From 7749a22974d30c47b8a82c56db84b6c54c044ac0 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 28 Jun 2013 17:28:20 +0200
Subject: [PATCH] Moved PKCS#12 cipher layer based PBE detection to use OID
database
---
include/polarssl/oid.h | 28 ++++++++++++++++++++++++++++
include/polarssl/pkcs12.h | 8 --------
library/oid.c | 28 ++++++++++++++++++++++++++++
library/x509parse.c | 20 ++++++--------------
4 files changed, 62 insertions(+), 22 deletions(-)
diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h
index b6b55c85f..27a3cceec 100644
--- a/include/polarssl/oid.h
+++ b/include/polarssl/oid.h
@@ -155,6 +155,7 @@
#define OID_PKCS1 OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
#define OID_PKCS5 OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
#define OID_PKCS9 OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+#define OID_PKCS12 OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
/*
* PKCS#1 OIDs
@@ -212,6 +213,18 @@
#define OID_PKCS5_PBE_SHA1_DES_CBC OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
#define OID_PKCS5_PBE_SHA1_RC2_CBC OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
+/*
+ * PKCS#12 PBE OIDs
+ */
+#define OID_PKCS12_PBE OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
+
+#define OID_PKCS12_PBE_SHA1_RC4_128 OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */
+#define OID_PKCS12_PBE_SHA1_RC4_40 OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */
+#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
+#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
+#define OID_PKCS12_PBE_SHA1_RC2_128_CBC OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
+#define OID_PKCS12_PBE_SHA1_RC2_40_CBC OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+
#ifdef __cplusplus
extern "C" {
#endif
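Review bot: The two 40-bit identifiers, `OID_PKCS12_PBE_SHA1_RC4_40` and `OID_PKCS12_PBE_SHA1_RC2_40_CBC`, are added next to the 3DES ones with nothing to mark them as export-grade schemes. A later maintainer extending the PBE lookup could map them to a cipher without noticing the key size. I would add a short comment above that pair, for example `/* 40-bit schemes: identifiers only, kept so legacy files can be recognised and rejected */`. Whether any code outside this hunk already consumes these two macros is not visible here, so confirm that before settling the wording.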
@@ -344,6 +357,21 @@ int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str );
*/
int oid_get_cipher_alg( const asn1_buf *oid, cipher_type_t *cipher_alg );
+#if defined(POLARSSL_PKCS12_C)
+/**
+ * \brief Translate PKCS#12 PBE algorithm OID into md_type and
+ * cipher_type
+ *
+ * \param oid OID to use
+ * \param md_alg place to store message digest algorithm
+ * \param cipher_alg place to store cipher algorithm
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_pkcs12_pbe_alg( const asn1_buf *oid, md_type_t *md_alg,
+ cipher_type_t *cipher_alg );
+#endif /* POLARSSL_PKCS12_C */
+
#ifdef __cplusplus
}
#endif
diff --git a/include/polarssl/pkcs12.h b/include/polarssl/pkcs12.h
index 9a4577173..51bea3da1 100644
--- a/include/polarssl/pkcs12.h
+++ b/include/polarssl/pkcs12.h
@@ -45,14 +45,6 @@
#define PKCS12_PBE_DECRYPT 0
#define PKCS12_PBE_ENCRYPT 1
-/*
- * PKCS#12 PBE types
- */
-#define OID_PKCS12 "\x2a\x86\x48\x86\xf7\x0d\x01\x0c"
-#define OID_PKCS12_PBE_SHA1_RC4_128 OID_PKCS12 "\x01\x01"
-#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC OID_PKCS12 "\x01\x03"
-#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC OID_PKCS12 "\x01\x04"
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/library/oid.c b/library/oid.c
index d8b436071..7c1790159 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -414,6 +414,34 @@ int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str )
return( POLARSSL_ERR_OID_NOT_FOUND );
}
+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+ oid_descriptor_t descriptor;
+ md_type_t md_alg;
+ cipher_type_t cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+ {
+ { OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
+ POLARSSL_MD_SHA1, POLARSSL_CIPHER_DES_EDE3_CBC,
+ },
+ {
+ { OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
+ POLARSSL_MD_SHA1, POLARSSL_CIPHER_DES_EDE_CBC,
+ },
+ {
+ { NULL, NULL, NULL },
+ 0, 0,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg);
+FN_OID_GET_ATTR2(oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, md_type_t, md_alg, cipher_type_t, cipher_alg);
+
#if defined _MSC_VER && !defined snprintf
#include
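Review bot: The new table and the two `FN_OID_*` expansions are compiled unconditionally, while the prototype this commit adds to oid.h is wrapped in `#if defined(POLARSSL_PKCS12_C)`. With that option disabled, `oid_get_pkcs12_pbe_alg` is still emitted as an external function with no declaration in scope, and the table still references the `POLARSSL_CIPHER_DES_EDE*_CBC` constants. Wrap everything from the `For PKCS#12 PBEs` comment through the `FN_OID_GET_ATTR2` line in `#if defined(POLARSSL_PKCS12_C)` and `#endif /* POLARSSL_PKCS12_C */` so the definition matches the header. The macro bodies are outside this hunk, so I am assuming they expand to non-static functions, as the header prototype implies.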
diff --git a/library/x509parse.c b/library/x509parse.c
index 13be0e665..0335db4b7 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -2193,6 +2193,10 @@ static int x509parse_key_pkcs8_encrypted_der(
unsigned char *p, *end, *end2;
x509_buf pbe_alg_oid, pbe_params;
unsigned char buf[2048];
+#if defined(POLARSSL_PKCS12_C)
+ cipher_type_t cipher_alg;
+ md_type_t md_alg;
+#endif
memset(buf, 0, 2048);
@@ -2256,22 +2260,10 @@ static int x509parse_key_pkcs8_encrypted_der(
* Decrypt EncryptedData with appropriate PDE
*/
#if defined(POLARSSL_PKCS12_C)
- if( OID_CMP( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, &pbe_alg_oid ) )
+ if( oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
{
if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
- POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1,
- pwd, pwdlen, p, len, buf ) ) != 0 )
- {
- if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
- return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-
- return( ret );
- }
- }
- else if( OID_CMP( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, &pbe_alg_oid ) )
- {
- if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
- POLARSSL_CIPHER_DES_EDE_CBC, POLARSSL_MD_SHA1,
+ cipher_alg, md_alg,
pwd, pwdlen, p, len, buf ) ) != 0 )
{
if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
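Review bot: Nothing at the new `oid_get_pkcs12_pbe_alg( ... ) == 0` branch says that the set of PBE schemes accepted for private-key decryption is now defined solely by `oid_pkcs12_pbe_alg[]` in oid.c. Any row added to that table later is accepted here without this function being touched, whereas the removed `OID_CMP` chain made each accepted scheme explicit at the call site. A comment above the `if` would make that coupling clear, for example `/* Accepted PKCS#12 PBE schemes are exactly the entries of oid_pkcs12_pbe_alg[]; review key strength there before adding rows */`. The body of `x509parse_key_pkcs8_encrypted_der` starts before and continues past this hunk, so the handling of an unmatched OID is not visible here.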