Moved PKCS#12 cipher layer based PBE detection to use OID database

2025-11-04 12:35:07 +00:00 · 2013-06-28 17:28:20 +02:00 · 2013-06-28 17:28:20 +02:00 · 7749a22974
parent dd1150e846
commit 7749a22974
4 changed files with 62 additions and 22 deletions
--- a/include/polarssl/oid.h
+++ b/include/polarssl/oid.h
@ -155,6 +155,7 @@
 #define OID_PKCS1               OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
 #define OID_PKCS5               OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
 #define OID_PKCS9               OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+#define OID_PKCS12              OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */

 /*
 * PKCS#1 OIDs
@ -212,6 +213,18 @@
 #define OID_PKCS5_PBE_SHA1_DES_CBC      OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
 #define OID_PKCS5_PBE_SHA1_RC2_CBC      OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */

+/*
+ * PKCS#12 PBE OIDs
+ */
+#define OID_PKCS12_PBE                      OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
+
+#define OID_PKCS12_PBE_SHA1_RC4_128         OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */
+#define OID_PKCS12_PBE_SHA1_RC4_40          OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */
+#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
+#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
+#define OID_PKCS12_PBE_SHA1_RC2_128_CBC     OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
+#define OID_PKCS12_PBE_SHA1_RC2_40_CBC      OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -344,6 +357,21 @@ int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str );
 */
 int oid_get_cipher_alg( const asn1_buf *oid, cipher_type_t *cipher_alg );

+#if defined(POLARSSL_PKCS12_C)
+/**
+ * \brief          Translate PKCS#12 PBE algorithm OID into md_type and
+ *                 cipher_type
+ *
+ * \param oid           OID to use
+ * \param md_alg        place to store message digest algorithm
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_pkcs12_pbe_alg( const asn1_buf *oid, md_type_t *md_alg,
+                            cipher_type_t *cipher_alg );
+#endif /* POLARSSL_PKCS12_C */
+
 #ifdef __cplusplus
 }
 #endif
--- a/include/polarssl/pkcs12.h
+++ b/include/polarssl/pkcs12.h
@ -45,14 +45,6 @@
 #define PKCS12_PBE_DECRYPT      0
 #define PKCS12_PBE_ENCRYPT      1

-/*
- * PKCS#12 PBE types
- */
-#define OID_PKCS12               "\x2a\x86\x48\x86\xf7\x0d\x01\x0c"
-#define OID_PKCS12_PBE_SHA1_RC4_128         OID_PKCS12 "\x01\x01"
-#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    OID_PKCS12 "\x01\x03"
-#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    OID_PKCS12 "\x01\x04"
-
 #ifdef __cplusplus
 extern "C" {
 #endif
--- a/library/oid.c
+++ b/library/oid.c
@ -414,6 +414,34 @@ int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str )
    return( POLARSSL_ERR_OID_NOT_FOUND );
 }

+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+    oid_descriptor_t    descriptor;
+    md_type_t           md_alg;
+    cipher_type_t       cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+    {
+        { OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
+        POLARSSL_MD_SHA1,      POLARSSL_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
+        POLARSSL_MD_SHA1,      POLARSSL_CIPHER_DES_EDE_CBC,
+    },
+    {
+        { NULL, NULL, NULL },
+        0, 0,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg);
+FN_OID_GET_ATTR2(oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, md_type_t, md_alg, cipher_type_t, cipher_alg);
+
 #if defined _MSC_VER && !defined snprintf
 #include <stdarg.h>

--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -2193,6 +2193,10 @@ static int x509parse_key_pkcs8_encrypted_der(
    unsigned char *p, *end, *end2;
    x509_buf pbe_alg_oid, pbe_params;
    unsigned char buf[2048];
+#if defined(POLARSSL_PKCS12_C)
+    cipher_type_t cipher_alg;
+    md_type_t md_alg;
+#endif

    memset(buf, 0, 2048);

@ -2256,22 +2260,10 @@ static int x509parse_key_pkcs8_encrypted_der(
     * Decrypt EncryptedData with appropriate PDE
     */
 #if defined(POLARSSL_PKCS12_C)
-    if( OID_CMP( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, &pbe_alg_oid ) )
+    if( oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
    {
        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
-                                POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1,
-                                pwd, pwdlen, p, len, buf ) ) != 0 )
-        {
-            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
-                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-
-            return( ret );
-        }
-    }
-    else if( OID_CMP( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, &pbe_alg_oid ) )
-    {
-        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
-                                POLARSSL_CIPHER_DES_EDE_CBC, POLARSSL_MD_SHA1,
+                                cipher_alg, md_alg,
                                pwd, pwdlen, p, len, buf ) ) != 0 )
        {
            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )