mirror of https://github.com/wolfSSL/wolfssl.git
Merge pull request #8859 from kojiws/clarify_supported_pkcs12_enc_algos
Clarify supported encryption algorithms on wc_PKCS12_create()pull/8865/head
JacobBarthelmeh
GitHub
commit
4ae8ca03ac
|
|
@ -19069,6 +19069,14 @@ static int test_wc_PKCS12_create_once(int keyEncType, int certEncType)
|
||||||
static int test_wc_PKCS12_create(void)
|
static int test_wc_PKCS12_create(void)
|
||||||
{
|
{
|
||||||
EXPECT_DECLS;
|
EXPECT_DECLS;
|
||||||
|
|
||||||
|
EXPECT_TEST(test_wc_PKCS12_create_once(-1, -1));
|
||||||
|
#if !defined(NO_RC4) && !defined(NO_SHA)
|
||||||
|
EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_RC4_128, PBE_SHA1_RC4_128));
|
||||||
|
#endif
|
||||||
|
#if !defined(NO_DES3) && !defined(NO_SHA)
|
||||||
|
EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_DES, PBE_SHA1_DES));
|
||||||
|
#endif
|
||||||
#if !defined(NO_DES3) && !defined(NO_SHA)
|
#if !defined(NO_DES3) && !defined(NO_SHA)
|
||||||
EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_DES3, PBE_SHA1_DES3));
|
EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_DES3, PBE_SHA1_DES3));
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -1760,6 +1760,51 @@ exit_pk12par:
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Helper function to get parameters for key and cert encryptions */
|
||||||
|
static int wc_PKCS12_get_enc_params(int inAlgo, int* vPKCS, int* outAlgo,
|
||||||
|
int* blkOid, int* hmacOid)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
if (inAlgo == PBE_SHA1_RC4_128) {
|
||||||
|
*vPKCS = 1; /* PKCS#12 */
|
||||||
|
*outAlgo = PBE_SHA1_RC4_128;
|
||||||
|
*blkOid = 0; /* Unused */
|
||||||
|
*hmacOid = 0; /* Use SHA1 as default */
|
||||||
|
}
|
||||||
|
else if (inAlgo == PBE_SHA1_DES) {
|
||||||
|
*vPKCS = PKCS5;
|
||||||
|
*outAlgo = PBES1_SHA1_DES;
|
||||||
|
*blkOid = 0; /* Unused */
|
||||||
|
*hmacOid = 0; /* Use SHA1 as default */
|
||||||
|
}
|
||||||
|
else if (inAlgo == PBE_SHA1_DES3) {
|
||||||
|
*vPKCS = 1; /* PKCS#12 */
|
||||||
|
*outAlgo = PBE_SHA1_DES3;
|
||||||
|
*blkOid = 0; /* Unused */
|
||||||
|
*hmacOid = 0; /* Use SHA1 as default */
|
||||||
|
}
|
||||||
|
else if (inAlgo == PBE_AES256_CBC) {
|
||||||
|
*vPKCS = PKCS5;
|
||||||
|
*outAlgo = PBES2;
|
||||||
|
*blkOid = AES256CBCb;
|
||||||
|
*hmacOid = HMAC_SHA256_OID;
|
||||||
|
}
|
||||||
|
else if (inAlgo == PBE_AES128_CBC) {
|
||||||
|
*vPKCS = PKCS5;
|
||||||
|
*outAlgo = PBES2;
|
||||||
|
*blkOid = AES128CBCb;
|
||||||
|
*hmacOid = HMAC_SHA256_OID;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
WOLFSSL_MSG("Unsupported algorithm for PKCS12 encryption");
|
||||||
|
ret = ALGO_ID_E;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Helper function to shroud keys.
|
/* Helper function to shroud keys.
|
||||||
*
|
*
|
||||||
* pkcs12 structure to use with shrouding key
|
* pkcs12 structure to use with shrouding key
|
||||||
|
|
@ -1781,15 +1826,15 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
|
||||||
{
|
{
|
||||||
void* heap;
|
void* heap;
|
||||||
word32 tmpIdx = 0;
|
word32 tmpIdx = 0;
|
||||||
int vPKCS = 1; /* PKCS#12 default set to 1 */
|
|
||||||
word32 sz;
|
word32 sz;
|
||||||
word32 totalSz = 0;
|
word32 totalSz = 0;
|
||||||
int ret;
|
int ret;
|
||||||
byte* pkcs8Key = NULL;
|
byte* pkcs8Key = NULL;
|
||||||
|
|
||||||
/* The blkOid and hmacOid are only valid for PKCS#5v2 (PBES2) */
|
int vPKCS = -1;
|
||||||
|
int outAlgo = -1;
|
||||||
int blkOid = 0;
|
int blkOid = 0;
|
||||||
int hmacOid = 0; /* If 0, use the default HMAC algorithm */
|
int hmacOid = 0;
|
||||||
|
|
||||||
if (outSz == NULL || pkcs12 == NULL || rng == NULL || key == NULL ||
|
if (outSz == NULL || pkcs12 == NULL || rng == NULL || key == NULL ||
|
||||||
pass == NULL) {
|
pass == NULL) {
|
||||||
|
|
@ -1826,25 +1871,13 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
|
||||||
else {
|
else {
|
||||||
WOLFSSL_MSG("creating PKCS12 Shrouded Key Bag");
|
WOLFSSL_MSG("creating PKCS12 Shrouded Key Bag");
|
||||||
|
|
||||||
/* Need to handle PKCS#5v1/v2 (=non-PKCS#12v1) encryptions */
|
if ((ret = wc_PKCS12_get_enc_params(vAlgo, &vPKCS, &outAlgo, &blkOid,
|
||||||
if (vAlgo == PBE_SHA1_DES) {
|
&hmacOid)) < 0) {
|
||||||
vPKCS = PKCS5;
|
return ret;
|
||||||
vAlgo = 10;
|
|
||||||
}
|
|
||||||
else if (vAlgo == PBE_AES256_CBC) {
|
|
||||||
vPKCS = PKCS5;
|
|
||||||
vAlgo = PBES2;
|
|
||||||
blkOid = AES256CBCb;
|
|
||||||
hmacOid = HMAC_SHA256_OID;
|
|
||||||
}
|
|
||||||
else if (vAlgo == PBE_AES128_CBC) {
|
|
||||||
vPKCS = PKCS5;
|
|
||||||
vAlgo = PBES2;
|
|
||||||
blkOid = AES128CBCb;
|
|
||||||
hmacOid = HMAC_SHA256_OID;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = TraditionalEnc_ex(key, keySz, pkcs8Key, &sz, pass, passSz,
|
ret = TraditionalEnc_ex(key, keySz, pkcs8Key, &sz, pass, passSz,
|
||||||
vPKCS, vAlgo, blkOid, NULL, 0, itt, hmacOid, rng, heap);
|
vPKCS, outAlgo, blkOid, NULL, 0, itt, hmacOid, rng, heap);
|
||||||
}
|
}
|
||||||
if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
|
if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
|
||||||
*outSz = sz + MAX_LENGTH_SZ + 1;
|
*outSz = sz + MAX_LENGTH_SZ + 1;
|
||||||
|
|
@ -2084,7 +2117,6 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng,
|
||||||
const char* pass, int passSz, int iter, int type)
|
const char* pass, int passSz, int iter, int type)
|
||||||
{
|
{
|
||||||
void* heap;
|
void* heap;
|
||||||
int vPKCS = 1; /* PKCS#12 is always set to 1 */
|
|
||||||
int ret;
|
int ret;
|
||||||
byte* tmp;
|
byte* tmp;
|
||||||
word32 idx = 0;
|
word32 idx = 0;
|
||||||
|
|
@ -2092,6 +2124,9 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng,
|
||||||
word32 length = 0;
|
word32 length = 0;
|
||||||
word32 tmpSz;
|
word32 tmpSz;
|
||||||
word32 encSz;
|
word32 encSz;
|
||||||
|
|
||||||
|
int vPKCS = -1;
|
||||||
|
int outAlgo = -1;
|
||||||
int blkOid = 0;
|
int blkOid = 0;
|
||||||
int hmacOid = 0;
|
int hmacOid = 0;
|
||||||
|
|
||||||
|
|
@ -2111,23 +2146,14 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng,
|
||||||
if (type == WC_PKCS12_ENCRYPTED_DATA) {
|
if (type == WC_PKCS12_ENCRYPTED_DATA) {
|
||||||
word32 outerSz = 0;
|
word32 outerSz = 0;
|
||||||
|
|
||||||
/* Need to handle PKCS#5v1/v2 (=non-PKCS#12v1) encryptions */
|
if ((ret = wc_PKCS12_get_enc_params(vAlgo, &vPKCS, &outAlgo, &blkOid,
|
||||||
if (vAlgo == PBE_AES256_CBC) {
|
&hmacOid)) < 0) {
|
||||||
vPKCS = PKCS5;
|
return ret;
|
||||||
vAlgo = PBES2;
|
|
||||||
blkOid = AES256CBCb;
|
|
||||||
hmacOid = HMAC_SHA256_OID;
|
|
||||||
}
|
|
||||||
else if (vAlgo == PBE_AES128_CBC) {
|
|
||||||
vPKCS = PKCS5;
|
|
||||||
vAlgo = PBES2;
|
|
||||||
blkOid = AES128CBCb;
|
|
||||||
hmacOid = HMAC_SHA256_OID;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
encSz = contentSz;
|
encSz = contentSz;
|
||||||
if ((ret = EncryptContent(NULL, contentSz, NULL, &encSz,
|
if ((ret = EncryptContent(NULL, contentSz, NULL, &encSz,
|
||||||
pass, passSz, vPKCS, vAlgo, blkOid, NULL, 0, iter, hmacOid,
|
pass, passSz, vPKCS, outAlgo, blkOid, NULL, 0, iter, hmacOid,
|
||||||
rng, heap)) < 0) {
|
rng, heap)) < 0) {
|
||||||
if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
|
if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
|
||||||
return ret;
|
return ret;
|
||||||
|
|
@ -2180,7 +2206,7 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng,
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = EncryptContent(content, contentSz, tmp, &encSz,
|
if ((ret = EncryptContent(content, contentSz, tmp, &encSz,
|
||||||
pass, passSz, vPKCS, vAlgo, blkOid, NULL, 0, iter, hmacOid,
|
pass, passSz, vPKCS, outAlgo, blkOid, NULL, 0, iter, hmacOid,
|
||||||
rng, heap)) < 0) {
|
rng, heap)) < 0) {
|
||||||
XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
return ret;
|
return ret;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue