[apple/security.git] / libsecurity_pkcs12 / lib / pkcs12Encode.cpp

/*
 * Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * pkcs12Encode.h - P12Coder encoding engine.
 * 
 * Unlike the decoding side of P12Coder, which can parse PFXs with
 * more or less arbitrary structures, this encoding engine has 
 * a specific layout for what bags go where in the jungle of 
 * SafeContents and ContentInfos. It would be impractical to allow
 * (or to expect) the app to specify this structure. 
 *
 * The knowledge of how a PFX is built out of various components
 * is encapsulated in the authSafeBuild() member function. The rest
 * of the functions in this file are pretty much "PFX-structure-
 * agnostic", so if one wanted to change the overall PFX structure,
 * one would only have to focus on the authSafeBuild() function. 
 */

#include "pkcs12Coder.h"
#include "pkcs12Debug.h"
#include "pkcs12Crypto.h"
#include "pkcs12Templates.h"
#include "pkcs12Utils.h"
#include <Security/cssmerr.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include <Security/oidsattr.h>

void P12Coder::encode(
	CFDataRef				*cpfx)		// RETURNED
{
	p12EncodeLog("encode top");
	SecNssCoder localCdr;
	NSS_P12_DecodedPFX pfx;
	
	memset(&pfx, 0, sizeof(pfx));
	p12IntToData(3, pfx.version, localCdr);
	authSafeBuild(pfx.authSafe, localCdr);
	macSignPfx(pfx, localCdr);
	CSSM_DATA derPfx = {0, NULL};
	if(localCdr.encodeItem(&pfx, NSS_P12_DecodedPFXTemplate, derPfx)) {
		p12ErrorLog("Error encoding top-level pfx\n");
		P12_THROW_ENCODE;
	}
	CFDataRef cp = CFDataCreate(NULL, derPfx.Data, derPfx.Length);
	*cpfx = cp;
}

void P12Coder::macSignPfx(
	NSS_P12_DecodedPFX &pfx,
	SecNssCoder &localCdr)
{
	p12EncodeLog("macSignPfx");
	NSS_P12_MacData *macData = localCdr.mallocn<NSS_P12_MacData>();
	pfx.macData = macData;
	p12GenSalt(macData->macSalt, localCdr);
	p12IntToData(mMacIterCount, macData->iterations, localCdr);
	NSS_P7_DigestInfo &digInfo = macData->mac;
	
	/* this is not negotiable; it's the only one P12 allows */
	localCdr.allocCopyItem(CSSMOID_SHA1, digInfo.digestAlgorithm.algorithm);
	/* null algorithm parameters */
	p12NullAlgParams(digInfo.digestAlgorithm);
	
	const CSSM_DATA *macPhrase = getMacPassPhrase();
	const CSSM_KEY *macPassKey = getMacPassKey();
	if((macPhrase == NULL) && (macPassKey == NULL)) {
		p12ErrorLog("no passphrase set\n");
		CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE);
	}
	
	CSSM_RETURN crtn = p12GenMac(mCspHand, 
		*pfx.authSafe.content.data, 
		CSSM_ALGID_SHA1, mMacIterCount, macData->macSalt, 
		macPhrase, macPassKey, localCdr, digInfo.digest);
	if(crtn) {
		p12ErrorLog("Error generating PFX MAC\n");
		CssmError::throwMe(crtn);
	}
}

/*
 * This is the heart of the encoding engine. All knowledge of 
 * "what bags go where" is here. The PFX structure implemented here
 * is derived from empirical observation of PFXs obtained from
 * Mozilla 1.2b and from the DoD test vectors for "Conformance 
 * Testing of Relying Party Client Certificate Path Processing 
 * Logic", written by Cygnacom, Septemtber 28, 2001. 
 *
 * The PFX structure is as follows:
 *
 * -- One AuthenticatedSafe element (a PKCS7 ContentInfo) containing
 *    all certificates and CRLs. 
 *
 *    ContentInfo.type = CT_EncryptedData
 *    Encryption algorithm is our "weak" encryption Alg, default 
 *        of CSSMOID_PKCS12_pbeWithSHAAnd40BitRC4.
 *
 * -- One AuthenticatedSafe element containing all private keys in
 *    the form of ShroudedKeyBags.
 *
 *    ContentInfo.type = CT_Data
 *    Encryption algorithm for shrouded key bags is our "strong"
 *        encryption, default CSSMOID_PKCS12_pbeWithSHAAnd3Key3DESCBC
 *
 * -- Everything else goes in another AuthenticatedSafe element.
 *
 *    ContentInfo.type = CT_EncryptedData
 *    Encryption algorithm is our "strong" encryption Alg
 */
void P12Coder::authSafeBuild(
	NSS_P7_DecodedContentInfo &authSafe,
	SecNssCoder &localCdr)
{
	p12EncodeLog("authSafeBuild top");

	/* how many contentInfos are we going to build? */
	unsigned numContents = 0;
	if(mCerts.size() || mCrls.size()) {
		numContents++;
	}
	if(mKeys.size()) {
		numContents++;
	}
	if(mOpaques.size()) {
		numContents++;
	}

	if(numContents == 0) {
		p12ErrorLog("authSafeBuild: no contents\n");
		MacOSError::throwMe(paramErr);
	}
	
	NSS_P7_DecodedContentInfo **contents = 
		(NSS_P7_DecodedContentInfo **)p12NssNullArray(numContents, 
			localCdr);
	unsigned contentDex = 0;
	
	NSS_P12_SafeBag **safeBags;

	/* certs & crls */
	unsigned numBags = mCerts.size() + mCrls.size();
	p12EncodeLog("authSafeBuild : %u certs + CRLS", numBags);
	if(numBags) {
		safeBags = (NSS_P12_SafeBag **)p12NssNullArray(numBags, localCdr);
		unsigned bagDex = 0;
		for(unsigned dex=0; dex<mCerts.size(); dex++) {
			safeBags[bagDex++] = certBagBuild(mCerts[dex], localCdr);
		} 
		for(unsigned dex=0; dex<mCrls.size(); dex++) {
			safeBags[bagDex++] = crlBagBuild(mCrls[dex], localCdr);
		} 
		contents[contentDex++] = safeContentsBuild(safeBags, 
			CT_EncryptedData, &mWeakEncrAlg, mWeakEncrIterCount, localCdr);
	}
	
	/* shrouded keys - encrypted at bag level */
	numBags = mKeys.size();
	if(numBags) {
		p12EncodeLog("authSafeBuild : %u keys", numBags);
		safeBags = (NSS_P12_SafeBag **)p12NssNullArray(numBags, localCdr);
		unsigned bagDex = 0;
		for(unsigned dex=0; dex<numBags; dex++) {
			safeBags[bagDex++] = keyBagBuild(mKeys[dex], localCdr);
		} 
		contents[contentDex++] = safeContentsBuild(safeBags, 
			CT_Data, NULL, 0, localCdr);
	}
	
	/* opaque */
	numBags = mOpaques.size();
	if(numBags) {
		p12EncodeLog("authSafeBuild : %u opaques", numBags);
		safeBags = (NSS_P12_SafeBag **)p12NssNullArray(numBags, localCdr);
		unsigned bagDex = 0;
		for(unsigned dex=0; dex<numBags; dex++) {
			safeBags[bagDex++] = opaqueBagBuild(mOpaques[dex], localCdr);
		} 
		contents[contentDex++] = safeContentsBuild(safeBags, 
			CT_EncryptedData, &mStrongEncrAlg, mStrongEncrIterCount, localCdr);
	}
	
	/*
	 * Encode the whole elements array into authSafe.content.data
	 */
	NSS_P12_AuthenticatedSafe safe;
	safe.info = contents;
	CSSM_DATA *adata = localCdr.mallocn<CSSM_DATA>();
	authSafe.content.data = adata;
	adata->Data = NULL;
	adata->Length = 0;
	if(localCdr.encodeItem(&safe, NSS_P12_AuthenticatedSafeTemplate,
			*adata)) {
		p12ErrorLog("authSafeBuild: error encoding auth safe\n");
		P12_THROW_ENCODE;
	}
	authSafe.type = CT_Data;
	authSafe.contentType = CSSMOID_PKCS7_Data;
}

/*
 * Build a AuthSafe element of specified type out of the 
 * specified array of bags.
 */
NSS_P7_DecodedContentInfo *P12Coder::safeContentsBuild(
	NSS_P12_SafeBag **bags,
	NSS_P7_CI_Type type,	// CT_Data, CT_EncryptedData
	CSSM_OID *encrOid,		// only for CT_EncryptedData
	unsigned iterCount,		// ditto
	SecNssCoder &localCdr)
{
	p12EncodeLog("safeContentsBuild type %u", (unsigned)type);

	/*
	 * First, encode the bag array as a SafeContents
	 */
	CSSM_DATA encSafeContents = {0, NULL};
	NSS_P12_SafeContents safeContents = {bags};
	if(localCdr.encodeItem(&safeContents,
			NSS_P12_SafeContentsTemplate, encSafeContents)) {
		p12ErrorLog("error encoding SafeContents\n");
		P12_THROW_ENCODE;
	}
	
	NSS_P7_DecodedContentInfo *dci = 
		localCdr.mallocn<NSS_P7_DecodedContentInfo>();
	dci->type = type;
	if(type == CT_Data) {
		/* plaintext gets encoded as an octet string */
		localCdr.allocCopyItem(CSSMOID_PKCS7_Data, dci->contentType);
		dci->content.data = localCdr.mallocn<CSSM_DATA>();
		localCdr.allocCopyItem(encSafeContents, *dci->content.data);
	}
	else if(type == CT_EncryptedData) {
		/* encrypt the encoded SafeContents */
		localCdr.allocCopyItem(CSSMOID_PKCS7_EncryptedData, 
			dci->contentType);
		dci->content.encryptData = localCdr.mallocn<NSS_P7_EncryptedData>();
		NSS_P7_EncryptedData *ed = dci->content.encryptData;
		assert(encrOid != NULL);
		encryptData(encSafeContents, *encrOid, iterCount, *ed, localCdr);
	}
	else {
		p12ErrorLog("bad type in safeContentsBuild\n");
		CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
	}
	return dci;
}

/*
 * Encrypt the specified plaintext with specified algorithm.
 * Drop result and other interesting info into an NSS_P7_EncryptedData.
 */
void P12Coder::encryptData(
	const CSSM_DATA			&ptext,
	CSSM_OID 				&encrOid,
	unsigned 				iterCount,
	NSS_P7_EncryptedData	&ed,
	SecNssCoder				&localCdr)
{
	p12EncodeLog("encryptData");

	/* do the raw encrypt first to make sure we can do it... */
	CSSM_ALGORITHMS		keyAlg;			// e.g., CSSM_ALGID_DES
	CSSM_ALGORITHMS		encrAlg;		// e.g., CSSM_ALGID_3DES_3KEY_EDE
	CSSM_ALGORITHMS		pbeHashAlg;		// SHA1 or MD5
	uint32				keySizeInBits;
	uint32				blockSizeInBytes;	// for IV, optional
	CSSM_PADDING		padding;		// CSSM_PADDING_PKCS7, etc.
	CSSM_ENCRYPT_MODE	mode;			// CSSM_ALGMODE_CBCPadIV8, etc.
	PKCS_Which			pkcs;
	
	bool found = pkcsOidToParams(&encrOid,
		keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
		padding, mode, pkcs);
	if(!found || (pkcs != PW_PKCS12)) {
		p12ErrorLog("encryptData encrAlg not understood\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
	}
	
	/* Salt: we generate random bytes */
	CSSM_DATA salt;
	p12GenSalt(salt, localCdr);

	const CSSM_DATA *pwd = getEncrPassPhrase();
	const CSSM_KEY *passKey = getEncrPassKey();
	if((pwd == NULL) && (passKey == NULL)) {
		p12ErrorLog("no passphrase set\n");
		CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE);
	}
	CSSM_DATA ctext = {0, NULL};
	
	CSSM_RETURN crtn = p12Encrypt(mCspHand, ptext, 
		keyAlg, encrAlg, pbeHashAlg,
		keySizeInBits, blockSizeInBytes,
		padding, mode,
		iterCount, salt,
		pwd, passKey, localCdr,
		ctext);
	if(crtn) {
		CssmError::throwMe(crtn);
	}
	
	/* Now fill in the NSS_P7_EncryptedData */
	p12IntToData(0, ed.version, localCdr);
	NSS_P7_EncrContentInfo &eci = ed.contentInfo;
	localCdr.allocCopyItem(CSSMOID_PKCS7_Data, eci.contentType);
	algIdBuild(eci.encrAlg, encrOid, salt, iterCount, localCdr);
	eci.encrContent = ctext;
}

/* 
 * Fill in an CSSM_X509_ALGORITHM_IDENTIFIER with parameters in
 * the form of an encoded NSS_P12_PBE_Params
 */
void P12Coder::algIdBuild(
	CSSM_X509_ALGORITHM_IDENTIFIER	&algId,
	const CSSM_OID &algOid,
	const CSSM_DATA &salt,
	unsigned iterCount,
	SecNssCoder &localCdr)
{
	p12EncodeLog("algIdBuild");
	localCdr.allocCopyItem(algOid, algId.algorithm);
	NSS_P12_PBE_Params pbeParams;
	pbeParams.salt = salt;
	p12IntToData(iterCount, pbeParams.iterations, localCdr);
	if(localCdr.encodeItem(&pbeParams, NSS_P12_PBE_ParamsTemplate,
			algId.parameters)) {
		p12ErrorLog("error encoding NSS_P12_PBE_Params\n");
		P12_THROW_ENCODE;
	}
}

#pragma mark --- Individual Bag Builders ---

NSS_P12_SafeBag *P12Coder::certBagBuild(
	P12CertBag *cert,
	SecNssCoder &localCdr)
{
	p12EncodeLog("certBagBuild");

	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
	safeBag->bagId = CSSMOID_PKCS12_certBag;
	safeBag->type = BT_CertBag;
	
	NSS_P12_CertBag *certBag = localCdr.mallocn<NSS_P12_CertBag>();
	safeBag->bagValue.certBag = certBag;
	const CSSM_OID *certTypeOid = NULL;
	switch(cert->certType()) {
		case CT_X509:
			certTypeOid = &CSSMOID_PKCS9_X509Certificate;
			break;
		case CT_SDSI:
			certTypeOid = &CSSMOID_PKCS9_SdsiCertificate;
			break;
		default:
			p12ErrorLog("unknown certType on encode\n");
			CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
			
	}
	
	/* copies not needed, same scope as P12CertBag */
	certBag->bagType = *certTypeOid;
	certBag->type = cert->certType();
	certBag->certValue = cert->certData();
	safeBag->bagAttrs = cert->getAllAttrs();
	return safeBag;
}

NSS_P12_SafeBag *P12Coder::crlBagBuild(
	P12CrlBag *crl,
	SecNssCoder &localCdr)
{
	p12EncodeLog("crlBagBuild");

	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
	safeBag->bagId = CSSMOID_PKCS12_crlBag;
	safeBag->type = BT_CrlBag;
	
	NSS_P12_CrlBag *crlBag = localCdr.mallocn<NSS_P12_CrlBag>();
	safeBag->bagValue.crlBag = crlBag;
	const CSSM_OID *crlTypeOid = NULL;
	switch(crl->crlType()) {
		case CRT_X509:
			crlTypeOid = &CSSMOID_PKCS9_X509Crl;
			break;
		default:
			p12ErrorLog("unknown crlType on encode\n");
			CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
			
	}
	
	/* copies not needed, same scope as P12CrlBag */
	crlBag->bagType = *crlTypeOid;
	crlBag->type = crl->crlType();
	crlBag->crlValue = crl->crlData();
	safeBag->bagAttrs = crl->getAllAttrs();
	return safeBag;
}

NSS_P12_SafeBag *P12Coder::keyBagBuild(
	P12KeyBag *key,
	SecNssCoder &localCdr)
{
	p12EncodeLog("keyBagBuild");

	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
	safeBag->bagId = CSSMOID_PKCS12_shroudedKeyBag;
	safeBag->type = BT_ShroudedKeyBag;
	
	NSS_EncryptedPrivateKeyInfo *keyInfo = localCdr.
		mallocn<NSS_EncryptedPrivateKeyInfo>();
	safeBag->bagValue.shroudedKeyBag = keyInfo;
	safeBag->bagAttrs = key->getAllAttrs();

	/* Prepare for key wrap */
	CSSM_DATA salt;
	p12GenSalt(salt, localCdr);
	algIdBuild(keyInfo->algorithm, mStrongEncrAlg, salt, 
		mStrongEncrIterCount, localCdr);
	
	CSSM_ALGORITHMS		keyAlg;			// e.g., CSSM_ALGID_DES
	CSSM_ALGORITHMS		encrAlg;		// e.g., CSSM_ALGID_3DES_3KEY_EDE
	CSSM_ALGORITHMS		pbeHashAlg;		// SHA1 or MD5
	uint32				keySizeInBits;
	uint32				blockSizeInBytes;	// for IV, optional
	CSSM_PADDING		padding;		// CSSM_PADDING_PKCS7, etc.
	CSSM_ENCRYPT_MODE	mode;			// CSSM_ALGMODE_CBCPadIV8, etc.
	PKCS_Which			pkcs;
	
	bool found = pkcsOidToParams(&mStrongEncrAlg,
		keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
		padding, mode, pkcs);
	if(!found || (pkcs != PW_PKCS12)) {
		/* app config error - they gave us bogus algorithm */
		p12ErrorLog("keyBagBuild encrAlg not understood\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
	}
	const CSSM_DATA *encrPhrase = getEncrPassPhrase();
	const CSSM_KEY *passKey = getEncrPassKey();
	if((encrPhrase == NULL) && (passKey == NULL)) {
		p12ErrorLog("no passphrase set\n");
		CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE);
	}
	CSSM_DATA shroudedBits = {0, NULL};
	
	CSSM_RETURN crtn = p12WrapKey(mCspHand,
		key->key(), key->privKeyCreds(),
		keyAlg, encrAlg, pbeHashAlg,
		keySizeInBits, blockSizeInBytes,
		padding, mode,
		mStrongEncrIterCount, salt,
		encrPhrase,
		passKey,
		localCdr, 
		shroudedBits);
	if(crtn) {
		p12ErrorLog("Error wrapping private key\n");
		CssmError::throwMe(crtn);
	}
	
	keyInfo->encryptedData = shroudedBits;
	return safeBag;
}

NSS_P12_SafeBag *P12Coder::opaqueBagBuild(
	P12OpaqueBag *opaque,
	SecNssCoder &localCdr)
{
	p12EncodeLog("opaqueBagBuild");
	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
	safeBag->bagId = opaque->oid();
	safeBag->bagValue.secretBag = &opaque->blob();
	safeBag->bagAttrs = opaque->getAllAttrs();
	return safeBag;
}
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* pkcs12Encode.h - P12Coder encoding engine.
	26	*
	27	* Unlike the decoding side of P12Coder, which can parse PFXs with
	28	* more or less arbitrary structures, this encoding engine has
	29	* a specific layout for what bags go where in the jungle of
	30	* SafeContents and ContentInfos. It would be impractical to allow
	31	* (or to expect) the app to specify this structure.
	32	*
	33	* The knowledge of how a PFX is built out of various components
	34	* is encapsulated in the authSafeBuild() member function. The rest
	35	* of the functions in this file are pretty much "PFX-structure-
	36	* agnostic", so if one wanted to change the overall PFX structure,
	37	* one would only have to focus on the authSafeBuild() function.
	38	*/
	39
	40	#include "pkcs12Coder.h"
	41	#include "pkcs12Debug.h"
	42	#include "pkcs12Crypto.h"
	43	#include "pkcs12Templates.h"
	44	#include "pkcs12Utils.h"
	45	#include <Security/cssmerr.h>
	46	#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
	47	#include <Security/oidsattr.h>
	48
	49	void P12Coder::encode(
	50	CFDataRef *cpfx) // RETURNED
	51	{
	52	p12EncodeLog("encode top");
	53	SecNssCoder localCdr;
	54	NSS_P12_DecodedPFX pfx;
	55
	56	memset(&pfx, 0, sizeof(pfx));
	57	p12IntToData(3, pfx.version, localCdr);
	58	authSafeBuild(pfx.authSafe, localCdr);
	59	macSignPfx(pfx, localCdr);
	60	CSSM_DATA derPfx = {0, NULL};
	61	if(localCdr.encodeItem(&pfx, NSS_P12_DecodedPFXTemplate, derPfx)) {
	62	p12ErrorLog("Error encoding top-level pfx\n");
	63	P12_THROW_ENCODE;
	64	}
65	CFDataRef cp = CFDataCreate(NULL, derPfx.Data, derPfx.Length);
66	*cpfx = cp;
67	}
68
69	void P12Coder::macSignPfx(
70	NSS_P12_DecodedPFX &pfx,
71	SecNssCoder &localCdr)
72	{
73	p12EncodeLog("macSignPfx");
74	NSS_P12_MacData *macData = localCdr.mallocn<NSS_P12_MacData>();
75	pfx.macData = macData;
76	p12GenSalt(macData->macSalt, localCdr);
77	p12IntToData(mMacIterCount, macData->iterations, localCdr);
78	NSS_P7_DigestInfo &digInfo = macData->mac;
79
80	/* this is not negotiable; it's the only one P12 allows */
81	localCdr.allocCopyItem(CSSMOID_SHA1, digInfo.digestAlgorithm.algorithm);
82	/* null algorithm parameters */
83	p12NullAlgParams(digInfo.digestAlgorithm);
84
85	const CSSM_DATA *macPhrase = getMacPassPhrase();
86	const CSSM_KEY *macPassKey = getMacPassKey();
87	if((macPhrase == NULL) && (macPassKey == NULL)) {
88	p12ErrorLog("no passphrase set\n");
89	CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE);
90	}
91
92	CSSM_RETURN crtn = p12GenMac(mCspHand,
93	*pfx.authSafe.content.data,
94	CSSM_ALGID_SHA1, mMacIterCount, macData->macSalt,
95	macPhrase, macPassKey, localCdr, digInfo.digest);
96	if(crtn) {
97	p12ErrorLog("Error generating PFX MAC\n");
98	CssmError::throwMe(crtn);
99	}
100	}
101
102	/*
103	* This is the heart of the encoding engine. All knowledge of
104	* "what bags go where" is here. The PFX structure implemented here
105	* is derived from empirical observation of PFXs obtained from
106	* Mozilla 1.2b and from the DoD test vectors for "Conformance
107	* Testing of Relying Party Client Certificate Path Processing
108	* Logic", written by Cygnacom, Septemtber 28, 2001.
109	*
110	* The PFX structure is as follows:
111	*
112	* -- One AuthenticatedSafe element (a PKCS7 ContentInfo) containing
113	* all certificates and CRLs.
114	*
115	* ContentInfo.type = CT_EncryptedData
116	* Encryption algorithm is our "weak" encryption Alg, default
117	* of CSSMOID_PKCS12_pbeWithSHAAnd40BitRC4.
118	*
119	* -- One AuthenticatedSafe element containing all private keys in
120	* the form of ShroudedKeyBags.
121	*
122	* ContentInfo.type = CT_Data
123	* Encryption algorithm for shrouded key bags is our "strong"
124	* encryption, default CSSMOID_PKCS12_pbeWithSHAAnd3Key3DESCBC
125	*
126	* -- Everything else goes in another AuthenticatedSafe element.
127	*
128	* ContentInfo.type = CT_EncryptedData
129	* Encryption algorithm is our "strong" encryption Alg
130	*/
131	void P12Coder::authSafeBuild(
132	NSS_P7_DecodedContentInfo &authSafe,
133	SecNssCoder &localCdr)
134	{
135	p12EncodeLog("authSafeBuild top");
136
137	/* how many contentInfos are we going to build? */
138	unsigned numContents = 0;
139	if(mCerts.size() \|\| mCrls.size()) {
140	numContents++;
141	}
142	if(mKeys.size()) {
143	numContents++;
144	}
145	if(mOpaques.size()) {
146	numContents++;
147	}
148
149	if(numContents == 0) {
150	p12ErrorLog("authSafeBuild: no contents\n");
151	MacOSError::throwMe(paramErr);
152	}
153
154	NSS_P7_DecodedContentInfo **contents =
155	(NSS_P7_DecodedContentInfo **)p12NssNullArray(numContents,
156	localCdr);
157	unsigned contentDex = 0;
158
159	NSS_P12_SafeBag **safeBags;
160
161	/* certs & crls */
162	unsigned numBags = mCerts.size() + mCrls.size();
163	p12EncodeLog("authSafeBuild : %u certs + CRLS", numBags);
164	if(numBags) {
165	safeBags = (NSS_P12_SafeBag **)p12NssNullArray(numBags, localCdr);
166	unsigned bagDex = 0;
167	for(unsigned dex=0; dex<mCerts.size(); dex++) {
168	safeBags[bagDex++] = certBagBuild(mCerts[dex], localCdr);
169	}
170	for(unsigned dex=0; dex<mCrls.size(); dex++) {
171	safeBags[bagDex++] = crlBagBuild(mCrls[dex], localCdr);
172	}
173	contents[contentDex++] = safeContentsBuild(safeBags,
174	CT_EncryptedData, &mWeakEncrAlg, mWeakEncrIterCount, localCdr);
175	}
176
177	/* shrouded keys - encrypted at bag level */
178	numBags = mKeys.size();
179	if(numBags) {
180	p12EncodeLog("authSafeBuild : %u keys", numBags);
181	safeBags = (NSS_P12_SafeBag **)p12NssNullArray(numBags, localCdr);
182	unsigned bagDex = 0;
183	for(unsigned dex=0; dex<numBags; dex++) {
184	safeBags[bagDex++] = keyBagBuild(mKeys[dex], localCdr);
185	}
186	contents[contentDex++] = safeContentsBuild(safeBags,
187	CT_Data, NULL, 0, localCdr);
188	}
189
190	/* opaque */
191	numBags = mOpaques.size();
192	if(numBags) {
193	p12EncodeLog("authSafeBuild : %u opaques", numBags);
194	safeBags = (NSS_P12_SafeBag **)p12NssNullArray(numBags, localCdr);
195	unsigned bagDex = 0;
196	for(unsigned dex=0; dex<numBags; dex++) {
197	safeBags[bagDex++] = opaqueBagBuild(mOpaques[dex], localCdr);
198	}
199	contents[contentDex++] = safeContentsBuild(safeBags,
200	CT_EncryptedData, &mStrongEncrAlg, mStrongEncrIterCount, localCdr);
201	}
202
203	/*
204	* Encode the whole elements array into authSafe.content.data
205	*/
206	NSS_P12_AuthenticatedSafe safe;
207	safe.info = contents;
208	CSSM_DATA *adata = localCdr.mallocn<CSSM_DATA>();
209	authSafe.content.data = adata;
210	adata->Data = NULL;
211	adata->Length = 0;
212	if(localCdr.encodeItem(&safe, NSS_P12_AuthenticatedSafeTemplate,
213	*adata)) {
214	p12ErrorLog("authSafeBuild: error encoding auth safe\n");
215	P12_THROW_ENCODE;
216	}
217	authSafe.type = CT_Data;
218	authSafe.contentType = CSSMOID_PKCS7_Data;
219	}
220
221	/*
222	* Build a AuthSafe element of specified type out of the
223	* specified array of bags.
224	*/
225	NSS_P7_DecodedContentInfo *P12Coder::safeContentsBuild(
226	NSS_P12_SafeBag **bags,
227	NSS_P7_CI_Type type, // CT_Data, CT_EncryptedData
228	CSSM_OID *encrOid, // only for CT_EncryptedData
229	unsigned iterCount, // ditto
230	SecNssCoder &localCdr)
231	{
232	p12EncodeLog("safeContentsBuild type %u", (unsigned)type);
233
234	/*
235	* First, encode the bag array as a SafeContents
236	*/
237	CSSM_DATA encSafeContents = {0, NULL};
238	NSS_P12_SafeContents safeContents = {bags};
239	if(localCdr.encodeItem(&safeContents,
240	NSS_P12_SafeContentsTemplate, encSafeContents)) {
241	p12ErrorLog("error encoding SafeContents\n");
242	P12_THROW_ENCODE;
243	}
244
245	NSS_P7_DecodedContentInfo *dci =
246	localCdr.mallocn<NSS_P7_DecodedContentInfo>();
247	dci->type = type;
248	if(type == CT_Data) {
249	/* plaintext gets encoded as an octet string */
250	localCdr.allocCopyItem(CSSMOID_PKCS7_Data, dci->contentType);
251	dci->content.data = localCdr.mallocn<CSSM_DATA>();
252	localCdr.allocCopyItem(encSafeContents, *dci->content.data);
253	}
254	else if(type == CT_EncryptedData) {
255	/* encrypt the encoded SafeContents */
256	localCdr.allocCopyItem(CSSMOID_PKCS7_EncryptedData,
257	dci->contentType);
258	dci->content.encryptData = localCdr.mallocn<NSS_P7_EncryptedData>();
259	NSS_P7_EncryptedData *ed = dci->content.encryptData;
260	assert(encrOid != NULL);
261	encryptData(encSafeContents, encrOid, iterCount, ed, localCdr);
262	}
263	else {
264	p12ErrorLog("bad type in safeContentsBuild\n");
265	CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
266	}
267	return dci;
268	}
269
270	/*
271	* Encrypt the specified plaintext with specified algorithm.
272	* Drop result and other interesting info into an NSS_P7_EncryptedData.
273	*/
274	void P12Coder::encryptData(
275	const CSSM_DATA &ptext,
276	CSSM_OID &encrOid,
277	unsigned iterCount,
278	NSS_P7_EncryptedData &ed,
279	SecNssCoder &localCdr)
280	{
281	p12EncodeLog("encryptData");
282
283	/* do the raw encrypt first to make sure we can do it... */
284	CSSM_ALGORITHMS keyAlg; // e.g., CSSM_ALGID_DES
285	CSSM_ALGORITHMS encrAlg; // e.g., CSSM_ALGID_3DES_3KEY_EDE
286	CSSM_ALGORITHMS pbeHashAlg; // SHA1 or MD5
287	uint32 keySizeInBits;
288	uint32 blockSizeInBytes; // for IV, optional
289	CSSM_PADDING padding; // CSSM_PADDING_PKCS7, etc.
290	CSSM_ENCRYPT_MODE mode; // CSSM_ALGMODE_CBCPadIV8, etc.
291	PKCS_Which pkcs;
292
293	bool found = pkcsOidToParams(&encrOid,
294	keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
295	padding, mode, pkcs);
296	if(!found \|\| (pkcs != PW_PKCS12)) {
297	p12ErrorLog("encryptData encrAlg not understood\n");
298	CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
299	}
300
301	/* Salt: we generate random bytes */
302	CSSM_DATA salt;
303	p12GenSalt(salt, localCdr);
304
305	const CSSM_DATA *pwd = getEncrPassPhrase();
306	const CSSM_KEY *passKey = getEncrPassKey();
307	if((pwd == NULL) && (passKey == NULL)) {
308	p12ErrorLog("no passphrase set\n");
309	CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE);
310	}
311	CSSM_DATA ctext = {0, NULL};
312
313	CSSM_RETURN crtn = p12Encrypt(mCspHand, ptext,
314	keyAlg, encrAlg, pbeHashAlg,
315	keySizeInBits, blockSizeInBytes,
316	padding, mode,
317	iterCount, salt,
318	pwd, passKey, localCdr,
319	ctext);
320	if(crtn) {
321	CssmError::throwMe(crtn);
322	}
323
324	/* Now fill in the NSS_P7_EncryptedData */
325	p12IntToData(0, ed.version, localCdr);
326	NSS_P7_EncrContentInfo &eci = ed.contentInfo;
327	localCdr.allocCopyItem(CSSMOID_PKCS7_Data, eci.contentType);
328	algIdBuild(eci.encrAlg, encrOid, salt, iterCount, localCdr);
329	eci.encrContent = ctext;
330	}
331
332	/*
333	* Fill in an CSSM_X509_ALGORITHM_IDENTIFIER with parameters in
334	* the form of an encoded NSS_P12_PBE_Params
335	*/
336	void P12Coder::algIdBuild(
337	CSSM_X509_ALGORITHM_IDENTIFIER &algId,
338	const CSSM_OID &algOid,
339	const CSSM_DATA &salt,
340	unsigned iterCount,
341	SecNssCoder &localCdr)
342	{
343	p12EncodeLog("algIdBuild");
344	localCdr.allocCopyItem(algOid, algId.algorithm);
345	NSS_P12_PBE_Params pbeParams;
346	pbeParams.salt = salt;
347	p12IntToData(iterCount, pbeParams.iterations, localCdr);
348	if(localCdr.encodeItem(&pbeParams, NSS_P12_PBE_ParamsTemplate,
349	algId.parameters)) {
350	p12ErrorLog("error encoding NSS_P12_PBE_Params\n");
351	P12_THROW_ENCODE;
352	}
353	}
354
355	#pragma mark --- Individual Bag Builders ---
356
357	NSS_P12_SafeBag *P12Coder::certBagBuild(
358	P12CertBag *cert,
359	SecNssCoder &localCdr)
360	{
361	p12EncodeLog("certBagBuild");
362
363	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
364	safeBag->bagId = CSSMOID_PKCS12_certBag;
365	safeBag->type = BT_CertBag;
366
367	NSS_P12_CertBag *certBag = localCdr.mallocn<NSS_P12_CertBag>();
368	safeBag->bagValue.certBag = certBag;
369	const CSSM_OID *certTypeOid = NULL;
370	switch(cert->certType()) {
371	case CT_X509:
372	certTypeOid = &CSSMOID_PKCS9_X509Certificate;
373	break;
374	case CT_SDSI:
375	certTypeOid = &CSSMOID_PKCS9_SdsiCertificate;
376	break;
377	default:
378	p12ErrorLog("unknown certType on encode\n");
379	CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
380
381	}
382
383	/* copies not needed, same scope as P12CertBag */
384	certBag->bagType = *certTypeOid;
385	certBag->type = cert->certType();
386	certBag->certValue = cert->certData();
387	safeBag->bagAttrs = cert->getAllAttrs();
388	return safeBag;
389	}
390
391	NSS_P12_SafeBag *P12Coder::crlBagBuild(
392	P12CrlBag *crl,
393	SecNssCoder &localCdr)
394	{
395	p12EncodeLog("crlBagBuild");
396
397	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
398	safeBag->bagId = CSSMOID_PKCS12_crlBag;
399	safeBag->type = BT_CrlBag;
400
401	NSS_P12_CrlBag *crlBag = localCdr.mallocn<NSS_P12_CrlBag>();
402	safeBag->bagValue.crlBag = crlBag;
403	const CSSM_OID *crlTypeOid = NULL;
404	switch(crl->crlType()) {
405	case CRT_X509:
406	crlTypeOid = &CSSMOID_PKCS9_X509Crl;
407	break;
408	default:
409	p12ErrorLog("unknown crlType on encode\n");
410	CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
411
412	}
413
414	/* copies not needed, same scope as P12CrlBag */
415	crlBag->bagType = *crlTypeOid;
416	crlBag->type = crl->crlType();
417	crlBag->crlValue = crl->crlData();
418	safeBag->bagAttrs = crl->getAllAttrs();
419	return safeBag;
420	}
421
422	NSS_P12_SafeBag *P12Coder::keyBagBuild(
423	P12KeyBag *key,
424	SecNssCoder &localCdr)
425	{
426	p12EncodeLog("keyBagBuild");
427
428	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
429	safeBag->bagId = CSSMOID_PKCS12_shroudedKeyBag;
430	safeBag->type = BT_ShroudedKeyBag;
431
432	NSS_EncryptedPrivateKeyInfo *keyInfo = localCdr.
433	mallocn<NSS_EncryptedPrivateKeyInfo>();
434	safeBag->bagValue.shroudedKeyBag = keyInfo;
435	safeBag->bagAttrs = key->getAllAttrs();
436
437	/* Prepare for key wrap */
438	CSSM_DATA salt;
439	p12GenSalt(salt, localCdr);
440	algIdBuild(keyInfo->algorithm, mStrongEncrAlg, salt,
441	mStrongEncrIterCount, localCdr);
442
443	CSSM_ALGORITHMS keyAlg; // e.g., CSSM_ALGID_DES
444	CSSM_ALGORITHMS encrAlg; // e.g., CSSM_ALGID_3DES_3KEY_EDE
445	CSSM_ALGORITHMS pbeHashAlg; // SHA1 or MD5
446	uint32 keySizeInBits;
447	uint32 blockSizeInBytes; // for IV, optional
448	CSSM_PADDING padding; // CSSM_PADDING_PKCS7, etc.
449	CSSM_ENCRYPT_MODE mode; // CSSM_ALGMODE_CBCPadIV8, etc.
450	PKCS_Which pkcs;
451
452	bool found = pkcsOidToParams(&mStrongEncrAlg,
453	keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
454	padding, mode, pkcs);
455	if(!found \|\| (pkcs != PW_PKCS12)) {
456	/* app config error - they gave us bogus algorithm */
457	p12ErrorLog("keyBagBuild encrAlg not understood\n");
458	CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
459	}
460	const CSSM_DATA *encrPhrase = getEncrPassPhrase();
461	const CSSM_KEY *passKey = getEncrPassKey();
462	if((encrPhrase == NULL) && (passKey == NULL)) {
463	p12ErrorLog("no passphrase set\n");
464	CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE);
465	}
466	CSSM_DATA shroudedBits = {0, NULL};
467
468	CSSM_RETURN crtn = p12WrapKey(mCspHand,
469	key->key(), key->privKeyCreds(),
470	keyAlg, encrAlg, pbeHashAlg,
471	keySizeInBits, blockSizeInBytes,
472	padding, mode,
473	mStrongEncrIterCount, salt,
474	encrPhrase,
475	passKey,
476	localCdr,
477	shroudedBits);
478	if(crtn) {
479	p12ErrorLog("Error wrapping private key\n");
480	CssmError::throwMe(crtn);
481	}
482
483	keyInfo->encryptedData = shroudedBits;
484	return safeBag;
485	}
486
487	NSS_P12_SafeBag *P12Coder::opaqueBagBuild(
488	P12OpaqueBag *opaque,
489	SecNssCoder &localCdr)
490	{
491	p12EncodeLog("opaqueBagBuild");
492	NSS_P12_SafeBag *safeBag = localCdr.mallocn<NSS_P12_SafeBag>();
493	safeBag->bagId = opaque->oid();
494	safeBag->bagValue.secretBag = &opaque->blob();
495	safeBag->bagAttrs = opaque->getAllAttrs();
496	return safeBag;
497	}