1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * PKCS#12 Personal Information Exchange Syntax 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The PKCS #12 Personal Information Exchange Syntax Standard v1.1 23 * 24 * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf 25 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_PKCS12_C) 35 36 #include "mbedtls/pkcs12.h" 37 #include "mbedtls/asn1.h" 38 #include "mbedtls/cipher.h" 39 #include "mbedtls/platform_util.h" 40 41 #include <string.h> 42 43 #if defined(MBEDTLS_ARC4_C) 44 #include "mbedtls/arc4.h" 45 #endif 46 47 #if defined(MBEDTLS_DES_C) 48 #include "mbedtls/des.h" 49 #endif 50 51 #if defined(MBEDTLS_ASN1_PARSE_C) 52 53 static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params, 54 mbedtls_asn1_buf *salt, int *iterations ) 55 { 56 int ret; 57 unsigned char **p = ¶ms->p; 58 const unsigned char *end = params->p + params->len; 59 60 /* 61 * pkcs-12PbeParams ::= SEQUENCE { 62 * salt OCTET STRING, 63 * iterations INTEGER 64 * } 65 * 66 */ 67 if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 68 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 69 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 70 71 if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 72 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 73 74 salt->p = *p; 75 *p += salt->len; 76 77 if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 ) 78 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret ); 79 80 if( *p != end ) 81 return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + 82 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 83 84 return( 0 ); 85 } 86 87 #define PKCS12_MAX_PWDLEN 128 88 89 static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type, 90 const unsigned char *pwd, size_t pwdlen, 91 unsigned char *key, size_t keylen, 92 unsigned char *iv, size_t ivlen ) 93 { 94 int ret, iterations = 0; 95 mbedtls_asn1_buf salt; 96 size_t i; 97 unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2]; 98 99 if( pwdlen > PKCS12_MAX_PWDLEN ) 100 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 101 102 memset( &salt, 0, sizeof(mbedtls_asn1_buf) ); 103 memset( &unipwd, 0, sizeof(unipwd) ); 104 105 if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt, 106 &iterations ) ) != 0 ) 107 return( ret ); 108 109 for( i = 0; i < pwdlen; i++ ) 110 unipwd[i * 2 + 1] = pwd[i]; 111 112 if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2, 113 salt.p, salt.len, md_type, 114 MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 ) 115 { 116 return( ret ); 117 } 118 119 if( iv == NULL || ivlen == 0 ) 120 return( 0 ); 121 122 if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2, 123 salt.p, salt.len, md_type, 124 MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 ) 125 { 126 return( ret ); 127 } 128 return( 0 ); 129 } 130 131 #undef PKCS12_MAX_PWDLEN 132 133 int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode, 134 const unsigned char *pwd, size_t pwdlen, 135 const unsigned char *data, size_t len, 136 unsigned char *output ) 137 { 138 #if !defined(MBEDTLS_ARC4_C) 139 ((void) pbe_params); 140 ((void) mode); 141 ((void) pwd); 142 ((void) pwdlen); 143 ((void) data); 144 ((void) len); 145 ((void) output); 146 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 147 #else 148 int ret; 149 unsigned char key[16]; 150 mbedtls_arc4_context ctx; 151 ((void) mode); 152 153 mbedtls_arc4_init( &ctx ); 154 155 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1, 156 pwd, pwdlen, 157 key, 16, NULL, 0 ) ) != 0 ) 158 { 159 return( ret ); 160 } 161 162 mbedtls_arc4_setup( &ctx, key, 16 ); 163 if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 ) 164 goto exit; 165 166 exit: 167 mbedtls_platform_zeroize( key, sizeof( key ) ); 168 mbedtls_arc4_free( &ctx ); 169 170 return( ret ); 171 #endif /* MBEDTLS_ARC4_C */ 172 } 173 174 int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, 175 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, 176 const unsigned char *pwd, size_t pwdlen, 177 const unsigned char *data, size_t len, 178 unsigned char *output ) 179 { 180 int ret, keylen = 0; 181 unsigned char key[32]; 182 unsigned char iv[16]; 183 const mbedtls_cipher_info_t *cipher_info; 184 mbedtls_cipher_context_t cipher_ctx; 185 size_t olen = 0; 186 187 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 188 if( cipher_info == NULL ) 189 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 190 191 keylen = cipher_info->key_bitlen / 8; 192 193 if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen, 194 key, keylen, 195 iv, cipher_info->iv_size ) ) != 0 ) 196 { 197 return( ret ); 198 } 199 200 mbedtls_cipher_init( &cipher_ctx ); 201 202 if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 ) 203 goto exit; 204 205 if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 ) 206 goto exit; 207 208 if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 ) 209 goto exit; 210 211 if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 ) 212 goto exit; 213 214 if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len, 215 output, &olen ) ) != 0 ) 216 { 217 goto exit; 218 } 219 220 if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) 221 ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; 222 223 exit: 224 mbedtls_platform_zeroize( key, sizeof( key ) ); 225 mbedtls_platform_zeroize( iv, sizeof( iv ) ); 226 mbedtls_cipher_free( &cipher_ctx ); 227 228 return( ret ); 229 } 230 231 #endif /* MBEDTLS_ASN1_PARSE_C */ 232 233 static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, 234 const unsigned char *filler, size_t fill_len ) 235 { 236 unsigned char *p = data; 237 size_t use_len; 238 239 while( data_len > 0 ) 240 { 241 use_len = ( data_len > fill_len ) ? fill_len : data_len; 242 memcpy( p, filler, use_len ); 243 p += use_len; 244 data_len -= use_len; 245 } 246 } 247 248 int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, 249 const unsigned char *pwd, size_t pwdlen, 250 const unsigned char *salt, size_t saltlen, 251 mbedtls_md_type_t md_type, int id, int iterations ) 252 { 253 int ret; 254 unsigned int j; 255 256 unsigned char diversifier[128]; 257 unsigned char salt_block[128], pwd_block[128], hash_block[128]; 258 unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; 259 unsigned char *p; 260 unsigned char c; 261 262 size_t hlen, use_len, v, i; 263 264 const mbedtls_md_info_t *md_info; 265 mbedtls_md_context_t md_ctx; 266 267 // This version only allows max of 64 bytes of password or salt 268 if( datalen > 128 || pwdlen > 64 || saltlen > 64 ) 269 return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); 270 271 md_info = mbedtls_md_info_from_type( md_type ); 272 if( md_info == NULL ) 273 return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); 274 275 mbedtls_md_init( &md_ctx ); 276 277 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 278 return( ret ); 279 hlen = mbedtls_md_get_size( md_info ); 280 281 if( hlen <= 32 ) 282 v = 64; 283 else 284 v = 128; 285 286 memset( diversifier, (unsigned char) id, v ); 287 288 pkcs12_fill_buffer( salt_block, v, salt, saltlen ); 289 pkcs12_fill_buffer( pwd_block, v, pwd, pwdlen ); 290 291 p = data; 292 while( datalen > 0 ) 293 { 294 // Calculate hash( diversifier || salt_block || pwd_block ) 295 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 296 goto exit; 297 298 if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) 299 goto exit; 300 301 if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 ) 302 goto exit; 303 304 if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 ) 305 goto exit; 306 307 if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) 308 goto exit; 309 310 // Perform remaining ( iterations - 1 ) recursive hash calculations 311 for( i = 1; i < (size_t) iterations; i++ ) 312 { 313 if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 ) 314 goto exit; 315 } 316 317 use_len = ( datalen > hlen ) ? hlen : datalen; 318 memcpy( p, hash_output, use_len ); 319 datalen -= use_len; 320 p += use_len; 321 322 if( datalen == 0 ) 323 break; 324 325 // Concatenating copies of hash_output into hash_block (B) 326 pkcs12_fill_buffer( hash_block, v, hash_output, hlen ); 327 328 // B += 1 329 for( i = v; i > 0; i-- ) 330 if( ++hash_block[i - 1] != 0 ) 331 break; 332 333 // salt_block += B 334 c = 0; 335 for( i = v; i > 0; i-- ) 336 { 337 j = salt_block[i - 1] + hash_block[i - 1] + c; 338 c = (unsigned char) (j >> 8); 339 salt_block[i - 1] = j & 0xFF; 340 } 341 342 // pwd_block += B 343 c = 0; 344 for( i = v; i > 0; i-- ) 345 { 346 j = pwd_block[i - 1] + hash_block[i - 1] + c; 347 c = (unsigned char) (j >> 8); 348 pwd_block[i - 1] = j & 0xFF; 349 } 350 } 351 352 ret = 0; 353 354 exit: 355 mbedtls_platform_zeroize( salt_block, sizeof( salt_block ) ); 356 mbedtls_platform_zeroize( pwd_block, sizeof( pwd_block ) ); 357 mbedtls_platform_zeroize( hash_block, sizeof( hash_block ) ); 358 mbedtls_platform_zeroize( hash_output, sizeof( hash_output ) ); 359 360 mbedtls_md_free( &md_ctx ); 361 362 return( ret ); 363 } 364 365 #endif /* MBEDTLS_PKCS12_C */ 366