luna - wolfssl/wolfcrypt/src/pkcs12.c

   1/* pkcs12.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22/* PKCS#12 allows storage of key and certificates into containers */
  23
  24#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
  25
  26#if defined(HAVE_PKCS12) && \
  27    !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_HMAC) && \
  28    !defined(NO_CERTS)
  29
  30#include <wolfssl/wolfcrypt/asn.h>
  31#include <wolfssl/wolfcrypt/asn_public.h>
  32#include <wolfssl/wolfcrypt/hmac.h>
  33#ifdef NO_INLINE
  34    #include <wolfssl/wolfcrypt/misc.h>
  35#else
  36    #define WOLFSSL_MISC_INCLUDED
  37    #include <wolfcrypt/src/misc.c>
  38#endif
  39#include <wolfssl/wolfcrypt/pkcs12.h>
  40#include <wolfssl/wolfcrypt/pwdbased.h>
  41#include <wolfssl/wolfcrypt/hash.h>
  42
  43
  44#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
  45
  46enum {
  47    WC_PKCS12_DATA_OBJ_SZ = 11,
  48    WC_PKCS12_MAC_SALT_SZ = 8
  49};
  50
  51static const byte WC_PKCS12_ENCRYPTED_OID[] =
  52                         {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06};
  53static const byte WC_PKCS12_DATA_OID[] =
  54                         {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01};
  55static const byte WC_PKCS12_CertBag_Type1_OID[] =
  56                   {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x16, 0x01};
  57static const byte WC_PKCS12_CertBag_OID[] =
  58             {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0c, 0x0a, 0x01, 0x03};
  59static const byte WC_PKCS12_KeyBag_OID[] =
  60             {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0c, 0x0a, 0x01, 0x01};
  61static const byte WC_PKCS12_ShroudedKeyBag_OID[] =
  62             {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0c, 0x0a, 0x01, 0x02};
  63
  64
  65typedef struct ContentInfo {
  66    const byte* data;
  67    struct ContentInfo* next;
  68    word32 encC;  /* encryptedContent */
  69    word32 dataSz;
  70    int type; /* DATA / encrypted / enveloped */
  71} ContentInfo;
  72
  73
  74typedef struct AuthenticatedSafe {
  75    ContentInfo* CI;
  76    byte* data; /* T contents.... */
  77    word32 oid; /* encrypted or not */
  78    word32 numCI; /* number of Content Info structs */
  79    word32 dataSz;
  80} AuthenticatedSafe;
  81
  82
  83typedef struct MacData {
  84    byte* digest;
  85    byte* salt;
  86    word32 oid;
  87    word32 digestSz;
  88    word32 saltSz;
  89    int itt; /* number of iterations when creating HMAC key */
  90} MacData;
  91
  92
  93struct WC_PKCS12 {
  94    void* heap;
  95    AuthenticatedSafe* safe;
  96    MacData* signData;
  97    word32 oid; /* DATA / Enveloped DATA ... */
  98    byte   indefinite;
  99#ifdef ASN_BER_TO_DER
 100    byte*  safeDer; /* der encoded version of message */
 101    byte*  der; /* der encoded version of message */
 102    word32 safeDersz;
 103    word32 derSz;
 104#endif
 105};
 106
 107
 108/* for friendlyName, localKeyId .... */
 109typedef struct WC_PKCS12_ATTRIBUTE {
 110    byte* data;
 111    word32 oid;
 112    word32 dataSz;
 113} WC_PKCS12_ATTRIBUTE;
 114
 115
 116WC_PKCS12* wc_PKCS12_new(void)
 117{
 118    return wc_PKCS12_new_ex(NULL);
 119}
 120
 121
 122WC_PKCS12* wc_PKCS12_new_ex(void* heap)
 123{
 124    WC_PKCS12* pkcs12 = (WC_PKCS12*)XMALLOC(sizeof(WC_PKCS12),
 125                                                      heap, DYNAMIC_TYPE_PKCS);
 126    if (pkcs12 == NULL) {
 127        WOLFSSL_MSG("Memory issue when creating WC_PKCS12 struct");
 128        return NULL;
 129    }
 130
 131    XMEMSET(pkcs12, 0, sizeof(WC_PKCS12));
 132    pkcs12->heap = heap;
 133
 134    return pkcs12;
 135}
 136
 137
 138static void freeSafe(AuthenticatedSafe* safe, void* heap)
 139{
 140    int i;
 141
 142    if (safe == NULL) {
 143        return;
 144    }
 145
 146    /* free content info structs */
 147    for (i = (int)safe->numCI; i > 0; i--) {
 148        ContentInfo* ci = safe->CI;
 149        safe->CI = ci->next;
 150        XFREE(ci, heap, DYNAMIC_TYPE_PKCS);
 151    }
 152    XFREE(safe->data, heap, DYNAMIC_TYPE_PKCS);
 153    XFREE(safe, heap, DYNAMIC_TYPE_PKCS);
 154
 155    (void)heap;
 156}
 157
 158
 159void wc_PKCS12_free(WC_PKCS12* pkcs12)
 160{
 161    void* heap;
 162
 163    /* if null pointer is passed in do nothing */
 164    if (pkcs12 == NULL) {
 165        WOLFSSL_MSG("Trying to free null WC_PKCS12 object");
 166        return;
 167    }
 168
 169    heap = pkcs12->heap;
 170    if (pkcs12->safe != NULL) {
 171        freeSafe(pkcs12->safe, heap);
 172    }
 173
 174    /* free mac data */
 175    if (pkcs12->signData != NULL) {
 176        XFREE(pkcs12->signData->digest, heap, DYNAMIC_TYPE_DIGEST);
 177        XFREE(pkcs12->signData->salt, heap, DYNAMIC_TYPE_SALT);
 178        XFREE(pkcs12->signData, heap, DYNAMIC_TYPE_PKCS);
 179    }
 180
 181#ifdef ASN_BER_TO_DER
 182    XFREE(pkcs12->der, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 183    XFREE(pkcs12->safeDer, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 184#endif
 185
 186    XFREE(pkcs12, heap, DYNAMIC_TYPE_PKCS);
 187}
 188
 189
 190/* return 0 on success */
 191static int GetSafeContent(WC_PKCS12* pkcs12, const byte* input,
 192                          word32* idx, word32 maxIdx)
 193{
 194    AuthenticatedSafe* safe;
 195    word32 oid;
 196    word32 localIdx = *idx;
 197    int ret;
 198    int size = 0;
 199    byte tag;
 200
 201    safe = (AuthenticatedSafe*)XMALLOC(sizeof(AuthenticatedSafe), pkcs12->heap,
 202                                       DYNAMIC_TYPE_PKCS);
 203    if (safe == NULL) {
 204        return MEMORY_E;
 205    }
 206    XMEMSET(safe, 0, sizeof(AuthenticatedSafe));
 207
 208    ret = GetObjectId(input, &localIdx, &oid, oidIgnoreType, maxIdx);
 209    if (ret < 0) {
 210        WOLFSSL_LEAVE("Get object id failed", ret);
 211        freeSafe(safe, pkcs12->heap);
 212        return ASN_PARSE_E;
 213    }
 214
 215    safe->oid = oid;
 216    /* check tag, length */
 217    if (GetASNTag(input, &localIdx, &tag, maxIdx) < 0) {
 218        freeSafe(safe, pkcs12->heap);
 219        return ASN_PARSE_E;
 220    }
 221
 222    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
 223        WOLFSSL_MSG("Unexpected tag in PKCS12 DER");
 224        freeSafe(safe, pkcs12->heap);
 225        return ASN_PARSE_E;
 226    }
 227    if (GetLength(input, &localIdx, &size, maxIdx) <= 0) {
 228        freeSafe(safe, pkcs12->heap);
 229        return ASN_PARSE_E;
 230    }
 231
 232    switch (oid) {
 233        case WC_PKCS12_ENCRYPTED_DATA:
 234            WOLFSSL_MSG("Found PKCS12 OBJECT: ENCRYPTED DATA");
 235            break;
 236
 237        case WC_PKCS12_DATA:
 238            WOLFSSL_MSG("Found PKCS12 OBJECT: DATA");
 239            /* get octets holding contents */
 240            if (GetASNTag(input, &localIdx, &tag, maxIdx) < 0) {
 241                freeSafe(safe, pkcs12->heap);
 242                return ASN_PARSE_E;
 243            }
 244
 245            if (tag != ASN_OCTET_STRING) {
 246                WOLFSSL_MSG("Wrong tag with content PKCS12 type DATA");
 247                freeSafe(safe, pkcs12->heap);
 248                return ASN_PARSE_E;
 249            }
 250            if (GetLength(input, &localIdx, &size, maxIdx) <= 0) {
 251                freeSafe(safe, pkcs12->heap);
 252                return ASN_PARSE_E;
 253            }
 254
 255            break;
 256    }
 257
 258    safe->dataSz = (word32)size;
 259    safe->data = (byte*)XMALLOC((size_t)size, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 260    if (safe->data == NULL) {
 261        freeSafe(safe, pkcs12->heap);
 262        return MEMORY_E;
 263    }
 264    XMEMCPY(safe->data, input + localIdx, (size_t)size);
 265    *idx = localIdx;
 266
 267    localIdx = 0;
 268    input = safe->data;
 269    size = (int)safe->dataSz;
 270
 271#ifdef ASN_BER_TO_DER
 272     if (pkcs12->indefinite) {
 273        if (wc_BerToDer(input, safe->dataSz, NULL,
 274                        &pkcs12->safeDersz) != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
 275            WOLFSSL_MSG("Not BER sequence");
 276            freeSafe(safe, pkcs12->heap);
 277            return ASN_PARSE_E;
 278        }
 279
 280        pkcs12->safeDer = (byte*)XMALLOC(pkcs12->safeDersz, pkcs12->heap,
 281                DYNAMIC_TYPE_PKCS);
 282        if (pkcs12->safeDer == NULL) {
 283            freeSafe(safe, pkcs12->heap);
 284            return MEMORY_E;
 285        }
 286
 287        ret = wc_BerToDer(input, safe->dataSz, pkcs12->safeDer, &pkcs12->safeDersz);
 288        if (ret < 0) {
 289            freeSafe(safe, pkcs12->heap);
 290            return ret;
 291        }
 292
 293        input = pkcs12->safeDer;
 294     }
 295#endif /* ASN_BER_TO_DER */
 296
 297    /* an instance of AuthenticatedSafe is created from
 298     * ContentInfo's strung together in a SEQUENCE. Here we iterate
 299     * through the ContentInfo's and add them to our
 300     * AuthenticatedSafe struct */
 301    {
 302        int CISz;
 303        ret = GetSequence(input, &localIdx, &CISz, (word32)size);
 304        if (ret < 0) {
 305            freeSafe(safe, pkcs12->heap);
 306            return ASN_PARSE_E;
 307        }
 308        CISz += (int)localIdx;
 309        while (localIdx < (word32)CISz) {
 310            int curSz = 0;
 311            word32 curIdx;
 312            ContentInfo* ci = NULL;
 313
 314        #ifdef WOLFSSL_DEBUG_PKCS12
 315            printf("\t\tlooking for Content Info.... ");
 316        #endif
 317
 318            if ((ret = GetSequence(input, &localIdx, &curSz, (word32)size)) < 0) {
 319                freeSafe(safe, pkcs12->heap);
 320                return ret;
 321            }
 322
 323            if (curSz > CISz) {
 324                /* subset should not be larger than universe */
 325                freeSafe(safe, pkcs12->heap);
 326                return ASN_PARSE_E;
 327            }
 328
 329            curIdx = localIdx;
 330            if ((ret = GetObjectId(input, &localIdx, &oid, oidIgnoreType,
 331                                                curIdx + (word32)curSz)) < 0) {
 332                WOLFSSL_LEAVE("Get object id failed", ret);
 333                freeSafe(safe, pkcs12->heap);
 334                return ret;
 335            }
 336
 337            /* Check that OID did not consume more than the sequence length */
 338            if (localIdx > curIdx + (word32)curSz) {
 339                freeSafe(safe, pkcs12->heap);
 340                return ASN_PARSE_E;
 341            }
 342
 343            /* create new content info struct ... possible OID sanity check? */
 344            ci = (ContentInfo*)XMALLOC(sizeof(ContentInfo), pkcs12->heap,
 345                                       DYNAMIC_TYPE_PKCS);
 346            if (ci == NULL) {
 347                freeSafe(safe, pkcs12->heap);
 348                return MEMORY_E;
 349            }
 350
 351            ci->type   = (int)oid;
 352            ci->dataSz = (word32)curSz - (localIdx-curIdx);
 353            ci->data   = input + localIdx;
 354            localIdx  += ci->dataSz;
 355
 356        #ifdef WOLFSSL_DEBUG_PKCS12
 357            switch (oid) {
 358                case WC_PKCS12_ENCRYPTED_DATA:
 359                    printf("CONTENT INFO: ENCRYPTED DATA, size = %d\n", ci->dataSz);
 360                    break;
 361
 362                case WC_PKCS12_DATA:
 363                    printf("CONTENT INFO: DATA, size = %d\n", ci->dataSz);
 364                    break;
 365                default:
 366                    printf("CONTENT INFO: UNKNOWN, size = %d\n", ci->dataSz);
 367            }
 368        #endif
 369
 370            /* insert to head of list */
 371            ci->next = safe->CI;
 372            safe->CI = ci;
 373            safe->numCI += 1;
 374        }
 375    }
 376
 377    pkcs12->safe = safe;
 378    *idx += localIdx;
 379
 380    return ret;
 381}
 382
 383
 384/* parse optional mac data
 385 * return 0 on success */
 386static int GetSignData(WC_PKCS12* pkcs12, const byte* mem, word32* idx,
 387                       word32 totalSz)
 388{
 389    MacData* mac;
 390    word32 curIdx = *idx;
 391    word32 oid = 0;
 392    int size, ret;
 393    byte tag;
 394
 395    /* Digest Info : Sequence
 396     *      DigestAlgorithmIdentifier
 397     *      Digest
 398     */
 399    if (GetSequence(mem, &curIdx, &size, totalSz) <= 0) {
 400        WOLFSSL_MSG("Failed to get PKCS12 sequence");
 401        return ASN_PARSE_E;
 402    }
 403
 404#ifdef WOLFSSL_DEBUG_PKCS12
 405    printf("\t\tSEQUENCE: DigestInfo size = %d\n", size);
 406#endif
 407
 408    mac = (MacData*)XMALLOC(sizeof(MacData), pkcs12->heap, DYNAMIC_TYPE_PKCS);
 409    if (mac == NULL) {
 410        return MEMORY_E;
 411    }
 412    XMEMSET(mac, 0, sizeof(MacData));
 413
 414    /* DigestAlgorithmIdentifier */
 415    if ((ret = GetAlgoId(mem, &curIdx, &oid, oidIgnoreType, totalSz)) < 0) {
 416        WOLFSSL_MSG("Failed to get PKCS12 sequence");
 417        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 418        return ret;
 419    }
 420    mac->oid = oid;
 421
 422#ifdef WOLFSSL_DEBUG_PKCS12
 423    printf("\t\tALGO ID = %d\n", oid);
 424#endif
 425
 426    /* Digest: should be octet type holding digest */
 427    if (GetASNTag(mem, &curIdx, &tag, totalSz) < 0) {
 428        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 429        return ASN_PARSE_E;
 430    }
 431
 432    if (tag != ASN_OCTET_STRING) {
 433        WOLFSSL_MSG("Failed to get digest");
 434        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 435        return ASN_PARSE_E;
 436    }
 437
 438    if (GetLength(mem, &curIdx, &size, totalSz) <= 0) {
 439        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 440        return ASN_PARSE_E;
 441    }
 442    mac->digestSz = (word32)size;
 443    mac->digest = (byte*)XMALLOC(mac->digestSz, pkcs12->heap,
 444                                 DYNAMIC_TYPE_DIGEST);
 445    if (mac->digest == NULL || mac->digestSz + curIdx > totalSz) {
 446        ERROR_OUT(MEMORY_E, exit_gsd);
 447    }
 448    XMEMCPY(mac->digest, mem + curIdx, mac->digestSz);
 449
 450#ifdef WOLFSSL_DEBUG_PKCS12
 451    {
 452        byte* p;
 453        for (printf("\t\tDigest = "), p = (byte*)mem+curIdx;
 454             p < (byte*)mem + curIdx + mac->digestSz;
 455             printf("%02X", *p), p++);
 456        printf(" : size = %d\n", mac->digestSz);
 457    }
 458#endif
 459
 460    curIdx += mac->digestSz;
 461
 462    /* get salt, should be octet string */
 463    if (GetASNTag(mem, &curIdx, &tag, totalSz) < 0) {
 464        ERROR_OUT(ASN_PARSE_E, exit_gsd);
 465    }
 466
 467    if (tag != ASN_OCTET_STRING) {
 468        WOLFSSL_MSG("Failed to get salt");
 469        ERROR_OUT(ASN_PARSE_E, exit_gsd);
 470    }
 471
 472    if ((ret = GetLength(mem, &curIdx, &size, totalSz)) < 0) {
 473        goto exit_gsd;
 474    }
 475    mac->saltSz = (word32)size;
 476    mac->salt = (byte*)XMALLOC(mac->saltSz, pkcs12->heap, DYNAMIC_TYPE_SALT);
 477    if (mac->salt == NULL || mac->saltSz + curIdx > totalSz) {
 478        ERROR_OUT(MEMORY_E, exit_gsd);
 479    }
 480    XMEMCPY(mac->salt, mem + curIdx, mac->saltSz);
 481
 482#ifdef WOLFSSL_DEBUG_PKCS12
 483    {
 484        byte* p;
 485        for (printf("\t\tSalt = "), p = (byte*)mem + curIdx;
 486             p < (byte*)mem + curIdx + mac->saltSz;
 487             printf("%02X", *p), p++);
 488        printf(" : size = %d\n", mac->saltSz);
 489    }
 490#endif
 491
 492    curIdx += mac->saltSz;
 493
 494    /* check for MAC iterations, default to 1 */
 495    mac->itt = WC_PKCS12_MAC_DEFAULT;
 496    if (curIdx < totalSz) {
 497        int number = 0;
 498        if (GetShortInt(mem, &curIdx, &number, totalSz) >= 0) {
 499            /* found a iteration value */
 500            mac->itt = number;
 501        }
 502    }
 503
 504#ifdef WOLFSSL_DEBUG_PKCS12
 505    printf("\t\tITERATIONS : %d\n", mac->itt);
 506#endif
 507
 508    *idx = curIdx;
 509    pkcs12->signData = mac;
 510    ret = 0; /* success */
 511
 512exit_gsd:
 513
 514    /* failure cleanup */
 515    if (ret != 0) {
 516        if (mac) {
 517            XFREE(mac->digest, pkcs12->heap, DYNAMIC_TYPE_DIGEST);
 518            XFREE(mac->salt, pkcs12->heap, DYNAMIC_TYPE_SALT);
 519            XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 520        }
 521    }
 522
 523    return ret;
 524}
 525
 526
 527/* expects PKCS12 signData to be set up with OID
 528 *
 529 * returns the size of mac created on success. A negative value will be returned
 530 *         in the case that an error happened.
 531 */
 532static int wc_PKCS12_create_mac(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
 533                         const byte* psw, word32 pswSz, byte* out, word32 outSz)
 534{
 535    WC_DECLARE_VAR(hmac, Hmac, 1, pkcs12 ? pkcs12->heap : NULL);
 536    WC_DECLARE_VAR(unicodePasswd, byte, MAX_UNICODE_SZ,
 537                   pkcs12 ? pkcs12->heap : NULL);
 538    MacData* mac;
 539    int ret, kLen;
 540    enum wc_HashType hashT;
 541    int idx = 0;
 542    int id  = 3; /* value from RFC 7292 indicating key is used for MAC */
 543    word32 i;
 544    byte key[PKCS_MAX_KEY_SIZE];
 545
 546    if (pkcs12 == NULL || pkcs12->signData == NULL || data == NULL ||
 547            out == NULL) {
 548        return BAD_FUNC_ARG;
 549    }
 550
 551    mac = pkcs12->signData;
 552
 553    WC_ALLOC_VAR_EX(unicodePasswd, byte, MAX_UNICODE_SZ, pkcs12->heap,
 554                    DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
 555    WC_ALLOC_VAR_EX(hmac, Hmac, 1, pkcs12->heap, DYNAMIC_TYPE_HMAC,
 556                    { WC_FREE_VAR_EX(unicodePasswd, pkcs12->heap,
 557                                     DYNAMIC_TYPE_TMP_BUFFER);
 558                      return MEMORY_E; });
 559
 560    /* unicode set up from asn.c */
 561    if (pswSz >= MAX_UNICODE_SZ ||
 562       (pswSz * 2 + 2) > MAX_UNICODE_SZ) {
 563        WOLFSSL_MSG("PKCS12 max unicode size too small");
 564        ret = UNICODE_SIZE_E;
 565        goto exit_mac;
 566    }
 567
 568    for (i = 0; i < pswSz; i++) {
 569        unicodePasswd[idx++] = 0x00;
 570        unicodePasswd[idx++] = (byte)psw[i];
 571    }
 572    /* add trailing NULL */
 573    unicodePasswd[idx++] = 0x00;
 574    unicodePasswd[idx++] = 0x00;
 575
 576    /* get hash type used and resulting size of HMAC key */
 577    hashT = wc_OidGetHash((int)mac->oid);
 578    if (hashT == WC_HASH_TYPE_NONE) {
 579        WOLFSSL_MSG("Unsupported hash used");
 580        ret = BAD_FUNC_ARG;
 581        goto exit_mac;
 582    }
 583    kLen = wc_HashGetDigestSize(hashT);
 584
 585    /* check out buffer is large enough */
 586    if (kLen < 0 || outSz < (word32)kLen) {
 587        ret = BAD_FUNC_ARG;
 588        goto exit_mac;
 589    }
 590
 591    /* idx contains size of unicodePasswd */
 592    ret = wc_PKCS12_PBKDF_ex(key, unicodePasswd, idx, mac->salt, (int)mac->saltSz,
 593                                  mac->itt, kLen, (int)hashT, id, pkcs12->heap);
 594    if (ret < 0) {
 595        goto exit_mac;
 596    }
 597
 598    /* now that key has been created use it to get HMAC hash on data */
 599    if ((ret = wc_HmacInit(hmac, pkcs12->heap, INVALID_DEVID)) != 0) {
 600        goto exit_mac;
 601    }
 602    ret = wc_HmacSetKey(hmac, (int)hashT, key, (word32)kLen);
 603    if (ret == 0)
 604        ret = wc_HmacUpdate(hmac, data, dataSz);
 605    if (ret == 0)
 606        ret = wc_HmacFinal(hmac, out);
 607    wc_HmacFree(hmac);
 608
 609    if (ret == 0)
 610        ret = kLen; /* same as digest size */
 611
 612exit_mac:
 613    ForceZero(unicodePasswd, MAX_UNICODE_SZ);
 614    WC_FREE_VAR_EX(unicodePasswd, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
 615    WC_FREE_VAR_EX(hmac, pkcs12->heap, DYNAMIC_TYPE_HMAC);
 616    return ret;
 617}
 618
 619/* check mac on pkcs12, pkcs12->mac has been sanity checked before entering *
 620 * returns the result of comparison, success is 0 */
 621static int wc_PKCS12_verify(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
 622                            const byte* psw, word32 pswSz)
 623{
 624    MacData* mac;
 625    int ret;
 626    byte digest[WC_MAX_DIGEST_SIZE];
 627
 628    if (pkcs12 == NULL || pkcs12->signData == NULL || data == NULL) {
 629        return BAD_FUNC_ARG;
 630    }
 631
 632    mac = pkcs12->signData;
 633
 634#ifdef WOLFSSL_DEBUG_PKCS12
 635    printf("Verifying MAC with OID = %d\n", mac->oid);
 636#endif
 637
 638    /* check if this builds digest size is too small */
 639    if (mac->digestSz > WC_MAX_DIGEST_SIZE) {
 640        WOLFSSL_MSG("PKCS12 max digest size too small");
 641        return BAD_FUNC_ARG;
 642    }
 643
 644    if ((ret = wc_PKCS12_create_mac(pkcs12, data, dataSz, psw, pswSz,
 645            digest, WC_MAX_DIGEST_SIZE)) < 0) {
 646        return ret;
 647    }
 648
 649    if ((word32)ret != mac->digestSz) {
 650        WOLFSSL_MSG("PKCS12 MAC digest size mismatch");
 651        ForceZero(digest, sizeof(digest));
 652        return MAC_CMP_FAILED_E;
 653    }
 654
 655#ifdef WOLFSSL_DEBUG_PKCS12
 656    {
 657        byte* p;
 658        for (printf("\t\tHash = "), p = (byte*)digest;
 659             p < (byte*)digest + mac->digestSz;
 660             printf("%02X", *p), p++);
 661        printf(" : size = %d\n", mac->digestSz);
 662    }
 663#endif
 664
 665    if (ConstantCompare(digest, mac->digest, (int)mac->digestSz) != 0) {
 666        ForceZero(digest, sizeof(digest));
 667        return MAC_CMP_FAILED_E;
 668    }
 669
 670    ForceZero(digest, sizeof(digest));
 671    return 0;
 672}
 673
 674int wc_PKCS12_verify_ex(WC_PKCS12* pkcs12, const byte* psw, word32 pswSz)
 675{
 676    if (pkcs12 == NULL || pkcs12->safe == NULL) {
 677        return BAD_FUNC_ARG;
 678    }
 679    return wc_PKCS12_verify(pkcs12, pkcs12->safe->data, pkcs12->safe->dataSz,
 680            psw, pswSz);
 681}
 682
 683
 684/* Convert DER format stored in der buffer to WC_PKCS12 struct
 685 * Puts the raw contents of Content Info into structure without completely
 686 * parsing or decoding.
 687 * der    : pointer to der buffer holding PKCS12
 688 * derSz  : size of der buffer
 689 * pkcs12 : non-null pkcs12 pointer
 690 * return 0 on success and negative on failure.
 691 */
 692int wc_d2i_PKCS12(const byte* der, word32 derSz, WC_PKCS12* pkcs12)
 693{
 694    word32 idx  = 0;
 695    word32 totalSz = 0;
 696    int ret;
 697    int size    = 0;
 698    int version = 0;
 699#ifdef ASN_BER_TO_DER
 700    word32 tmpSz = 0;
 701#endif
 702
 703    WOLFSSL_ENTER("wolfSSL_d2i_PKCS12");
 704
 705    if (der == NULL || pkcs12 == NULL) {
 706        return BAD_FUNC_ARG;
 707    }
 708
 709    totalSz = derSz;
 710    if (GetSequence(der, &idx, &size, totalSz) < 0) {
 711        WOLFSSL_MSG("Failed to get PKCS12 sequence");
 712        return ASN_PARSE_E;
 713    }
 714
 715    /* get version */
 716    if ((ret = GetMyVersion(der, &idx, &version, totalSz)) < 0) {
 717        return ret;
 718    }
 719
 720    #ifdef ASN_BER_TO_DER
 721     if (size == 0) {
 722         if (wc_BerToDer(der, totalSz, NULL,
 723                         &tmpSz) != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
 724             WOLFSSL_MSG("Not BER sequence");
 725             return ASN_PARSE_E;
 726         }
 727
 728         pkcs12->der = (byte*)XMALLOC((size_t)tmpSz, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 729         if (pkcs12->der == NULL)
 730             return MEMORY_E;
 731         ret = wc_BerToDer(der, derSz, pkcs12->der, &tmpSz);
 732         if (ret < 0) {
 733             return ret;
 734         }
 735
 736         der  = pkcs12->der;
 737         pkcs12->derSz = tmpSz;
 738         totalSz = tmpSz;
 739         idx = 0;
 740
 741         if (GetSequence(der, &idx, &size, totalSz) < 0) {
 742             WOLFSSL_MSG("Failed to get PKCS12 sequence");
 743             return ASN_PARSE_E;
 744         }
 745
 746         /* get version */
 747         if ((ret = GetMyVersion(der, &idx, &version, totalSz)) < 0) {
 748             return ret;
 749         }
 750
 751         pkcs12->indefinite = 1;
 752
 753     }
 754     else
 755#endif /* ASN_BER_TO_DER */
 756    {
 757        pkcs12->indefinite = 0;
 758    }
 759
 760#ifdef WOLFSSL_DEBUG_PKCS12
 761    printf("\nBEGIN: PKCS12 size = %d\n", totalSz);
 762    printf("version = %d\n", version);
 763#endif
 764
 765    if (version != WC_PKCS12_VERSION_DEFAULT) {
 766        WOLFSSL_MSG("PKCS12 unsupported version!");
 767        WOLFSSL_ERROR_VERBOSE(ASN_VERSION_E);
 768        return ASN_VERSION_E;
 769    }
 770
 771    if ((ret = GetSequence(der, &idx, &size, totalSz)) < 0) {
 772        return ret;
 773    }
 774
 775#ifdef WOLFSSL_DEBUG_PKCS12
 776    printf("\tSEQUENCE: AuthenticatedSafe size = %d\n", size);
 777#endif
 778
 779    if ((ret = GetSafeContent(pkcs12, der, &idx, (word32)size + idx)) < 0) {
 780        WOLFSSL_MSG("GetSafeContent error");
 781        return ret;
 782    }
 783
 784#ifdef ASN_BER_TO_DER
 785    /* If indef, skip EOF */
 786    if (pkcs12->indefinite) {
 787        while((idx < totalSz) && (der[idx] == ASN_EOC)) {
 788            idx+=1;
 789        }
 790    }
 791#endif
 792
 793    /* if more buffer left check for MAC data */
 794    if (idx < totalSz) {
 795        if ((ret = GetSequence(der, &idx, &size, totalSz)) < 0) {
 796            WOLFSSL_MSG("Ignoring unknown data at end of PKCS12 DER buffer");
 797        }
 798        else {
 799        #ifdef WOLFSSL_DEBUG_PKCS12
 800            printf("\tSEQUENCE: Signature size = %d\n", size);
 801        #endif
 802
 803            if ((ret = GetSignData(pkcs12, der, &idx, totalSz)) < 0) {
 804                return ASN_PARSE_E;
 805            }
 806        }
 807    }
 808
 809#ifdef WOLFSSL_DEBUG_PKCS12
 810    printf("END: PKCS12\n");
 811#endif
 812
 813    return ret;
 814}
 815
 816#ifndef NO_FILESYSTEM
 817/* Parse the DER-encoded PKCS #12 object in the provided file. Populate the
 818 * WC_PKCS12 object pointed to by the passed in pointer, allocating the object
 819 * if necessary.
 820 *
 821 * file  : path to PKCS #12 file.
 822 * pkcs12: pointer to a pointer to a WC_PKCS12 object to populate. If *pkcs12 is
 823 *         NULL, this function will allocate a new WC_PKCS12.
 824 * return 0 on success and negative on failure.
 825 */
 826int wc_d2i_PKCS12_fp(const char* file, WC_PKCS12** pkcs12)
 827{
 828    int ret = 0;
 829    byte* buf = NULL;
 830    size_t bufSz = 0;
 831    WC_PKCS12* tmpPkcs12 = NULL;
 832    int callerAlloc = 1;
 833
 834    WOLFSSL_ENTER("wc_d2i_PKCS12_fp");
 835
 836    if (pkcs12 == NULL) {
 837        WOLFSSL_MSG("pkcs12 parameter NULL.");
 838        ret = BAD_FUNC_ARG;
 839    }
 840
 841    if (ret == 0)
 842        ret = wc_FileLoad(file, &buf, &bufSz, NULL);
 843
 844    if (ret == 0) {
 845        if (*pkcs12 == NULL) {
 846            tmpPkcs12 = wc_PKCS12_new();
 847            if (tmpPkcs12 == NULL) {
 848                WOLFSSL_MSG("Failed to allocate PKCS12 object.");
 849                ret = MEMORY_E;
 850            }
 851            else {
 852                *pkcs12 = tmpPkcs12;
 853                callerAlloc = 0;
 854            }
 855        }
 856    }
 857    if (ret == 0) {
 858        ret = wc_d2i_PKCS12(buf, (word32)bufSz, *pkcs12);
 859        if (ret != 0) {
 860            WOLFSSL_MSG("wc_d2i_PKCS12 failed.");
 861        }
 862    }
 863
 864    if (ret != 0 && callerAlloc == 0 && *pkcs12 != NULL) {
 865        wc_PKCS12_free(*pkcs12);
 866        *pkcs12 = NULL;
 867    }
 868    XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 869
 870    WOLFSSL_LEAVE("wc_d2i_PKCS12_fp", ret);
 871
 872    return ret;
 873}
 874#endif /* NO_FILESYSTEM */
 875
 876/* Convert WC_PKCS12 struct to allocated DER buffer.
 877 * pkcs12 : non-null pkcs12 pointer
 878 * der    : pointer-pointer to der buffer. If NULL space will be
 879 *          allocated for der, which must be freed by application.
 880 * derSz  : size of buffer passed in when der is not NULL. NULL arg disables
 881 *          sanity checks on buffer read/writes. Max size gets set to derSz when
 882 *          the "der" buffer passed in is NULL and LENGTH_ONLY_E is returned.
 883 * return size of DER on success and negative on failure.
 884 */
 885int wc_i2d_PKCS12(WC_PKCS12* pkcs12, byte** der, int* derSz)
 886{
 887    int ret = 0;
 888    word32 seqSz = 0, verSz = 0, totalSz = 0, idx = 0, sdBufSz = 0;
 889    byte *buf = NULL;
 890    byte ver[MAX_VERSION_SZ];
 891    byte seq[MAX_SEQ_SZ];
 892    byte *sdBuf = NULL;
 893
 894    if ((pkcs12 == NULL) || (pkcs12->safe == NULL) ||
 895            (der == NULL && derSz == NULL)) {
 896        return BAD_FUNC_ARG;
 897    }
 898
 899    /* Create the MAC portion */
 900    if (pkcs12->signData != NULL) {
 901        MacData *mac = (MacData*)pkcs12->signData;
 902        word32 innerSz = 0;
 903        word32 outerSz = 0;
 904
 905        /* get exact size */
 906        {
 907            byte ASNLENGTH[MAX_LENGTH_SZ];
 908            byte ASNSHORT[MAX_SHORT_SZ];
 909            byte ASNALGO[MAX_ALGO_SZ];
 910            word32 tmpIdx = 0;
 911
 912            /* algo id */
 913            innerSz += SetAlgoID((int)mac->oid, ASNALGO, oidHashType, 0);
 914
 915            /* Octet string holding digest */
 916            innerSz += ASN_TAG_SZ;
 917            innerSz += SetLength(mac->digestSz, ASNLENGTH);
 918            innerSz += mac->digestSz;
 919
 920            /* salt */
 921            outerSz += ASN_TAG_SZ;
 922            outerSz += SetLength(mac->saltSz, ASNLENGTH);
 923            outerSz += mac->saltSz;
 924
 925            /* MAC iterations */
 926            ret = SetShortInt(ASNSHORT, &tmpIdx, (word32)mac->itt, MAX_SHORT_SZ);
 927            if (ret >= 0) {
 928                outerSz += (word32)ret;
 929                ret = 0;
 930            }
 931            else {
 932                return ret;
 933            }
 934
 935            /* sequence of inner data */
 936            outerSz += SetSequence(innerSz, seq);
 937            outerSz += innerSz;
 938        }
 939        sdBufSz = outerSz + SetSequence(outerSz, seq);
 940        sdBuf = (byte*)XMALLOC(sdBufSz, pkcs12->heap, DYNAMIC_TYPE_PKCS);
 941        if (sdBuf == NULL) {
 942            ret = MEMORY_E;
 943        }
 944
 945        if (ret == 0) {
 946            idx += SetSequence(outerSz, sdBuf);
 947            idx += SetSequence(innerSz, &sdBuf[idx]);
 948
 949            /* Set Algorithm Identifier */
 950            {
 951                word32 algoIdSz;
 952
 953                algoIdSz = SetAlgoID((int)mac->oid, &sdBuf[idx], oidHashType, 0);
 954                if (algoIdSz == 0) {
 955                    ret = ALGO_ID_E;
 956                }
 957                else {
 958                    idx += algoIdSz;
 959                }
 960            }
 961        }
 962
 963        if (ret == 0) {
 964
 965
 966            /* Octet string holding digest */
 967            idx += SetOctetString(mac->digestSz, &sdBuf[idx]);
 968            XMEMCPY(&sdBuf[idx], mac->digest, mac->digestSz);
 969            idx += mac->digestSz;
 970
 971            /* Set salt */
 972            idx += SetOctetString(mac->saltSz, &sdBuf[idx]);
 973            XMEMCPY(&sdBuf[idx], mac->salt, mac->saltSz);
 974            idx += mac->saltSz;
 975
 976            /* MAC iterations */
 977            {
 978                int tmpSz;
 979                word32 tmpIdx = 0;
 980                byte ar[MAX_SHORT_SZ];
 981                tmpSz = SetShortInt(ar, &tmpIdx, (word32)mac->itt, MAX_SHORT_SZ);
 982                if (tmpSz < 0) {
 983                    ret = tmpSz;
 984                }
 985                else {
 986                    XMEMCPY(&sdBuf[idx], ar, (size_t)tmpSz);
 987                }
 988            }
 989            totalSz += sdBufSz;
 990        }
 991    }
 992
 993    /* Calculate size of der */
 994    if (ret == 0) {
 995        totalSz += pkcs12->safe->dataSz;
 996
 997        totalSz += 4; /* Octet string */
 998
 999        totalSz += 4; /* Element */
1000
1001        totalSz += 2U + (word32)sizeof(WC_PKCS12_DATA_OID);
1002
1003        totalSz += 4; /* Seq */
1004
1005        ret = SetMyVersion(WC_PKCS12_VERSION_DEFAULT, ver, FALSE);
1006        if (ret > 0) {
1007            verSz = (word32)ret;
1008            ret   = 0; /* value larger than 0 is success */
1009            totalSz += verSz;
1010
1011            seqSz = SetSequence(totalSz, seq);
1012            totalSz += seqSz;
1013
1014            /* check if getting length only */
1015            if (der == NULL) {
1016                /* repeat nullness check locally to mollify -Wnull-dereference. */
1017                if (derSz != NULL)
1018                    *derSz = (int)totalSz;
1019                XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1020                return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
1021            }
1022
1023            if (*der == NULL) {
1024                /* Allocate if requested */
1025                buf = (byte*)XMALLOC(totalSz, NULL, DYNAMIC_TYPE_PKCS);
1026            }
1027            else {
1028                buf = *der;
1029
1030                /* sanity check on buffer size if passed in */
1031                if (derSz != NULL) {
1032                    if (*derSz < (int)totalSz) {
1033                        WOLFSSL_MSG("Buffer passed in is too small");
1034                        ret = BUFFER_E;
1035                    }
1036                }
1037            }
1038        }
1039    }
1040
1041    if (buf == NULL) {
1042        ret = MEMORY_E;
1043    }
1044
1045    if (ret == 0) {
1046        idx = 0;
1047
1048        /* Copy parts to buf */
1049        XMEMCPY(&buf[idx], seq, seqSz);
1050        idx += seqSz;
1051
1052        XMEMCPY(&buf[idx], ver, verSz);
1053        idx += verSz;
1054
1055        seqSz = SetSequence(totalSz - sdBufSz - idx - 4, seq);
1056        XMEMCPY(&buf[idx], seq, seqSz);
1057        idx += seqSz;
1058
1059        /* OID */
1060        idx += (word32)SetObjectId(sizeof(WC_PKCS12_DATA_OID), &buf[idx]);
1061        XMEMCPY(&buf[idx], WC_PKCS12_DATA_OID, sizeof(WC_PKCS12_DATA_OID));
1062        idx += (word32)sizeof(WC_PKCS12_DATA_OID);
1063
1064        /* Element */
1065        buf[idx++] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC;
1066        idx += SetLength(totalSz - sdBufSz - idx - 3, &buf[idx]);
1067
1068        /* Octet string */
1069        idx += SetOctetString(totalSz - sdBufSz - idx - 4, &buf[idx]);
1070
1071        XMEMCPY(&buf[idx], pkcs12->safe->data, pkcs12->safe->dataSz);
1072        idx += pkcs12->safe->dataSz;
1073
1074        if (pkcs12->signData != NULL) {
1075            XMEMCPY(&buf[idx], sdBuf, sdBufSz);
1076        }
1077
1078        if (*der == NULL) {
1079            /* Point to start of data allocated for DER */
1080            *der = buf;
1081        }
1082        else {
1083            /* Increment pointer to byte past DER */
1084            *der = &buf[totalSz];
1085        }
1086
1087        /* Return size of der */
1088        ret = (int)totalSz;
1089    }
1090
1091    XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1092    /* Allocation of buf was the last time ret could be a failure,
1093     * so no need to free here */
1094
1095    return ret;
1096}
1097
1098
1099/* helper function to free WC_DerCertList */
1100void wc_FreeCertList(WC_DerCertList* list, void* heap)
1101{
1102    WC_DerCertList* current = list;
1103    WC_DerCertList* next;
1104
1105    if (list == NULL) {
1106        return;
1107    }
1108
1109    while (current != NULL) {
1110        next = current->next;
1111        XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS);
1112        XFREE(current, heap, DYNAMIC_TYPE_PKCS);
1113        current = next;
1114    }
1115
1116    (void)heap;
1117}
1118
1119static WARN_UNUSED_RESULT int freeDecCertList(WC_DerCertList** list,
1120    byte** pkey, word32* pkeySz, byte** cert, word32* certSz, void* heap)
1121{
1122    WC_DerCertList* current  = *list;
1123    WC_DerCertList* previous = NULL;
1124#ifdef WOLFSSL_SMALL_STACK
1125    DecodedCert *DeCert = (DecodedCert *)XMALLOC(
1126        sizeof(*DeCert), heap, DYNAMIC_TYPE_PKCS);
1127    if (DeCert == NULL)
1128        return MEMORY_E;
1129#else
1130    DecodedCert DeCert[1];
1131#endif
1132
1133    while (current != NULL) {
1134
1135        InitDecodedCert(DeCert, current->buffer, current->bufferSz, heap);
1136        if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL, NULL) == 0) {
1137            if (wc_CheckPrivateKeyCert(*pkey, *pkeySz, DeCert, 0, heap) == 1) {
1138                WOLFSSL_MSG("Key Pair found");
1139                *cert = current->buffer;
1140                *certSz = current->bufferSz;
1141
1142                if (previous == NULL) {
1143                    *list = current->next;
1144                }
1145                else {
1146                    previous->next = current->next;
1147                }
1148                FreeDecodedCert(DeCert);
1149                XFREE(current, heap, DYNAMIC_TYPE_PKCS);
1150                break;
1151            }
1152        }
1153        FreeDecodedCert(DeCert);
1154
1155        previous = current;
1156        current  = current->next;
1157    }
1158
1159    WC_FREE_VAR_EX(DeCert, heap, DYNAMIC_TYPE_PKCS);
1160
1161    return 0;
1162}
1163
1164#ifdef ASN_BER_TO_DER
1165/* append data to encrypted content cache in PKCS12 structure
1166 * return buffer on success, NULL on error */
1167static byte* PKCS12_ConcatenateContent(WC_PKCS12* pkcs12,byte* mergedData,
1168        word32* mergedSz, byte* in, word32 inSz)
1169{
1170    byte* oldContent;
1171    word32 oldContentSz;
1172    word32 newSz = 0;
1173
1174    (void)pkcs12;
1175
1176    if (mergedData == NULL || in == NULL)
1177        return NULL;
1178
1179    /* save pointer to old cache */
1180    oldContent = mergedData;
1181    oldContentSz = *mergedSz;
1182
1183    /* re-allocate new buffer to fit appended data */
1184    if (WC_SAFE_SUM_WORD32(oldContentSz, inSz, newSz) == 0) {
1185        XFREE(oldContent, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1186        return NULL;
1187    }
1188
1189    mergedData = (byte*)XMALLOC(newSz, pkcs12->heap,
1190            DYNAMIC_TYPE_PKCS);
1191    if (mergedData != NULL) {
1192        if (oldContent != NULL) {
1193            XMEMCPY(mergedData, oldContent, oldContentSz);
1194        }
1195        XMEMCPY(mergedData + oldContentSz, in, inSz);
1196        *mergedSz = newSz;
1197    }
1198    XFREE(oldContent, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1199
1200    return mergedData;
1201}
1202
1203/* Check if constructed [0] is seen after wc_BerToDer() or not.
1204 * returns 1 if seen, 0 if not, ASN_PARSE_E on error */
1205static int PKCS12_CheckConstructedZero(const byte* data, word32 dataSz,
1206                                       word32* idx)
1207{
1208    word32 oid;
1209    int    ret = 0;
1210    int    number, size = 0;
1211    byte   tag = 0;
1212
1213    if (GetSequence(data, idx, &size, dataSz) < 0) {
1214        ret = ASN_PARSE_E;
1215    }
1216
1217    if (ret == 0 && GetObjectId(data, idx, &oid, oidIgnoreType, dataSz)) {
1218        ret = ASN_PARSE_E;
1219    }
1220
1221    if (ret == 0 && GetSequence(data, idx, &size, dataSz) < 0) {
1222        ret = ASN_PARSE_E;
1223    }
1224
1225    if (ret == 0 && GetOctetString(data, idx, &size, dataSz) < 0) {
1226        ret = ASN_PARSE_E;
1227    }
1228
1229    *idx += (word32)size;
1230    if (ret == 0 && GetShortInt(data, idx, &number, dataSz) < 0) {
1231        ret = ASN_PARSE_E;
1232    }
1233
1234    /* Check if wc_BerToDer() handled constructed [0] and octet
1235     * strings properly, manually fix it if not. */
1236    if (ret == 0 && GetASNTag(data, idx, &tag, dataSz) < 0) {
1237        ret = ASN_PARSE_E;
1238    }
1239    else if (ret == 0 && tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
1240        ret = 1;
1241    }
1242
1243    return ret;
1244}
1245
1246/* Manually coalesce definite length octet strings into one unconstructed
1247 * definite length octet string.
1248 * returns 0 on success, negative on failure */
1249static int PKCS12_CoalesceOctetStrings(WC_PKCS12* pkcs12, byte* data,
1250        word32 dataSz, word32* idx, int* curIdx)
1251{
1252    byte*  mergedData = NULL; /* buffer for concatenated strings */
1253    word32 mergedSz = 0;      /* total size of merged strings */
1254    int    encryptedContentSz = 0;
1255    int    originalEncSz = 0;
1256    int    ret = 0;
1257    word32 saveIdx;
1258    byte   tag;
1259
1260    saveIdx = *idx;
1261
1262    if (GetLength(data, idx, &originalEncSz, dataSz) < 0) {
1263        ret = ASN_PARSE_E;
1264    }
1265
1266    /* Loop through octet strings and concatenate them without
1267     * the tags and length */
1268    while ((int)*idx < originalEncSz + *curIdx) {
1269        if (GetASNTag(data, idx, &tag, dataSz) < 0) {
1270            ret = ASN_PARSE_E;
1271        }
1272        if (ret == 0 && (tag != ASN_OCTET_STRING)) {
1273            ret = ASN_PARSE_E;
1274        }
1275        if (ret == 0 && GetLength(data, idx,
1276                    &encryptedContentSz, dataSz) <= 0) {
1277            ret = ASN_PARSE_E;
1278        }
1279        if (ret == 0) {
1280            if (mergedData == NULL) {
1281                mergedData = (byte*)XMALLOC((size_t)encryptedContentSz,
1282                            pkcs12->heap, DYNAMIC_TYPE_PKCS);
1283                if (mergedData == NULL) {
1284                    ret = MEMORY_E;
1285                }
1286            }
1287            mergedData = PKCS12_ConcatenateContent(pkcs12, mergedData,
1288                    &mergedSz, &data[*idx], (word32)encryptedContentSz);
1289            if (mergedData == NULL) {
1290                ret = MEMORY_E;
1291            }
1292        }
1293        if (ret != 0) {
1294            break;
1295        }
1296        *idx += (word32)encryptedContentSz;
1297    }
1298
1299    if (ret == 0) {
1300        *idx = saveIdx;
1301
1302        *idx += SetLength(mergedSz, &data[*idx]);
1303
1304        if (mergedSz > 0) {
1305            /* Copy over concatenated octet strings into data buffer */
1306            XMEMCPY(&data[*idx], mergedData, mergedSz);
1307        }
1308    }
1309
1310    XFREE(mergedData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1311
1312    return ret;
1313}
1314#endif
1315
1316/* return 0 on success and negative on failure.
1317 * By side effect returns private key, cert, and optionally ca.
1318 * Parses and decodes the parts of PKCS12
1319 *
1320 * NOTE: can parse with USER RSA enabled but may return cert that is not the
1321 *       pair for the key when using RSA key pairs.
1322 *
1323 * pkcs12 : non-null WC_PKCS12 struct
1324 * psw    : password to use for PKCS12 decode
1325 * pkey   : Private key returned
1326 * cert   : x509 cert returned
1327 * ca     : optional ca returned
1328 */
1329int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
1330        byte** pkey, word32* pkeySz, byte** cert, word32* certSz,
1331        WC_DerCertList** ca)
1332{
1333    return wc_PKCS12_parse_ex(pkcs12, psw, pkey, pkeySz, cert, certSz, ca, 0);
1334}
1335
1336/* return 0 on success and negative on failure.
1337 * By side effect returns private key, cert, and optionally ca.
1338 * Parses and decodes the parts of PKCS12
1339 *
1340 * NOTE: can parse with USER RSA enabled but may return cert that is not the
1341 *       pair for the key when using RSA key pairs.
1342 *
1343 * pkcs12        : non-null WC_PKCS12 struct
1344 * psw           : password to use for PKCS12 decode
1345 * pkey          : Private key returned
1346 * cert          : x509 cert returned
1347 * ca            : optional ca returned
1348 * keepKeyHeader : 0 removes PKCS8 header, other than 0 keeps PKCS8 header
1349 */
1350int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
1351        byte** pkey, word32* pkeySz, byte** cert, word32* certSz,
1352        WC_DerCertList** ca, int keepKeyHeader)
1353{
1354    ContentInfo* ci       = NULL;
1355    WC_DerCertList* certList = NULL;
1356    WC_DerCertList* tailList = NULL;
1357    byte* buf             = NULL;
1358    word32 i, oid;
1359    word32 algId;
1360    word32 contentSz = 0;
1361    int ret, pswSz;
1362#ifdef ASN_BER_TO_DER
1363    int curIdx;
1364#endif
1365
1366    WOLFSSL_ENTER("wc_PKCS12_parse");
1367
1368    if (pkcs12 == NULL || psw == NULL || cert == NULL || certSz == NULL ||
1369        pkey == NULL   || pkeySz == NULL) {
1370        return BAD_FUNC_ARG;
1371    }
1372
1373    pswSz = (int)XSTRLEN(psw);
1374    *cert = NULL;
1375    *pkey = NULL;
1376    if (ca != NULL)
1377        *ca = NULL;
1378
1379    /* if there is sign data then verify the MAC */
1380    if (pkcs12->signData != NULL ) {
1381        if ((ret = wc_PKCS12_verify(pkcs12, pkcs12->safe->data,
1382                 pkcs12->safe->dataSz, (const byte*)psw, (word32)pswSz)) != 0) {
1383            WOLFSSL_MSG("PKCS12 Bad MAC on verify");
1384            WOLFSSL_LEAVE("wc_PKCS12_parse verify ", ret);
1385            (void)ret;
1386            return MAC_CMP_FAILED_E;
1387        }
1388    }
1389
1390    if (pkcs12->safe == NULL) {
1391        WOLFSSL_MSG("No PKCS12 safes to parse");
1392        return BAD_FUNC_ARG;
1393    }
1394
1395    /* Decode content infos */
1396    ci = pkcs12->safe->CI;
1397    for (i = 0; i < pkcs12->safe->numCI; i++) {
1398        const byte* data;
1399        word32 idx = 0;
1400        int    size, totalSz;
1401        byte   tag;
1402
1403        data = ci->data;
1404
1405        if (ci->type == WC_PKCS12_ENCRYPTED_DATA) {
1406            int number;
1407
1408            WOLFSSL_MSG("Decrypting PKCS12 Content Info Container");
1409            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
1410                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1411            }
1412
1413            if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
1414                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1415            }
1416            if ((ret = GetLength(data, &idx, &size, ci->dataSz)) < 0) {
1417                goto exit_pk12par;
1418            }
1419
1420            if ((ret = GetSequence(data, &idx, &size, ci->dataSz)) < 0) {
1421                goto exit_pk12par;
1422            }
1423
1424            if ((ret = GetShortInt(data, &idx, &number, ci->dataSz)) < 0) {
1425                goto exit_pk12par;
1426            }
1427
1428            if (number != 0) {
1429                WOLFSSL_MSG("Expecting 0 for Integer with Encrypted PKCS12");
1430            }
1431
1432            if ((ret = GetSequence(data, &idx, &size, ci->dataSz)) < 0) {
1433                goto exit_pk12par;
1434            }
1435
1436            ret = GetObjectId(data, &idx, &oid, oidIgnoreType, ci->dataSz);
1437            if (ret < 0 || oid != WC_PKCS12_DATA) {
1438                WOLFSSL_MSG("Not PKCS12 DATA object or get object parse error");
1439                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1440            }
1441
1442
1443#ifdef ASN_BER_TO_DER
1444            curIdx = (int)idx;
1445            /* If indefinite length format, ensure it is in the ASN format
1446             * the DecryptContent() expects */
1447            if (pkcs12->indefinite && PKCS12_CheckConstructedZero(data,
1448                                                    ci->dataSz, &idx) == 1) {
1449                /* safe casts -- pkcs12->indefinite signals that data is inside
1450                 * the earlier allocation of der by wc_d2i_PKCS12(().
1451                 */
1452                ((byte *)(wc_ptr_t)data)[idx-1] = ASN_LONG_LENGTH;
1453                ret = PKCS12_CoalesceOctetStrings(
1454                    pkcs12, ((byte *)(wc_ptr_t)data), ci->dataSz,
1455                    &idx, &curIdx);
1456                if (ret < 0) {
1457                    goto exit_pk12par;
1458                }
1459            }
1460            idx = (word32)curIdx;
1461#endif
1462
1463        /* decrypted content overwrites input buffer */
1464            size = (int)(ci->dataSz - idx);
1465            buf = (byte*)XMALLOC((size_t)size, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1466            if (buf == NULL) {
1467                ERROR_OUT(MEMORY_E, exit_pk12par);
1468            }
1469            XMEMCPY(buf, data + idx, (size_t)size);
1470
1471            if ((ret = DecryptContent(buf, (word32)size, psw, pswSz)) < 0) {
1472                WOLFSSL_MSG("Decryption failed, algorithm not compiled in?");
1473                goto exit_pk12par;
1474            }
1475
1476            /* DecryptContent strips the PBE ASN.1 wrapper and returns the
1477             * actual decrypted payload size, which is smaller than the
1478             * allocated buf. Track the real bounds so subsequent ASN.1
1479             * parsing does not read past the decrypted content. */
1480            contentSz = (word32)ret;
1481            data = buf;
1482            idx = 0;
1483
1484        #ifdef WOLFSSL_DEBUG_PKCS12
1485            {
1486                byte* p;
1487                for (printf("\tData = "), p = (byte*)buf;
1488                    p < (byte*)buf + size;
1489                    printf("%02X", *p), p++);
1490                printf("\n");
1491            }
1492        #endif
1493        }
1494        else { /* type DATA */
1495            WOLFSSL_MSG("Parsing PKCS12 DATA Content Info Container");
1496            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
1497                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1498            }
1499
1500            if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
1501                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1502            }
1503            if (GetLength(data, &idx, &size, ci->dataSz) <= 0) {
1504                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1505            }
1506
1507            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
1508                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1509            }
1510            if (tag != ASN_OCTET_STRING) {
1511                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1512            }
1513            if ((ret = GetLength(data, &idx, &size, ci->dataSz)) < 0) {
1514                goto exit_pk12par;
1515            }
1516
1517            /* DATA branch: data still points into ci->data, so the
1518             * ContentInfo size is the correct parsing bound. */
1519            contentSz = ci->dataSz;
1520        }
1521
1522        /* parse through bags in ContentInfo */
1523        if ((ret = GetSequence(data, &idx, &totalSz, contentSz)) < 0) {
1524            goto exit_pk12par;
1525        }
1526        totalSz += (int)idx;
1527
1528        while ((int)idx < totalSz) {
1529            int bagSz;
1530            if ((ret = GetSequence(data, &idx, &bagSz, contentSz)) < 0) {
1531                goto exit_pk12par;
1532            }
1533            bagSz += (int)idx;
1534
1535            if ((ret = GetObjectId(data, &idx, &oid, oidIgnoreType,
1536                                                             contentSz)) < 0) {
1537                goto exit_pk12par;
1538            }
1539
1540            switch (oid) {
1541                case WC_PKCS12_KeyBag: /* 667 */
1542                    WOLFSSL_MSG("PKCS12 Key Bag found");
1543                    if (GetASNTag(data, &idx, &tag, contentSz) < 0) {
1544                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1545                    }
1546                    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
1547                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1548                    }
1549                    if ((ret = GetLength(data, &idx, &size, contentSz)) <= 0) {
1550                        if (ret == 0)
1551                            ret = ASN_PARSE_E;
1552                        goto exit_pk12par;
1553                    }
1554                    if (*pkey == NULL) {
1555                        *pkey = (byte*)XMALLOC((size_t)size, pkcs12->heap,
1556                                                       DYNAMIC_TYPE_PUBLIC_KEY);
1557                        if (*pkey == NULL) {
1558                            ERROR_OUT(MEMORY_E, exit_pk12par);
1559                        }
1560                        XMEMCPY(*pkey, data + idx, (size_t)size);
1561                        if (keepKeyHeader) {
1562                            *pkeySz = (word32)size;
1563                        }
1564                        else {
1565                            ret = ToTraditional_ex(*pkey,
1566                                    (word32)size, &algId);
1567                            if (ret < 0) {
1568                                *pkeySz = (word32)size;
1569                                goto exit_pk12par;
1570                            }
1571                            *pkeySz = (word32)ret;
1572                        }
1573                    }
1574
1575                #ifdef WOLFSSL_DEBUG_PKCS12
1576                    {
1577                        byte* p;
1578                        for (printf("\tKey = "), p = (byte*)*pkey;
1579                            p < (byte*)*pkey + size;
1580                            printf("%02X", *p), p++);
1581                        printf("\n");
1582                    }
1583                #endif
1584                    idx += (word32)size;
1585                    break;
1586
1587                case WC_PKCS12_ShroudedKeyBag: /* 668 */
1588                    {
1589                        byte* k;
1590
1591                        WOLFSSL_MSG("PKCS12 Shrouded Key Bag found");
1592                        if (GetASNTag(data, &idx, &tag, contentSz) < 0) {
1593                            ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1594                        }
1595                        if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
1596                            ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1597                        }
1598                        if ((ret = GetLength(data, &idx, &size,
1599                                                             contentSz)) < 0) {
1600                            goto exit_pk12par;
1601                        }
1602
1603                        k = (byte*)XMALLOC((size_t)size, pkcs12->heap,
1604                                                       DYNAMIC_TYPE_PUBLIC_KEY);
1605                        if (k == NULL) {
1606                            ERROR_OUT(MEMORY_E, exit_pk12par);
1607                        }
1608                        XMEMCPY(k, data + idx, (size_t)size);
1609
1610                        /* overwrites input, be warned */
1611                        if (keepKeyHeader) {
1612                            if ((ret = wc_DecryptPKCS8Key(k, (word32)size, psw,
1613                                pswSz)) < 0) {
1614                                ForceZero(k, (size_t)size);
1615                                XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
1616                                goto exit_pk12par;
1617                            }
1618                        }
1619                        else {
1620                            if ((ret = ToTraditionalEnc(k, (word32)size, psw,
1621                                pswSz, &algId)) < 0) {
1622                                ForceZero(k, (size_t)size);
1623                                XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
1624                                goto exit_pk12par;
1625                            }
1626                        }
1627
1628                        if (ret < size) {
1629                            /* shrink key buffer */
1630                            byte* tmp = (byte*)XMALLOC((size_t)ret, pkcs12->heap,
1631                                                 DYNAMIC_TYPE_PUBLIC_KEY);
1632                            if (tmp == NULL) {
1633                                ForceZero(k, (size_t)size);
1634                                XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
1635                                ERROR_OUT(MEMORY_E, exit_pk12par);
1636                            }
1637                            XMEMCPY(tmp, k, (size_t)ret);
1638                            ForceZero(k, (size_t)size);
1639                            XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
1640                            k = tmp;
1641                        }
1642                        size = ret;
1643
1644                        if (*pkey == NULL) {
1645                            *pkey = k;
1646                            *pkeySz = (word32)size;
1647                        }
1648                        else { /* only expecting one key */
1649                            ForceZero(k, (size_t)size);
1650                            XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
1651                        }
1652                        idx += (word32)size;
1653
1654                    #ifdef WOLFSSL_DEBUG_PKCS12
1655                        {
1656                            byte* p;
1657                            for (printf("\tKey = "), p = (byte*)k;
1658                                p < (byte*)k + ret;
1659                                printf("%02X", *p), p++);
1660                            printf("\n");
1661                        }
1662                    #endif
1663                    }
1664                    break;
1665
1666                case WC_PKCS12_CertBag: /* 669 */
1667                {
1668                    WC_DerCertList* node;
1669                    WOLFSSL_MSG("PKCS12 Cert Bag found");
1670                    if (GetASNTag(data, &idx, &tag, contentSz) < 0) {
1671                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1672                    }
1673                    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
1674                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1675                    }
1676                    if ((ret = GetLength(data, &idx, &size, contentSz)) < 0) {
1677                        goto exit_pk12par;
1678                    }
1679
1680                    /* get cert bag type */
1681                    if ((ret = GetSequence(data, &idx, &size, contentSz)) <0) {
1682                        goto exit_pk12par;
1683                    }
1684
1685                    if ((ret = GetObjectId(data, &idx, &oid, oidIgnoreType,
1686                                                             contentSz)) < 0) {
1687                        goto exit_pk12par;
1688                    }
1689
1690                    switch (oid) {
1691                        case WC_PKCS12_CertBag_Type1:  /* 675 */
1692                            /* type 1 */
1693                            WOLFSSL_MSG("PKCS12 cert bag type 1");
1694                            if (GetASNTag(data, &idx, &tag, contentSz) < 0) {
1695                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1696                            }
1697                            if (tag != (ASN_CONSTRUCTED |
1698                                        ASN_CONTEXT_SPECIFIC)) {
1699                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1700                            }
1701                            if ((ret = GetLength(data, &idx, &size, contentSz))
1702                                                                         <= 0) {
1703                                if (ret == 0)
1704                                    ret = ASN_PARSE_E;
1705                                goto exit_pk12par;
1706                            }
1707                            if (GetASNTag(data, &idx, &tag, contentSz) < 0) {
1708                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1709                            }
1710                            if (tag != ASN_OCTET_STRING) {
1711                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1712
1713                            }
1714                            if ((ret = GetLength(data, &idx, &size, contentSz))
1715                                                                          < 0) {
1716                                goto exit_pk12par;
1717                            }
1718                            break;
1719                       default:
1720                            WOLFSSL_MSG("Unknown PKCS12 cert bag type");
1721                    }
1722
1723                    if (size + (int)idx > bagSz) {
1724                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
1725                    }
1726
1727                    /* list to hold all certs found */
1728                    node = (WC_DerCertList*)XMALLOC(sizeof(WC_DerCertList),
1729                                               pkcs12->heap, DYNAMIC_TYPE_PKCS);
1730                    if (node == NULL) {
1731                        ERROR_OUT(MEMORY_E, exit_pk12par);
1732                    }
1733                    XMEMSET(node, 0, sizeof(WC_DerCertList));
1734
1735                    node->buffer = (byte*)XMALLOC((size_t)size, pkcs12->heap,
1736                                                             DYNAMIC_TYPE_PKCS);
1737                    if (node->buffer == NULL) {
1738                        XFREE(node, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1739                        ERROR_OUT(MEMORY_E, exit_pk12par);
1740                    }
1741                    XMEMCPY(node->buffer, data + idx, (size_t)size);
1742                    node->bufferSz = (word32)size;
1743
1744                    /* put the new node into the list */
1745                    if (certList != NULL) {
1746                        WOLFSSL_MSG("Pushing new cert onto queue");
1747                        tailList->next = node;
1748                        tailList = node;
1749                    }
1750                    else {
1751                        certList = node;
1752                        tailList = node;
1753                    }
1754
1755                    /* on to next */
1756                    idx += (word32)size;
1757                }
1758                    break;
1759
1760                case WC_PKCS12_CrlBag: /* 670 */
1761                    WOLFSSL_MSG("PKCS12 CRL BAG not yet supported");
1762                    break;
1763
1764                case WC_PKCS12_SecretBag: /* 671 */
1765                    WOLFSSL_MSG("PKCS12 Secret BAG not yet supported");
1766                    break;
1767
1768                case WC_PKCS12_SafeContentsBag: /* 672 */
1769                    WOLFSSL_MSG("PKCS12 Safe Contents BAG not yet supported");
1770                    break;
1771
1772                default:
1773                    WOLFSSL_MSG("Unknown PKCS12 BAG type found");
1774            }
1775
1776            /* Attribute, unknown bag or unsupported */
1777            if ((int)idx < bagSz) {
1778                idx = (word32)bagSz; /* skip for now */
1779            }
1780        }
1781
1782        /* free temporary buffer */
1783        XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1784        buf = NULL;
1785
1786        ci = ci->next;
1787        WOLFSSL_MSG("Done Parsing PKCS12 Content Info Container");
1788    }
1789
1790    /* check if key pair, remove from list */
1791    if (*pkey != NULL) {
1792        ret = freeDecCertList(&certList, pkey, pkeySz, cert, certSz,
1793                              pkcs12->heap);
1794        if (ret < 0)
1795            goto exit_pk12par;
1796    }
1797
1798    /* if ca arg provided return certList, otherwise free it */
1799    if (ca != NULL) {
1800        *ca = certList;
1801    }
1802    else {
1803        /* free list, not wanted */
1804        wc_FreeCertList(certList, pkcs12->heap);
1805    }
1806    (void)tailList; /* not used */
1807
1808    ret = 0; /* success */
1809
1810exit_pk12par:
1811
1812    if (ret != 0) {
1813        /* failure cleanup */
1814        if (*pkey) {
1815            ForceZero(*pkey, *pkeySz);
1816            XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
1817            *pkey = NULL;
1818        }
1819        XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1820        buf = NULL;
1821
1822        wc_FreeCertList(certList, pkcs12->heap);
1823    }
1824
1825    return ret;
1826}
1827
1828
1829/* Helper function to get parameters for key and cert encryptions */
1830static int wc_PKCS12_get_enc_params(int inAlgo, int* vPKCS, int* outAlgo,
1831        int* blkOid, int* hmacOid)
1832{
1833    int ret = 0;
1834
1835    if (inAlgo == PBE_SHA1_RC4_128) {
1836        *vPKCS = 1;   /* PKCS#12 */
1837        *outAlgo = PBE_SHA1_RC4_128;
1838        *blkOid = 0;  /* Unused */
1839        *hmacOid = 0; /* Use SHA1 as default */
1840    }
1841    else if (inAlgo == PBE_SHA1_DES) {
1842        *vPKCS = PKCS5;
1843        *outAlgo = PBES1_SHA1_DES;
1844        *blkOid = 0;  /* Unused */
1845        *hmacOid = 0; /* Use SHA1 as default */
1846    }
1847    else if (inAlgo == PBE_SHA1_DES3) {
1848        *vPKCS = 1;   /* PKCS#12 */
1849        *outAlgo = PBE_SHA1_DES3;
1850        *blkOid = 0;  /* Unused */
1851        *hmacOid = 0; /* Use SHA1 as default */
1852    }
1853    else if (inAlgo == PBE_AES256_CBC) {
1854        *vPKCS = PKCS5;
1855        *outAlgo = PBES2;
1856        *blkOid = AES256CBCb;
1857        *hmacOid = HMAC_SHA256_OID;
1858    }
1859    else if (inAlgo == PBE_AES128_CBC) {
1860        *vPKCS = PKCS5;
1861        *outAlgo = PBES2;
1862        *blkOid = AES128CBCb;
1863        *hmacOid = HMAC_SHA256_OID;
1864    }
1865    else {
1866        WOLFSSL_MSG("Unsupported algorithm for PKCS12 encryption");
1867        ret = ALGO_ID_E;
1868    }
1869
1870    return ret;
1871}
1872
1873
1874/* Helper function to shroud keys.
1875 *
1876 * pkcs12 structure to use with shrouding key
1877 * rng    random number generator used
1878 * out    buffer to hold results
1879 * outSz  size of out buffer
1880 * key    key that is going to be shrouded
1881 * keySz  size of key buffer
1882 * vAlgo  algorithm version
1883 * pass   password to use
1884 * passSz size of pass buffer
1885 * itt    number of iterations
1886 *
1887 * returns the size of the shrouded key on success
1888 */
1889static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
1890        byte* out, word32* outSz, byte* key, word32 keySz, int vAlgo,
1891        const char* pass, int passSz, int itt)
1892{
1893    void* heap;
1894    word32 tmpIdx = 0;
1895    word32 sz;
1896    word32 totalSz = 0;
1897    int ret;
1898    byte* pkcs8Key = NULL;
1899    byte salt[PKCS5V2_SALT_SZ]; /* PKCS5V2_SALT_SZ > PKCS5_SALT_SZ */
1900    word32 saltSz = 0;
1901
1902    int vPKCS = -1;
1903    int outAlgo = -1;
1904    int blkOid = 0;
1905    int hmacOid = 0;
1906
1907    if (outSz == NULL || pkcs12 == NULL || rng == NULL || key == NULL ||
1908            pass == NULL) {
1909        return BAD_FUNC_ARG;
1910    }
1911
1912    heap = wc_PKCS12_GetHeap(pkcs12);
1913
1914    /* check if trying to get size */
1915    if (out != NULL) {
1916        tmpIdx += MAX_LENGTH_SZ + 1; /* save room for length and tag (+1) */
1917        sz = *outSz - tmpIdx;
1918        pkcs8Key = out + tmpIdx;
1919    }
1920
1921    /* case of no encryption */
1922    if (vAlgo < 0) {
1923        const byte* curveOID = NULL;
1924        word32 oidSz = 0;
1925        int algoID;
1926
1927        WOLFSSL_MSG("creating PKCS12 Key Bag");
1928
1929        /* check key type and get OID if ECC */
1930        if ((ret = wc_GetKeyOID(key, keySz, &curveOID, &oidSz, &algoID, heap))
1931                < 0) {
1932            return ret;
1933        }
1934
1935        /* PKCS#8 wrapping around key */
1936        ret = wc_CreatePKCS8Key(pkcs8Key, &sz, key, keySz, algoID, curveOID,
1937                oidSz);
1938    }
1939    else {
1940        WOLFSSL_MSG("creating PKCS12 Shrouded Key Bag");
1941
1942        if ((ret = wc_PKCS12_get_enc_params(vAlgo, &vPKCS, &outAlgo, &blkOid,
1943                &hmacOid)) < 0) {
1944            return ret;
1945        }
1946        saltSz = (outAlgo != PBES2) ? PKCS5_SALT_SZ : PKCS5V2_SALT_SZ;
1947        if ((ret = wc_RNG_GenerateBlock(rng, salt, saltSz)) < 0) {
1948            return ret;
1949        }
1950
1951        ret = TraditionalEnc_ex(key, keySz, pkcs8Key, &sz, pass, passSz,
1952                vPKCS, outAlgo, blkOid, salt, saltSz, itt, hmacOid, rng, heap);
1953    }
1954    if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
1955        *outSz =  sz + MAX_LENGTH_SZ + 1;
1956        return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
1957    }
1958    if (ret < 0) {
1959        return ret;
1960    }
1961
1962    totalSz += (word32)ret;
1963
1964    /* out should not be null at this point but check before writing */
1965    if (out == NULL) {
1966        return BAD_FUNC_ARG;
1967    }
1968
1969    /* rewind index and set tag and length */
1970    tmpIdx -= MAX_LENGTH_SZ + 1;
1971    sz = (word32)SetExplicit(0, (word32)ret, out + tmpIdx, 0);
1972    tmpIdx += sz; totalSz += sz;
1973    XMEMMOVE(out + tmpIdx, out + MAX_LENGTH_SZ + 1, (size_t)ret);
1974
1975    return (int)totalSz;
1976}
1977
1978
1979/* Helper function to create key bag.
1980 *
1981 * pkcs12 structure to use with key bag
1982 * rng    random number generator used
1983 * out    buffer to hold results
1984 * outSz  size of out buffer
1985 * key    key that is going into key bag
1986 * keySz  size of key buffer
1987 * algo   algorithm version
1988 * iter   number of iterations
1989 * pass   password to use
1990 * passSz size of pass buffer
1991 *
1992 * returns the size of the key bag on success
1993 */
1994static int wc_PKCS12_create_key_bag(WC_PKCS12* pkcs12, WC_RNG* rng,
1995        byte* out, word32* outSz, byte* key, word32 keySz, int algo, int iter,
1996        char* pass, int passSz)
1997{
1998    void* heap;
1999    byte* tmp;
2000    word32 length  = 0;
2001    word32 idx     = 0;
2002    word32 totalSz = 0;
2003    word32 sz;
2004    word32 i;
2005    word32 tmpSz;
2006    word32 tmpAllocSz;
2007    int ret;
2008
2009    /* get max size for shrouded key */
2010    ret =  wc_PKCS12_shroud_key(pkcs12, rng, NULL, &length, key, keySz,
2011            algo, pass, passSz, iter);
2012    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E) && ret < 0) {
2013        return ret;
2014    }
2015
2016    if (out == NULL) {
2017        *outSz = MAX_SEQ_SZ + WC_PKCS12_DATA_OBJ_SZ + 1 + MAX_LENGTH_SZ +
2018            length;
2019        return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
2020    }
2021
2022    heap = wc_PKCS12_GetHeap(pkcs12);
2023
2024    /* leave room for sequence */
2025    idx += MAX_SEQ_SZ;
2026
2027    if (algo < 0) { /* not encrypted */
2028        out[idx++] = ASN_OBJECT_ID; totalSz++;
2029        sz = SetLength(sizeof(WC_PKCS12_KeyBag_OID), out + idx);
2030        idx += sz; totalSz += sz;
2031        for (i = 0; i < sizeof(WC_PKCS12_KeyBag_OID); i++) {
2032            out[idx++] = WC_PKCS12_KeyBag_OID[i]; totalSz++;
2033        }
2034    }
2035    else { /* encrypted */
2036        out[idx++] = ASN_OBJECT_ID; totalSz++;
2037        sz = SetLength(sizeof(WC_PKCS12_ShroudedKeyBag_OID), out + idx);
2038        idx += sz; totalSz += sz;
2039        for (i = 0; i < sizeof(WC_PKCS12_ShroudedKeyBag_OID); i++) {
2040            out[idx++] = WC_PKCS12_ShroudedKeyBag_OID[i]; totalSz++;
2041        }
2042    }
2043
2044    /* shroud key */
2045    tmpAllocSz = length;
2046    tmp = (byte*)XMALLOC(length, heap, DYNAMIC_TYPE_TMP_BUFFER);
2047    if (tmp == NULL) {
2048        return MEMORY_E;
2049    }
2050
2051    ret =  wc_PKCS12_shroud_key(pkcs12, rng, tmp, &length, key, keySz,
2052            algo, pass, passSz, iter);
2053    if (ret < 0) {
2054        ForceZero(tmp, tmpAllocSz);
2055        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
2056        return ret;
2057    }
2058    length = (word32)ret;
2059    XMEMCPY(out + idx, tmp, (size_t)length);
2060    ForceZero(tmp, tmpAllocSz);
2061    XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
2062    totalSz += length;
2063
2064    /* set beginning sequence */
2065    tmpSz = SetSequence(totalSz, out);
2066    XMEMMOVE(out + tmpSz, out + MAX_SEQ_SZ, totalSz);
2067
2068    (void)heap;
2069    return (int)(totalSz + tmpSz);
2070}
2071
2072
2073/* Helper function to create cert bag.
2074 *
2075 * pkcs12 structure to use with cert bag
2076 * out    buffer to hold results
2077 * outSz  size of out buffer
2078 * cert   cert that is going into cert bag
2079 * certSz size of cert buffer
2080 *
2081 * returns the size of the cert bag on success
2082 */
2083static int wc_PKCS12_create_cert_bag(WC_PKCS12* pkcs12,
2084        byte* out, word32* outSz, byte* cert, word32 certSz)
2085{
2086    word32 length = 0;
2087    word32 idx = 0;
2088    word32 totalSz = 0;
2089    word32 sz;
2090    int WC_CERTBAG_OBJECT_ID  = 13;
2091    int WC_CERTBAG1_OBJECT_ID = 12;
2092    word32 i;
2093    word32 tmpSz;
2094
2095    if (out == NULL) {
2096        *outSz = (word32)(MAX_SEQ_SZ + WC_CERTBAG_OBJECT_ID + 1 + MAX_LENGTH_SZ +
2097            MAX_SEQ_SZ + WC_CERTBAG1_OBJECT_ID + 1 + MAX_LENGTH_SZ + 1 +
2098            MAX_LENGTH_SZ + (int)certSz);
2099        return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
2100    }
2101
2102    /* check buffer size able to handle max size */
2103    if (*outSz < (word32)(MAX_SEQ_SZ + WC_CERTBAG_OBJECT_ID + 1 + MAX_LENGTH_SZ +
2104            MAX_SEQ_SZ + WC_CERTBAG1_OBJECT_ID + 1 + MAX_LENGTH_SZ + 1 +
2105            MAX_LENGTH_SZ + (int)certSz)) {
2106        return BUFFER_E;
2107    }
2108
2109    /* save room for sequence */
2110    idx += MAX_SEQ_SZ;
2111
2112    /* objectId WC_PKCS12_CertBag */
2113    out[idx++] = ASN_OBJECT_ID; totalSz++;
2114    sz = SetLength(sizeof(WC_PKCS12_CertBag_OID), out + idx);
2115    idx += sz; totalSz += sz;
2116    for (i = 0; i < sizeof(WC_PKCS12_CertBag_OID); i++) {
2117        out[idx++] = WC_PKCS12_CertBag_OID[i]; totalSz++;
2118    }
2119
2120    /**** Cert Bag type 1 ****/
2121    out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC); totalSz++;
2122
2123    /* save room for length and sequence */
2124    idx += MAX_LENGTH_SZ;
2125    idx += MAX_SEQ_SZ;
2126
2127    /* object id WC_PKCS12_CertBag_Type1 */
2128    out[idx++] = ASN_OBJECT_ID; length++;
2129    sz = SetLength(sizeof(WC_PKCS12_CertBag_Type1_OID), out + idx);
2130    idx += sz; length += sz;
2131    for (i = 0; i < sizeof(WC_PKCS12_CertBag_Type1_OID); i++) {
2132        out[idx++] = WC_PKCS12_CertBag_Type1_OID[i]; length++;
2133    }
2134
2135    out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC); length++;
2136    sz = 0;
2137    idx += MAX_LENGTH_SZ; /* save room for length */
2138
2139    /* place the cert in the buffer */
2140    out[idx++] = ASN_OCTET_STRING; sz++;
2141    tmpSz = SetLength(certSz, out + idx);
2142    idx += tmpSz; sz += tmpSz;
2143    XMEMCPY(out + idx, cert, certSz);
2144    idx += certSz; sz += certSz;
2145
2146    /* rewind idx and place length */
2147    idx -= (sz + MAX_LENGTH_SZ);
2148    tmpSz = SetLength(sz, out + idx);
2149    XMEMMOVE(out + idx + tmpSz, out + idx + MAX_LENGTH_SZ, sz);
2150    idx += tmpSz + sz; length += tmpSz + sz;
2151
2152    /* rewind idx and set sequence */
2153    idx -= (length + MAX_SEQ_SZ);
2154    tmpSz = SetSequence(length, out + idx);
2155    XMEMMOVE(out + idx + tmpSz, out + idx + MAX_SEQ_SZ, length);
2156    length += tmpSz;
2157
2158    /* place final length */
2159    idx -= MAX_LENGTH_SZ;
2160    tmpSz = SetLength(length, out + idx);
2161    XMEMMOVE(out + idx + tmpSz, out + idx + MAX_LENGTH_SZ, length);
2162    length += tmpSz;
2163
2164    /* place final sequence */
2165    totalSz += length;
2166    tmpSz = SetSequence(totalSz, out);
2167    XMEMMOVE(out + tmpSz, out + MAX_SEQ_SZ, totalSz);
2168
2169    (void)pkcs12;
2170
2171    return (int)(totalSz + tmpSz);
2172}
2173
2174
2175/* Helper function to encrypt content.
2176 *
2177 * pkcs12    structure to use with key bag
2178 * rng       random number generator used
2179 * out       buffer to hold results
2180 * outSz     size of out buffer
2181 * content   content to encrypt
2182 * contentSz size of content buffer
2183 * vAlgo     algorithm version
2184 * pass      password to use
2185 * passSz    size of pass buffer
2186 * iter      number of iterations
2187 * type      content type i.e WC_PKCS12_ENCRYPTED_DATA or WC_PKCS12_DATA
2188 *
2189 * returns the size of result on success
2190 */
2191static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng,
2192        byte* out, word32* outSz, byte* content, word32 contentSz, int vAlgo,
2193        const char* pass, int passSz, int iter, int type)
2194{
2195    void* heap;
2196    int ret;
2197    byte*  tmp;
2198    word32 idx = 0;
2199    word32 totalSz = 0;
2200    word32 length = 0;
2201    word32 tmpSz;
2202    word32 encSz;
2203
2204    int vPKCS = -1;
2205    int outAlgo = -1;
2206    int blkOid = 0;
2207    int hmacOid = 0;
2208
2209    byte seq[MAX_SEQ_SZ];
2210
2211    WOLFSSL_MSG("encrypting PKCS12 content");
2212
2213    heap = wc_PKCS12_GetHeap(pkcs12);
2214
2215    /* ENCRYPTED DATA
2216     * ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC
2217     * length
2218     * sequence
2219     * short int
2220     * sequence
2221     * get object id */
2222    if (type == WC_PKCS12_ENCRYPTED_DATA) {
2223        word32 outerSz = 0;
2224
2225        if ((ret = wc_PKCS12_get_enc_params(vAlgo, &vPKCS, &outAlgo, &blkOid,
2226                &hmacOid)) < 0) {
2227            return ret;
2228        }
2229
2230        encSz = contentSz;
2231        if ((ret = EncryptContent(NULL, contentSz, NULL, &encSz,
2232                   pass, passSz, vPKCS, outAlgo, blkOid, NULL, 0, iter, hmacOid,
2233                   rng, heap)) < 0) {
2234            if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
2235                return ret;
2236            }
2237        }
2238
2239        /* calculate size */
2240        totalSz  = (word32)SetObjectId(sizeof(WC_PKCS12_ENCRYPTED_OID), seq);
2241        totalSz += (word32)sizeof(WC_PKCS12_ENCRYPTED_OID);
2242        totalSz += ASN_TAG_SZ;
2243
2244        length  = (word32)SetMyVersion(0, seq, 0);
2245        tmpSz   = (word32)SetObjectId(sizeof(WC_PKCS12_DATA_OID), seq);
2246        tmpSz  += (word32)sizeof(WC_PKCS12_DATA_OID);
2247        tmpSz  += encSz;
2248        length += SetSequence(tmpSz, seq) + tmpSz;
2249        outerSz = SetSequence(length, seq) + length;
2250
2251        totalSz += SetLength(outerSz, seq) + outerSz;
2252        if (out == NULL) {
2253            *outSz = totalSz + SetSequence(totalSz, seq);
2254            return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
2255        }
2256
2257        if (*outSz < totalSz + SetSequence(totalSz, seq)) {
2258            return BUFFER_E;
2259        }
2260
2261        idx = 0;
2262        idx += SetSequence(totalSz, out + idx);
2263        idx += (word32)SetObjectId(sizeof(WC_PKCS12_ENCRYPTED_OID), out + idx);
2264        if (idx + sizeof(WC_PKCS12_ENCRYPTED_OID) > *outSz){
2265            return BUFFER_E;
2266        }
2267        XMEMCPY(out + idx, WC_PKCS12_ENCRYPTED_OID,
2268                sizeof(WC_PKCS12_ENCRYPTED_OID));
2269        idx += (word32)sizeof(WC_PKCS12_ENCRYPTED_OID);
2270
2271        if (idx + 1 > *outSz){
2272            return BUFFER_E;
2273        }
2274        out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC);
2275        idx += SetLength(outerSz, out + idx);
2276
2277        idx += SetSequence(length, out + idx);
2278        idx += (word32)SetMyVersion(0, out + idx, 0);
2279        tmp = (byte*)XMALLOC(encSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
2280        if (tmp == NULL) {
2281            return MEMORY_E;
2282        }
2283
2284        if ((ret = EncryptContent(content, contentSz, tmp, &encSz,
2285                   pass, passSz, vPKCS, outAlgo, blkOid, NULL, 0, iter, hmacOid,
2286                   rng, heap)) < 0) {
2287            XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
2288            return ret;
2289        }
2290        encSz = (word32)ret;
2291
2292        #ifdef WOLFSSL_DEBUG_PKCS12
2293        {
2294            byte* p;
2295            for (printf("(size %u) Encrypted Content = ", encSz),
2296                    p = (byte*)tmp;
2297                p < (byte*)tmp + encSz;
2298                printf("%02X", *p), p++);
2299            printf("\n");
2300        }
2301        #endif
2302
2303        idx += SetSequence(WC_PKCS12_DATA_OBJ_SZ + encSz, out + idx);
2304        idx += (word32)SetObjectId(sizeof(WC_PKCS12_DATA_OID), out + idx);
2305        if (idx + sizeof(WC_PKCS12_DATA_OID) > *outSz){
2306            WOLFSSL_MSG("Buffer not large enough for DATA OID");
2307            XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
2308            return BUFFER_E;
2309        }
2310        XMEMCPY(out + idx, WC_PKCS12_DATA_OID, sizeof(WC_PKCS12_DATA_OID));
2311        idx += (word32)sizeof(WC_PKCS12_DATA_OID);
2312
2313        /* copy over encrypted data */
2314        if (idx + encSz > *outSz){
2315            XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
2316            return BUFFER_E;
2317        }
2318        XMEMCPY(out + idx, tmp, encSz);
2319        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
2320        idx += encSz;
2321        return (int)idx;
2322    }
2323
2324    /* DATA
2325     * ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC
2326     * length
2327     * ASN_OCTET_STRING
2328     * length
2329     * sequence containing all bags */
2330    if (type == WC_PKCS12_DATA) {
2331        /* calculate size */
2332        totalSz = (word32)SetObjectId(sizeof(WC_PKCS12_DATA_OID), seq);
2333        totalSz += (word32)sizeof(WC_PKCS12_DATA_OID);
2334        totalSz += ASN_TAG_SZ;
2335
2336        length   = SetOctetString(contentSz, seq);
2337        length  += contentSz;
2338        totalSz += SetLength(length, seq);
2339        totalSz += length;
2340
2341        if (out == NULL) {
2342            *outSz = totalSz + SetSequence(totalSz, seq);
2343            return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
2344        }
2345
2346        if (*outSz < (totalSz + SetSequence(totalSz, seq))) {
2347            return BUFFER_E;
2348        }
2349
2350        /* place data in output buffer */
2351        idx  = 0;
2352        idx += SetSequence(totalSz, out);
2353        idx += (word32)SetObjectId(sizeof(WC_PKCS12_DATA_OID), out + idx);
2354        if (idx + sizeof(WC_PKCS12_DATA_OID) > *outSz){
2355            WOLFSSL_MSG("Buffer not large enough for DATA OID");
2356            return BUFFER_E;
2357        }
2358        XMEMCPY(out + idx, WC_PKCS12_DATA_OID, sizeof(WC_PKCS12_DATA_OID));
2359        idx += (word32)sizeof(WC_PKCS12_DATA_OID);
2360
2361        if (idx + 1 > *outSz){
2362            return BUFFER_E;
2363        }
2364        out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC);
2365        idx += SetLength(length, out + idx);
2366        idx += SetOctetString(contentSz, out + idx);
2367
2368        if (idx + contentSz > *outSz){
2369            return BUFFER_E;
2370        }
2371        XMEMCPY(out + idx, content, contentSz);
2372        idx += contentSz;
2373
2374        return (int)idx;
2375    }
2376
2377    WOLFSSL_MSG("Unknown/Unsupported content type");
2378    return BAD_FUNC_ARG;
2379}
2380
2381
2382/* helper function to create the PKCS12 key content
2383 * keyCiSz is output buffer size
2384 * returns a pointer to be free'd by caller on success and NULL on failure */
2385static byte* PKCS12_create_key_content(WC_PKCS12* pkcs12, int nidKey,
2386        word32* keyCiSz, WC_RNG* rng, char* pass, word32 passSz,
2387        byte* key, word32 keySz, int iter)
2388{
2389    byte*  keyBuf;
2390    word32 keyBufSz = 0;
2391    word32 keyBufAllocSz = 0;
2392    byte* keyCi = NULL;
2393    word32 tmpSz;
2394    int ret;
2395    int algo;
2396    void* heap;
2397
2398    heap = wc_PKCS12_GetHeap(pkcs12);
2399    *keyCiSz = 0;
2400    switch (nidKey) {
2401        /* supported key encryptions */
2402        case PBE_SHA1_RC4_128:
2403            algo = 1;
2404            break;
2405
2406        case PBE_SHA1_DES:
2407            algo = 2;
2408            break;
2409
2410        case PBE_SHA1_DES3:
2411            algo = 3;
2412            break;
2413
2414        case PBE_AES256_CBC:
2415            algo = PBE_AES256_CBC;
2416            break;
2417
2418        case PBE_AES128_CBC:
2419            algo = PBE_AES128_CBC;
2420            break;
2421
2422        case -1: /* no encryption */
2423            algo = -1;
2424            break;
2425
2426        default:
2427            WOLFSSL_MSG("Unknown/Unsupported key encryption");
2428            return NULL;
2429    }
2430
2431    /* get max size for key bag */
2432    ret = wc_PKCS12_create_key_bag(pkcs12, rng, NULL, &keyBufSz, key, keySz,
2433            algo, iter, pass, (int)passSz);
2434    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E) && ret < 0) {
2435        WOLFSSL_MSG("Error getting key bag size");
2436        return NULL;
2437    }
2438
2439    /* account for sequence around bag */
2440    keyBufSz += MAX_SEQ_SZ;
2441    keyBufAllocSz = keyBufSz;
2442    keyBuf = (byte*)XMALLOC(keyBufSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
2443    if (keyBuf == NULL) {
2444        WOLFSSL_MSG("Memory error creating keyBuf buffer");
2445        return NULL;
2446    }
2447
2448    ret = wc_PKCS12_create_key_bag(pkcs12, rng, keyBuf + MAX_SEQ_SZ, &keyBufSz,
2449            key, keySz, algo, iter, pass, (int)passSz);
2450    if (ret < 0) {
2451        ForceZero(keyBuf, keyBufAllocSz);
2452        XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2453        WOLFSSL_MSG("Error creating key bag");
2454        return NULL;
2455    }
2456    keyBufSz = (word32)ret;
2457
2458    tmpSz = SetSequence(keyBufSz, keyBuf);
2459    XMEMMOVE(keyBuf + tmpSz, keyBuf + MAX_SEQ_SZ, keyBufSz);
2460    keyBufSz += tmpSz;
2461
2462    #ifdef WOLFSSL_DEBUG_PKCS12
2463    {
2464        word32 i;
2465        printf("(size %u) Key Bag = ", keyBufSz);
2466        for (i = 0; i < keyBufSz; i++)
2467            printf("%02X", keyBuf[i]);
2468        printf("\n");
2469    }
2470    #endif
2471    ret = wc_PKCS12_encrypt_content(pkcs12, rng, NULL, keyCiSz,
2472            NULL, keyBufSz, algo, pass, (int)passSz, iter, WC_PKCS12_DATA);
2473    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
2474        ForceZero(keyBuf, keyBufAllocSz);
2475        XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2476        WOLFSSL_MSG("Error getting key encrypt content size");
2477        return NULL;
2478    }
2479    keyCi = (byte*)XMALLOC(*keyCiSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
2480    if (keyCi == NULL) {
2481        ForceZero(keyBuf, keyBufAllocSz);
2482        XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2483        return NULL;
2484    }
2485
2486    ret = wc_PKCS12_encrypt_content(pkcs12, rng, keyCi, keyCiSz,
2487            keyBuf, keyBufSz, algo, pass, (int)passSz, iter, WC_PKCS12_DATA);
2488    ForceZero(keyBuf, keyBufAllocSz);
2489    XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2490    if (ret < 0 ) {
2491        XFREE(keyCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
2492        WOLFSSL_MSG("Error creating key encrypt content");
2493        return NULL;
2494    }
2495    *keyCiSz = (word32)ret;
2496
2497    #ifdef WOLFSSL_DEBUG_PKCS12
2498    {
2499        word32 i;
2500        printf("(size %u) Key Content Info = ", *keyCiSz);
2501        for (i = 0; i < *keyCiSz; i++)
2502            printf("%02X", keyCi[i]);
2503        printf("\n");
2504    }
2505    #endif
2506
2507    (void)heap;
2508    return keyCi;
2509}
2510
2511
2512/* helper function to create the PKCS12 certificate content
2513 * certCiSz is output buffer size
2514 * returns a pointer to be free'd by caller on success and NULL on failure */
2515static byte* PKCS12_create_cert_content(WC_PKCS12* pkcs12, int nidCert,
2516        WC_DerCertList* ca, byte* cert, word32 certSz, word32* certCiSz,
2517        WC_RNG* rng, char* pass, word32 passSz, int iter)
2518{
2519    int algo;
2520    int ret;
2521    int type;
2522
2523    byte*  certBuf = NULL;
2524    word32 certBufSz;
2525    word32 idx;
2526    word32 sz;
2527    word32 tmpSz;
2528
2529    byte* certCi;
2530    void* heap;
2531
2532    heap = wc_PKCS12_GetHeap(pkcs12);
2533    switch (nidCert) {
2534        /* supported certificate encryptions */
2535        case PBE_SHA1_RC4_128:
2536            type = WC_PKCS12_ENCRYPTED_DATA;
2537            algo = 1;
2538            break;
2539
2540        case PBE_SHA1_DES:
2541            type = WC_PKCS12_ENCRYPTED_DATA;
2542            algo = 2;
2543            break;
2544
2545        case PBE_SHA1_DES3:
2546            type = WC_PKCS12_ENCRYPTED_DATA;
2547            algo = 3;
2548            break;
2549
2550        case PBE_AES256_CBC:
2551            type = WC_PKCS12_ENCRYPTED_DATA;
2552            algo = PBE_AES256_CBC;
2553            break;
2554
2555        case PBE_AES128_CBC:
2556            type = WC_PKCS12_ENCRYPTED_DATA;
2557            algo = PBE_AES128_CBC;
2558            break;
2559
2560        case -1: /* no encryption */
2561            type = WC_PKCS12_DATA;
2562            algo = -1;
2563            break;
2564
2565        default:
2566            WOLFSSL_MSG("Unknown/Unsupported certificate encryption");
2567            return NULL;
2568    }
2569
2570    /* get max size of buffer needed */
2571    ret = wc_PKCS12_create_cert_bag(pkcs12, NULL, &certBufSz, cert, certSz);
2572    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
2573        return NULL;
2574    }
2575
2576    if (ca != NULL) {
2577        WC_DerCertList* current = ca;
2578        word32 curBufSz = 0;
2579
2580        /* get max buffer size */
2581        while (current != NULL) {
2582            ret = wc_PKCS12_create_cert_bag(pkcs12, NULL, &curBufSz,
2583                    current->buffer, current->bufferSz);
2584            if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
2585                return NULL;
2586            }
2587            certBufSz += curBufSz;
2588            current    = current->next;
2589        }
2590    }
2591
2592    /* account for Sequence that holds all certificate bags */
2593    certBufSz += MAX_SEQ_SZ;
2594
2595    /* completed getting max size, now create buffer and start adding bags */
2596    certBuf = (byte*)XMALLOC(certBufSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
2597    if (certBuf == NULL) {
2598        WOLFSSL_MSG("Memory error creating certificate bags");
2599        return NULL;
2600    }
2601
2602    idx = 0;
2603    idx += MAX_SEQ_SZ;
2604
2605    sz = certBufSz - idx;
2606    if ((ret = wc_PKCS12_create_cert_bag(pkcs12, certBuf + idx, &sz,
2607            cert, certSz)) < 0) {
2608        XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2609        return NULL;
2610    }
2611    idx += (word32)ret;
2612
2613    if (ca != NULL) {
2614        WC_DerCertList* current = ca;
2615
2616        while (current != NULL) {
2617            sz = certBufSz - idx;
2618            if ((ret = wc_PKCS12_create_cert_bag(pkcs12, certBuf + idx, &sz,
2619               current->buffer, current->bufferSz)) < 0) {
2620                XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2621                return NULL;
2622            }
2623            idx += (word32)ret;
2624            current = current->next;
2625        }
2626    }
2627
2628    /* set sequence and create encrypted content with all certificate bags */
2629    tmpSz = SetSequence(idx - MAX_SEQ_SZ, certBuf);
2630    XMEMMOVE(certBuf + tmpSz, certBuf + MAX_SEQ_SZ, idx - MAX_SEQ_SZ);
2631    certBufSz = tmpSz + (idx - MAX_SEQ_SZ);
2632
2633    /* get buffer size needed for content info */
2634    ret = wc_PKCS12_encrypt_content(pkcs12, rng, NULL, certCiSz,
2635            NULL, certBufSz, algo, pass, (int)passSz, iter, type);
2636    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
2637        XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2638        WOLFSSL_LEAVE("wc_PKCS12_create()", ret);
2639        return NULL;
2640    }
2641    certCi = (byte*)XMALLOC(*certCiSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
2642    if (certCi == NULL) {
2643        XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2644        return NULL;
2645    }
2646
2647    ret = wc_PKCS12_encrypt_content(pkcs12, rng, certCi, certCiSz,
2648            certBuf, certBufSz, algo, pass, (int)passSz, iter, type);
2649    XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
2650    if (ret < 0) {
2651        WOLFSSL_LEAVE("wc_PKCS12_create()", ret);
2652        XFREE(certCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
2653        return NULL;
2654    }
2655    *certCiSz = (word32)ret;
2656
2657    #ifdef WOLFSSL_DEBUG_PKCS12
2658    {
2659        word32 i;
2660        printf("(size %u) Encrypted Certificate Content Info = ", *certCiSz);
2661        for (i = 0; i < *certCiSz; i++)
2662            printf("%02X", certCi[i]);
2663        printf("\n");
2664    }
2665    #endif
2666
2667    (void)heap;
2668    return certCi;
2669}
2670
2671
2672/* helper function to create the PKCS12 safe
2673 * returns 0 on success */
2674static int PKCS12_create_safe(WC_PKCS12* pkcs12, byte* certCi, word32 certCiSz,
2675        byte* keyCi, word32 keyCiSz, WC_RNG* rng, char* pass, word32 passSz,
2676        int iter)
2677{
2678    int length;
2679    int ret;
2680    byte seq[MAX_SEQ_SZ];
2681    word32 safeDataSz;
2682    word32 innerDataSz;
2683    byte *innerData = NULL;
2684    byte *safeData  = NULL;
2685    word32 idx;
2686
2687    innerDataSz = certCiSz + keyCiSz+SetSequence(certCiSz + keyCiSz, seq);
2688
2689    /* add Content Info structs to safe, key first then cert */
2690    ret = wc_PKCS12_encrypt_content(pkcs12, rng, NULL, &safeDataSz,
2691            NULL, innerDataSz, 0, NULL, 0, 0, WC_PKCS12_DATA);
2692    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
2693        return ret;
2694    }
2695
2696    safeData = (byte*)XMALLOC(safeDataSz, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
2697    if (safeData == NULL) {
2698        WOLFSSL_MSG("Error malloc'ing safe data buffer");
2699        return MEMORY_E;
2700    }
2701
2702    /* create sequence of inner data */
2703    innerData = (byte*)XMALLOC(innerDataSz, pkcs12->heap, DYNAMIC_TYPE_PKCS);
2704    if (innerData == NULL) {
2705        WOLFSSL_MSG("Error malloc'ing inner data buffer");
2706        XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
2707        return MEMORY_E;
2708    }
2709    idx  = 0;
2710    idx += SetSequence(certCiSz + keyCiSz, innerData);
2711    XMEMCPY(innerData + idx, certCi, certCiSz);
2712    XMEMCPY(innerData + idx + certCiSz, keyCi, keyCiSz);
2713
2714    ret = wc_PKCS12_encrypt_content(pkcs12, rng, safeData, &safeDataSz,
2715            innerData, innerDataSz, 0, pass, (int)passSz, iter, WC_PKCS12_DATA);
2716    XFREE(innerData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
2717    if (ret < 0 ) {
2718        WOLFSSL_MSG("Error setting data type for safe contents");
2719        XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
2720        return ret;
2721    }
2722    idx = 0;
2723
2724    ret = GetSequence(safeData, &idx, &length, safeDataSz);
2725    if (ret < 0) {
2726        WOLFSSL_MSG("Error getting first sequence of safe");
2727        XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
2728        return ret;
2729    }
2730
2731    ret = GetSafeContent(pkcs12, safeData, &idx, safeDataSz);
2732    XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
2733    if (ret < 0) {
2734        WOLFSSL_MSG("Unable to create safe contents");
2735        return ret;
2736    }
2737    return 0;
2738}
2739
2740
2741/*
2742 * pass : password to use with encryption
2743 * passSz : size of the password buffer
2744 * name : friendlyName to use
2745 * key  : DER format of key
2746 * keySz : size of key buffer
2747 * cert : DER format of certificate
2748 * certSz : size of the certificate buffer
2749 * ca   : a list of extra certificates
2750 * nidKey  : type of encryption to use on the key (-1 means no encryption)
2751 * nidCert : type of encryption to use on the certificate
2752 *           (-1 means no encryption)
2753 * iter    : number of iterations with encryption
2754 * macIter : number of iterations when creating MAC
2755 * keyType : flag for signature and/or encryption key
2756 * heap : pointer to allocate from memory
2757 *
2758 * returns a pointer to a new WC_PKCS12 structure on success and NULL if failed
2759 */
2760WC_PKCS12* wc_PKCS12_create(char* pass, word32 passSz, char* name,
2761        byte* key, word32 keySz, byte* cert, word32 certSz, WC_DerCertList* ca,
2762        int nidKey, int nidCert, int iter, int macIter, int keyType, void* heap)
2763{
2764    WC_PKCS12* pkcs12;
2765    WC_RNG     rng;
2766    int ret;
2767
2768    byte*  certCi = NULL;
2769    byte*  keyCi  = NULL;
2770    word32 certCiSz;
2771    word32 keyCiSz;
2772
2773    WOLFSSL_ENTER("wc_PKCS12_create");
2774
2775    if (wc_InitRng_ex(&rng, heap, INVALID_DEVID) != 0) {
2776        return NULL;
2777    }
2778
2779    if ((pkcs12 = wc_PKCS12_new_ex(heap)) == NULL) {
2780        wc_FreeRng(&rng);
2781        WOLFSSL_LEAVE("wc_PKCS12_create", MEMORY_E);
2782        return NULL;
2783    }
2784
2785    if (iter <= 0) {
2786        iter = WC_PKCS12_ITT_DEFAULT;
2787    }
2788
2789    /**** add private key bag ****/
2790    keyCi = PKCS12_create_key_content(pkcs12, nidKey, &keyCiSz, &rng,
2791            pass, passSz, key, keySz, iter);
2792    if (keyCi == NULL) {
2793        wc_PKCS12_free(pkcs12);
2794        wc_FreeRng(&rng);
2795        return NULL;
2796    }
2797
2798    /**** add main certificate bag and extras ****/
2799    certCi = PKCS12_create_cert_content(pkcs12, nidCert, ca, cert, certSz,
2800            &certCiSz, &rng, pass, passSz, iter);
2801    if (certCi == NULL) {
2802        XFREE(keyCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
2803        wc_PKCS12_free(pkcs12);
2804        wc_FreeRng(&rng);
2805        return NULL;
2806    }
2807
2808    /**** create safe and Content Info ****/
2809    ret = PKCS12_create_safe(pkcs12, certCi, certCiSz, keyCi, keyCiSz, &rng,
2810            pass, passSz, iter);
2811    XFREE(keyCi,  heap, DYNAMIC_TYPE_TMP_BUFFER);
2812    XFREE(certCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
2813    if (ret != 0) {
2814        WOLFSSL_MSG("Unable to create PKCS12 safe");
2815        wc_PKCS12_free(pkcs12);
2816        wc_FreeRng(&rng);
2817        return NULL;
2818    }
2819
2820    /* create MAC */
2821    if (macIter > 0) {
2822        MacData* mac;
2823        byte digest[WC_MAX_DIGEST_SIZE]; /* for MAC */
2824
2825        mac = (MacData*)XMALLOC(sizeof(MacData), heap, DYNAMIC_TYPE_PKCS);
2826        if (mac == NULL) {
2827            wc_PKCS12_free(pkcs12);
2828            wc_FreeRng(&rng);
2829            WOLFSSL_MSG("Error malloc'ing mac data buffer");
2830            return NULL;
2831        }
2832        XMEMSET(mac, 0, sizeof(MacData));
2833        pkcs12->signData = mac; /* now wc_PKCS12_free will free all mac too */
2834
2835        #ifndef NO_SHA256
2836            mac->oid = SHA256h;
2837        #elif !defined(NO_SHA)
2838            mac->oid = SHA;
2839        #elif defined(WOLFSSL_SHA384)
2840            mac->oid = SHA384;
2841        #elif defined(WOLFSSL_SHA512)
2842            mac->oid = SHA512;
2843        #else
2844            WOLFSSL_MSG("No supported hash algorithm compiled in!");
2845            wc_PKCS12_free(pkcs12);
2846            wc_FreeRng(&rng);
2847            return NULL;
2848        #endif
2849
2850        /* store number of iterations */
2851        mac->itt = macIter;
2852
2853        /* set mac salt */
2854        mac->saltSz = WC_PKCS12_MAC_SALT_SZ;
2855        mac->salt = (byte*)XMALLOC(WC_PKCS12_MAC_SALT_SZ, heap,
2856                DYNAMIC_TYPE_PKCS);
2857        if (mac->salt == NULL) {
2858            wc_PKCS12_free(pkcs12);
2859            wc_FreeRng(&rng);
2860            WOLFSSL_MSG("Error malloc'ing salt data buffer");
2861            return NULL;
2862        }
2863
2864        if (wc_RNG_GenerateBlock(&rng, mac->salt, mac->saltSz) != 0) {
2865            WOLFSSL_MSG("Error generating random salt");
2866            wc_PKCS12_free(pkcs12);
2867            wc_FreeRng(&rng);
2868            return NULL;
2869        }
2870        ret = wc_PKCS12_create_mac(pkcs12, pkcs12->safe->data,
2871                pkcs12->safe->dataSz, (const byte*)pass, passSz, digest,
2872                WC_MAX_DIGEST_SIZE);
2873        if (ret < 0) {
2874            wc_PKCS12_free(pkcs12);
2875            wc_FreeRng(&rng);
2876            WOLFSSL_MSG("Error creating mac");
2877            WOLFSSL_LEAVE("wc_PKCS12_create", ret);
2878            return NULL;
2879        }
2880
2881        mac->digestSz = (word32)ret;
2882        mac->digest = (byte*)XMALLOC((size_t)ret, heap, DYNAMIC_TYPE_PKCS);
2883        if (mac->digest == NULL) {
2884            WOLFSSL_MSG("Error malloc'ing mac digest buffer");
2885            wc_PKCS12_free(pkcs12);
2886            wc_FreeRng(&rng);
2887            return NULL;
2888        }
2889        XMEMCPY(mac->digest, digest, mac->digestSz);
2890    }
2891    else {
2892        pkcs12->signData = NULL;
2893    }
2894
2895    wc_FreeRng(&rng);
2896    (void)name;
2897    (void)keyType;
2898
2899    return pkcs12;
2900}
2901
2902
2903/* if using a specific memory heap */
2904int wc_PKCS12_SetHeap(WC_PKCS12* pkcs12, void* heap)
2905{
2906    if (pkcs12 == NULL) {
2907        return BAD_FUNC_ARG;
2908    }
2909    pkcs12->heap = heap;
2910
2911    return 0;
2912}
2913
2914
2915/* getter for heap */
2916void* wc_PKCS12_GetHeap(WC_PKCS12* pkcs12)
2917{
2918    if (pkcs12 == NULL) {
2919        return NULL;
2920    }
2921
2922    return pkcs12->heap;
2923}
2924
2925#undef ERROR_OUT
2926
2927#endif /* HAVE_PKCS12 && !NO_ASN && !NO_PWDBASED && !NO_HMAC */