): New args CERT and CERTLEN. * simple-pwquery.c (agent_open): Don't mangle INFOSTR. * export.c (export_p12, popen_protect_tool) (gpgsm_p12_export): New. * gpgsm.c (main): New command --export-secret-key-p12.
2004-02-19 17:26:32 +01:00
*r_length = buffer? buflen : 0;
return buffer;
This commit was manufactured by cvs2svn to create branch 'GNUPG-1-9-BRANCH'.
2003-08-05 19:11:04 +02:00
}
sm: Rework the PKCS#12 parser to support DFN issued keys. * sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of passing several parameters to most functions. (parse_pag_data): Factor things out to ... parse_shrouded_key_bag): new. (parse_cert_bag): New. (parse_bag_data): New. (p12_parse): Setup the parse context. -- To support newer pkcs#12 files like those issued by the DFN we need to support another ordering of data elements. This rework reflects the P12 data structure a bit better than our old ad-hoc hacks. Tests could only be done with the certificate parts and not the encrypted private keys. GnuPG-bug-id: 6037
2022-06-20 16:45:42 +02:00
/* This is actually not a PKCS#12 function but one which creates an
* unencrypted PKCS#1 private key. */
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
unsigned char *
p12_raw_build (gcry_mpi_t *kparms, int rawmode, size_t *r_length)
{
unsigned char *buffer;
size_t buflen;
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
int i;
log_assert (rawmode == 1 || rawmode == 2);
/* Right, that is a stupid way to distinguish ECC from RSA. */
for (i=0; kparms[i]; i++)
;
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
sm: Add support to export ECC private keys. * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
2020-04-27 16:53:30 +02:00
if (gcry_mpi_get_flag (kparms[0], GCRYMPI_FLAG_OPAQUE))
buffer = build_ecc_key_sequence (kparms, rawmode, &buflen);
else
buffer = build_rsa_key_sequence (kparms, rawmode, &buflen);
gpgsm: New commands --export-secret-key-{p8,raw} * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
2014-06-03 18:57:33 +02:00
if (!buffer)
return NULL;
*r_length = buflen;
return buffer;
}