From 7749a22974d30c47b8a82c56db84b6c54c044ac0 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Fri, 28 Jun 2013 17:28:20 +0200 Subject: [PATCH] Moved PKCS#12 cipher layer based PBE detection to use OID database --- include/polarssl/oid.h | 28 ++++++++++++++++++++++++++++ include/polarssl/pkcs12.h | 8 -------- library/oid.c | 28 ++++++++++++++++++++++++++++ library/x509parse.c | 20 ++++++-------------- 4 files changed, 62 insertions(+), 22 deletions(-) diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h index b6b55c85f..27a3cceec 100644 --- a/include/polarssl/oid.h +++ b/include/polarssl/oid.h @@ -155,6 +155,7 @@ #define OID_PKCS1 OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */ #define OID_PKCS5 OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */ #define OID_PKCS9 OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */ +#define OID_PKCS12 OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */ /* * PKCS#1 OIDs 
@@ -212,6 +213,18 @@ #define OID_PKCS5_PBE_SHA1_DES_CBC OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */ #define OID_PKCS5_PBE_SHA1_RC2_CBC OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */ +/* + * PKCS#12 PBE OIDs + */ +#define OID_PKCS12_PBE OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */ + +#define OID_PKCS12_PBE_SHA1_RC4_128 OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */ +#define OID_PKCS12_PBE_SHA1_RC4_40 OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */ +#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */ +#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */ +#define OID_PKCS12_PBE_SHA1_RC2_128_CBC OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */ +#define OID_PKCS12_PBE_SHA1_RC2_40_CBC OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */ + #ifdef __cplusplus extern "C" { #endif @@ -344,6 +357,21 @@ int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str ); */ int oid_get_cipher_alg( const asn1_buf *oid, cipher_type_t *cipher_alg ); +#if defined(POLARSSL_PKCS12_C) +/** + * \brief Translate PKCS#12 PBE algorithm OID into md_type and + * cipher_type + * + * \param oid OID to use + * \param md_alg place to store message digest algorithm + * \param cipher_alg place to store cipher algorithm + * + * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND + */ +int oid_get_pkcs12_pbe_alg( const asn1_buf *oid, md_type_t *md_alg, + cipher_type_t *cipher_alg ); +#endif /* POLARSSL_PKCS12_C */ + #ifdef __cplusplus } #endif diff --git a/include/polarssl/pkcs12.h b/include/polarssl/pkcs12.h index 9a4577173..51bea3da1 100644 
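Review bot: The new "PKCS#12 PBE OIDs" block in oid.h lists RC4 and 40-bit RC2/RC4 identifiers next to the triple-DES ones, and nothing at the definitions says which of them the library will actually accept. In this commit only the two triple-DES OIDs are mapped in the oid.c table; whether RC4-128 is still handled by a separate branch in x509parse.c cannot be seen from the visible hunks. A short comment on the block would stop a later reader from taking the list as the supported set, for example `/* Not every OID below is accepted for decryption; the cipher-layer set is oid_pkcs12_pbe_alg[] in oid.c. */`. The 40-bit variants in particular should stay unmapped unless supporting legacy files is a deliberate decision.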
--- a/include/polarssl/pkcs12.h +++ b/include/polarssl/pkcs12.h @@ -45,14 +45,6 @@ #define PKCS12_PBE_DECRYPT 0 #define PKCS12_PBE_ENCRYPT 1 -/* - * PKCS#12 PBE types - */ -#define OID_PKCS12 "\x2a\x86\x48\x86\xf7\x0d\x01\x0c" -#define OID_PKCS12_PBE_SHA1_RC4_128 OID_PKCS12 "\x01\x01" -#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC OID_PKCS12 "\x01\x03" -#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC OID_PKCS12 "\x01\x04" - #ifdef __cplusplus extern "C" { #endif diff --git a/library/oid.c b/library/oid.c index d8b436071..7c1790159 100644 --- a/library/oid.c +++ b/library/oid.c @@ -414,6 +414,34 @@ int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str ) return( POLARSSL_ERR_OID_NOT_FOUND ); } +/* + * For PKCS#12 PBEs + */ +typedef struct { + oid_descriptor_t descriptor; + md_type_t md_alg; + cipher_type_t cipher_alg; +} oid_pkcs12_pbe_alg_t; + +static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] = +{ + { + { OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" }, + POLARSSL_MD_SHA1, POLARSSL_CIPHER_DES_EDE3_CBC, + }, + { + { OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" }, + POLARSSL_MD_SHA1, POLARSSL_CIPHER_DES_EDE_CBC, + }, + { + { NULL, NULL, NULL }, + 0, 0, + }, +}; + +FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg); +FN_OID_GET_ATTR2(oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, md_type_t, md_alg, cipher_type_t, cipher_alg); + #if defined _MSC_VER && !defined snprintf #include diff --git a/library/x509parse.c b/library/x509parse.c index 13be0e665..0335db4b7 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -2193,6 +2193,10 @@ static int x509parse_key_pkcs8_encrypted_der( unsigned char *p, *end, *end2; x509_buf pbe_alg_oid, pbe_params; unsigned char buf[2048]; +#if defined(POLARSSL_PKCS12_C) + cipher_type_t cipher_alg; + md_type_t md_alg; +#endif memset(buf, 0, 2048); 
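Review bot: In the oid.c hunk, `oid_pkcs12_pbe_alg[]` and the two `FN_OID_*` expansions are compiled unconditionally, while the prototype this commit adds to oid.h sits inside `#if defined(POLARSSL_PKCS12_C)`. With PKCS#12 disabled the accessor would presumably still be emitted with no visible declaration, and the table would still reference `POLARSSL_CIPHER_DES_EDE3_CBC` and `POLARSSL_CIPHER_DES_EDE_CBC`. Wrapping the block from the `typedef` down to the `FN_OID_GET_ATTR2` line in `#if defined(POLARSSL_PKCS12_C)` and `#endif /* POLARSSL_PKCS12_C */` would match the header. The `/* For PKCS#12 PBEs */` comment could also say that an entry in this table is what makes a scheme acceptable to the PKCS#8 key parser, so additions get reviewed as a policy change rather than a data change.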
@@ -2256,22 +2260,10 @@ static int x509parse_key_pkcs8_encrypted_der( * Decrypt EncryptedData with appropriate PDE */ #if defined(POLARSSL_PKCS12_C) - if( OID_CMP( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, &pbe_alg_oid ) ) + if( oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 ) { if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT, - POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, - pwd, pwdlen, p, len, buf ) ) != 0 ) - { - if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH ) - return( POLARSSL_ERR_X509_PASSWORD_MISMATCH ); - - return( ret ); - } - } - else if( OID_CMP( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, &pbe_alg_oid ) ) - { - if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT, - POLARSSL_CIPHER_DES_EDE_CBC, POLARSSL_MD_SHA1, + cipher_alg, md_alg, pwd, pwdlen, p, len, buf ) ) != 0 ) { if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
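Review bot: After this change the set of PBE schemes accepted for encrypted private keys is no longer visible at the `oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0` call site; any row later added to the oid.c table reaches `pkcs12_pbe()` without touching this function. A comment above the `if` would record that, e.g. `/* Accepts exactly the schemes listed in oid_pkcs12_pbe_alg[] (oid.c) */`. The lookup returns md then cipher while `pkcs12_pbe()` takes cipher then md. The order passed here matches the removed lines, but both are enums, so a swap would probably compile without a diagnostic and a brief note on the argument line is worthwhile. `md_alg` and `cipher_alg` are declared without initializers in the earlier hunk of this file; initializing them to `POLARSSL_MD_NONE` and `POLARSSL_CIPHER_NONE` would avoid relying on the accessor writing both on success. The body of `x509parse_key_pkcs8_encrypted_der` continues outside the hunk, so the fallback branches and the bound on `len` against `buf[2048]` could not be checked here.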