1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * PKCS#12 Personal Information Exchange Syntax 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1 23 * 24 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf 25 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_PKCS12_C) 35 36 #include "mbedtls/pkcs12.h" 37 #include "mbedtls/asn1.h" 38 #include "mbedtls/cipher.h" 39 #include "mbedtls/platform_util.h" 40 #include "mbedtls/error.h" 41 42 #include <string.h> 43 44 #if defined(MBEDTLS_ARC4_C) 45 #include "mbedtls/arc4.h" 46 #endif 47 48 #if defined(MBEDTLS_DES_C) 49 #include "mbedtls/des.h" 50 #endif 51 52 #if defined(MBEDTLS_ASN1_PARSE_C) 53 54 static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params, 55 mbedtls_asn1_buf *salt, int *iterations ) 56 { 57 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 58 unsigned char **p = ¶ms->p; 59 const unsigned char *end = params->p + params->len; 60 61 /* 62 * pkcs-12PbeParams ::= SEQUENCE { 63 * salt OCTET STRING, 64 * iterations INTEGER 65 * } 66 * 67 */ 68 if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 69 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 70 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 71 72 if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 73 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 74 75 salt->p = *p; 76 *p += salt->len; 77 78 if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 ) 79 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 80 81 if( *p != end ) 82 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 83 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 84 85 return( 0 ); 86 } 87 88 #define PKCS12_MAX_PWDLEN 128 89 90 static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, 91 const unsigned char *pwd, size_t pwdlen, 92 unsigned char *key, size_t keylen, 93 unsigned char *iv, size_t ivlen ) 94 { 95 int ret, iterations = 0; 96 mbedtls_asn1_buf salt; 97 size_t i; 98 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; 99 100 if( pwdlen > PKCS12_MAX_PWDLEN ) 101 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 102 103 memset( &salt, 0, sizeof(mbedtls_asn1_buf) ); 104 memset( &unipwd, 0, sizeof(unipwd) ); 105 106 if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt, 107 &iterations ) ) != 0 ) 108 return( ret ); 109 110 for( i = 0; i < pwdlen; i++ ) 111 unipwd[i * 2 + 1] = pwd[i]; 112 113 if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2, 114 salt.p, salt.len, md_type, 115 MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 ) 116 { 117 return( ret ); 118 } 119 120 if( iv == NULL || ivlen == 0 ) 121 return( 0 ); 122 123 if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2, 124 salt.p, salt.len, md_type, 125 MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 ) 126 { 127 return( ret ); 128 } 129 return( 0 ); 130 } 131 132 #undef PKCS12_MAX_PWDLEN 133 134 int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode, 135 const unsigned char *pwd, size_t pwdlen, 136 const unsigned char *data, size_t len, 137 unsigned char *output ) 138 { 139 #if !defined(MBEDTLS_ARC4_C) 140 ((void) pbe_params); 141 ((void) mode); 142 ((void) pwd); 143 ((void) pwdlen); 144 ((void) data); 145 ((void) len); 146 ((void) output); 147 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 148 #else 149 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 150 unsigned char key[16]; 151 mbedtls_arc4_context ctx; 152 ((void) mode); 153 154 mbedtls_arc4_init( &ctx ); 155 156 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1, 157 pwd, pwdlen, 158 key, 16, NULL, 0 ) ) != 0 ) 159 { 160 return( ret ); 161 } 162 163 mbedtls_arc4_setup( &ctx, key, 16 ); 164 if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 ) 165 goto exit; 166 167 exit: 168 mbedtls_platform_zeroize( key, sizeof( key ) ); 169 mbedtls_arc4_free( &ctx ); 170 171 return( ret ); 172 #endif /* MBEDTLS_ARC4_C */ 173 } 174 175 int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, 176 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, 177 const unsigned char *pwd, size_t pwdlen, 178 const unsigned char *data, size_t len, 179 unsigned char *output ) 180 { 181 int ret, keylen = 0; 182 unsigned char key[32]; 183 unsigned char iv[16]; 184 const mbedtls_cipher_info_t *cipher_info; 185 mbedtls_cipher_context_t cipher_ctx; 186 size_t olen = 0; 187 188 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 189 if( cipher_info == NULL ) 190 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 191 192 keylen = cipher_info->key_bitlen / 8; 193 194 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen, 195 key, keylen, 196 iv, cipher_info->iv_size ) ) != 0 ) 197 { 198 return( ret ); 199 } 200 201 mbedtls_cipher_init( &cipher_ctx ); 202 203 if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 ) 204 goto exit; 205 206 if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 ) 207 goto exit; 208 209 if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 ) 210 goto exit; 211 212 if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 ) 213 goto exit; 214 215 if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len, 216 output, &olen ) ) != 0 ) 217 { 218 goto exit; 219 } 220 221 if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) 222 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; 223 224 exit: 225 mbedtls_platform_zeroize( key, sizeof( key ) ); 226 mbedtls_platform_zeroize( iv, sizeof( iv ) ); 227 mbedtls_cipher_free( &cipher_ctx ); 228 229 return( ret ); 230 } 231 232 #endif /* MBEDTLS_ASN1_PARSE_C */ 233 234 static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, 235 const unsigned char *filler, size_t fill_len ) 236 { 237 unsigned char *p = data; 238 size_t use_len; 239 240 while( data_len > 0 ) 241 { 242 use_len = ( data_len > fill_len ) ? fill_len : data_len; 243 memcpy( p, filler, use_len ); 244 p += use_len; 245 data_len -= use_len; 246 } 247 } 248 249 int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, 250 const unsigned char *pwd, size_t pwdlen, 251 const unsigned char *salt, size_t saltlen, 252 mbedtls_md_type_t md_type, int id, int iterations ) 253 { 254 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 255 unsigned int j; 256 257 unsigned char diversifier[128]; 258 unsigned char salt_block[128], pwd_block[128], hash_block[128]; 259 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; 260 unsigned char *p; 261 unsigned char c; 262 263 size_t hlen, use_len, v, i; 264 265 const mbedtls_md_info_t *md_info; 266 mbedtls_md_context_t md_ctx; 267 268 // This version only allows max of 64 bytes of password or salt 269 if( datalen > 128 || pwdlen > 64 || saltlen > 64 ) 270 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 271 272 md_info = mbedtls_md_info_from_type( md_type ); 273 if( md_info == NULL ) 274 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 275 276 mbedtls_md_init( &md_ctx ); 277 278 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 279 return( ret ); 280 hlen = mbedtls_md_get_size( md_info ); 281 282 if( hlen <= 32 ) 283 v = 64; 284 else 285 v = 128; 286 287 memset( diversifier, (unsigned char) id, v ); 288 289 pkcs12_fill_buffer( salt_block, v, salt, saltlen ); 290 pkcs12_fill_buffer( pwd_block, v, pwd, pwdlen ); 291 292 p = data; 293 while( datalen > 0 ) 294 { 295 // Calculate hash( diversifier || salt_block || pwd_block ) 296 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 297 goto exit; 298 299 if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) 300 goto exit; 301 302 if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 ) 303 goto exit; 304 305 if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 ) 306 goto exit; 307 308 if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) 309 goto exit; 310 311 // Perform remaining ( iterations - 1 ) recursive hash calculations 312 for( i = 1; i < (size_t) iterations; i++ ) 313 { 314 if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 ) 315 goto exit; 316 } 317 318 use_len = ( datalen > hlen ) ? hlen : datalen; 319 memcpy( p, hash_output, use_len ); 320 datalen -= use_len; 321 p += use_len; 322 323 if( datalen == 0 ) 324 break; 325 326 // Concatenating copies of hash_output into hash_block (B) 327 pkcs12_fill_buffer( hash_block, v, hash_output, hlen ); 328 329 // B += 1 330 for( i = v; i > 0; i-- ) 331 if( ++hash_block[i - 1] != 0 ) 332 break; 333 334 // salt_block += B 335 c = 0; 336 for( i = v; i > 0; i-- ) 337 { 338 j = salt_block[i - 1] + hash_block[i - 1] + c; 339 c = (unsigned char) (j >> 8); 340 salt_block[i - 1] = j & 0xFF; 341 } 342 343 // pwd_block += B 344 c = 0; 345 for( i = v; i > 0; i-- ) 346 { 347 j = pwd_block[i - 1] + hash_block[i - 1] + c; 348 c = (unsigned char) (j >> 8); 349 pwd_block[i - 1] = j & 0xFF; 350 } 351 } 352 353 ret = 0; 354 355 exit: 356 mbedtls_platform_zeroize( salt_block, sizeof( salt_block ) ); 357 mbedtls_platform_zeroize( pwd_block, sizeof( pwd_block ) ); 358 mbedtls_platform_zeroize( hash_block, sizeof( hash_block ) ); 359 mbedtls_platform_zeroize( hash_output, sizeof( hash_output ) ); 360 361 mbedtls_md_free( &md_ctx ); 362 363 return( ret ); 364 } 365 366 #endif /* MBEDTLS_PKCS12_C */ 367