source-git / osbuild-composer

Clone
Source Code
GIT

Blame vendor/golang.org/x/crypto/pkcs12/pkcs12.go

c8 c8s master
  1.   63bb0d93b11f02080a820729a2ebb0b69465a352
  2.   vendor
  3.   golang.org
  4.   x
  5.   crypto
  6.   pkcs12
  7.   pkcs12.go
Blob History Raw
Packit 63bb0d 
// Copyright 2015 The Go Authors. All rights reserved.
Packit 63bb0d 
// Use of this source code is governed by a BSD-style
Packit 63bb0d 
// license that can be found in the LICENSE file.
Packit 63bb0d
Packit 63bb0d 
// Package pkcs12 implements some of PKCS#12.
Packit 63bb0d 
//
Packit 63bb0d 
// This implementation is distilled from https://tools.ietf.org/html/rfc7292
Packit 63bb0d 
// and referenced documents. It is intended for decoding P12/PFX-stored
Packit 63bb0d 
// certificates and keys for use with the crypto/tls package.
Packit 63bb0d 
//
Packit 63bb0d 
// This package is frozen. If it's missing functionality you need, consider
Packit 63bb0d 
// an alternative like software.sslmate.com/src/go-pkcs12.
Packit 63bb0d 
package pkcs12
Packit 63bb0d
Packit 63bb0d 
import (
Packit 63bb0d 
	"crypto/ecdsa"
Packit 63bb0d 
	"crypto/rsa"
Packit 63bb0d 
	"crypto/x509"
Packit 63bb0d 
	"crypto/x509/pkix"
Packit 63bb0d 
	"encoding/asn1"
Packit 63bb0d 
	"encoding/hex"
Packit 63bb0d 
	"encoding/pem"
Packit 63bb0d 
	"errors"
Packit 63bb0d 
)
Packit 63bb0d
Packit 63bb0d 
var (
Packit 63bb0d 
	oidDataContentType          = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 7, 1})
Packit 63bb0d 
	oidEncryptedDataContentType = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 7, 6})
Packit 63bb0d
Packit 63bb0d 
	oidFriendlyName     = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 20})
Packit 63bb0d 
	oidLocalKeyID       = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 21})
Packit 63bb0d 
	oidMicrosoftCSPName = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 311, 17, 1})
Packit 63bb0d 
)
Packit 63bb0d
Packit 63bb0d 
type pfxPdu struct {
Packit 63bb0d 
	Version  int
Packit 63bb0d 
	AuthSafe contentInfo
Packit 63bb0d 
	MacData  macData `asn1:"optional"`
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
type contentInfo struct {
Packit 63bb0d 
	ContentType asn1.ObjectIdentifier
Packit 63bb0d 
	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
type encryptedData struct {
Packit 63bb0d 
	Version              int
Packit 63bb0d 
	EncryptedContentInfo encryptedContentInfo
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
type encryptedContentInfo struct {
Packit 63bb0d 
	ContentType                asn1.ObjectIdentifier
Packit 63bb0d 
	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
Packit 63bb0d 
	EncryptedContent           []byte `asn1:"tag:0,optional"`
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func (i encryptedContentInfo) Algorithm() pkix.AlgorithmIdentifier {
Packit 63bb0d 
	return i.ContentEncryptionAlgorithm
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func (i encryptedContentInfo) Data() []byte { return i.EncryptedContent }
Packit 63bb0d
Packit 63bb0d 
type safeBag struct {
Packit 63bb0d 
	Id         asn1.ObjectIdentifier
Packit 63bb0d 
	Value      asn1.RawValue     `asn1:"tag:0,explicit"`
Packit 63bb0d 
	Attributes []pkcs12Attribute `asn1:"set,optional"`
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
type pkcs12Attribute struct {
Packit 63bb0d 
	Id    asn1.ObjectIdentifier
Packit 63bb0d 
	Value asn1.RawValue `asn1:"set"`
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
type encryptedPrivateKeyInfo struct {
Packit 63bb0d 
	AlgorithmIdentifier pkix.AlgorithmIdentifier
Packit 63bb0d 
	EncryptedData       []byte
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func (i encryptedPrivateKeyInfo) Algorithm() pkix.AlgorithmIdentifier {
Packit 63bb0d 
	return i.AlgorithmIdentifier
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func (i encryptedPrivateKeyInfo) Data() []byte {
Packit 63bb0d 
	return i.EncryptedData
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
// PEM block types
Packit 63bb0d 
const (
Packit 63bb0d 
	certificateType = "CERTIFICATE"
Packit 63bb0d 
	privateKeyType  = "PRIVATE KEY"
Packit 63bb0d 
)
Packit 63bb0d
Packit 63bb0d 
// unmarshal calls asn1.Unmarshal, but also returns an error if there is any
Packit 63bb0d 
// trailing data after unmarshaling.
Packit 63bb0d 
func unmarshal(in []byte, out interface{}) error {
Packit 63bb0d 
	trailing, err := asn1.Unmarshal(in, out)
Packit 63bb0d 
	if err != nil {
Packit 63bb0d 
		return err
Packit 63bb0d 
	}
Packit 63bb0d 
	if len(trailing) != 0 {
Packit 63bb0d 
		return errors.New("pkcs12: trailing data found")
Packit 63bb0d 
	}
Packit 63bb0d 
	return nil
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
// ToPEM converts all "safe bags" contained in pfxData to PEM blocks.
Packit 63bb0d 
func ToPEM(pfxData []byte, password string) ([]*pem.Block, error) {
Packit 63bb0d 
	encodedPassword, err := bmpString(password)
Packit 63bb0d 
	if err != nil {
Packit 63bb0d 
		return nil, ErrIncorrectPassword
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
Packit 63bb0d
Packit 63bb0d 
	if err != nil {
Packit 63bb0d 
		return nil, err
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	blocks := make([]*pem.Block, 0, len(bags))
Packit 63bb0d 
	for _, bag := range bags {
Packit 63bb0d 
		block, err := convertBag(&bag, encodedPassword)
Packit 63bb0d 
		if err != nil {
Packit 63bb0d 
			return nil, err
Packit 63bb0d 
		}
Packit 63bb0d 
		blocks = append(blocks, block)
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	return blocks, nil
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func convertBag(bag *safeBag, password []byte) (*pem.Block, error) {
Packit 63bb0d 
	block := &pem.Block{
Packit 63bb0d 
		Headers: make(map[string]string),
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	for _, attribute := range bag.Attributes {
Packit 63bb0d 
		k, v, err := convertAttribute(&attribute)
Packit 63bb0d 
		if err != nil {
Packit 63bb0d 
			return nil, err
Packit 63bb0d 
		}
Packit 63bb0d 
		block.Headers[k] = v
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	switch {
Packit 63bb0d 
	case bag.Id.Equal(oidCertBag):
Packit 63bb0d 
		block.Type = certificateType
Packit 63bb0d 
		certsData, err := decodeCertBag(bag.Value.Bytes)
Packit 63bb0d 
		if err != nil {
Packit 63bb0d 
			return nil, err
Packit 63bb0d 
		}
Packit 63bb0d 
		block.Bytes = certsData
Packit 63bb0d 
	case bag.Id.Equal(oidPKCS8ShroundedKeyBag):
Packit 63bb0d 
		block.Type = privateKeyType
Packit 63bb0d
Packit 63bb0d 
		key, err := decodePkcs8ShroudedKeyBag(bag.Value.Bytes, password)
Packit 63bb0d 
		if err != nil {
Packit 63bb0d 
			return nil, err
Packit 63bb0d 
		}
Packit 63bb0d
Packit 63bb0d 
		switch key := key.(type) {
Packit 63bb0d 
		case *rsa.PrivateKey:
Packit 63bb0d 
			block.Bytes = x509.MarshalPKCS1PrivateKey(key)
Packit 63bb0d 
		case *ecdsa.PrivateKey:
Packit 63bb0d 
			block.Bytes, err = x509.MarshalECPrivateKey(key)
Packit 63bb0d 
			if err != nil {
Packit 63bb0d 
				return nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
		default:
Packit 63bb0d 
			return nil, errors.New("found unknown private key type in PKCS#8 wrapping")
Packit 63bb0d 
		}
Packit 63bb0d 
	default:
Packit 63bb0d 
		return nil, errors.New("don't know how to convert a safe bag of type " + bag.Id.String())
Packit 63bb0d 
	}
Packit 63bb0d 
	return block, nil
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func convertAttribute(attribute *pkcs12Attribute) (key, value string, err error) {
Packit 63bb0d 
	isString := false
Packit 63bb0d
Packit 63bb0d 
	switch {
Packit 63bb0d 
	case attribute.Id.Equal(oidFriendlyName):
Packit 63bb0d 
		key = "friendlyName"
Packit 63bb0d 
		isString = true
Packit 63bb0d 
	case attribute.Id.Equal(oidLocalKeyID):
Packit 63bb0d 
		key = "localKeyId"
Packit 63bb0d 
	case attribute.Id.Equal(oidMicrosoftCSPName):
Packit 63bb0d 
		// This key is chosen to match OpenSSL.
Packit 63bb0d 
		key = "Microsoft CSP Name"
Packit 63bb0d 
		isString = true
Packit 63bb0d 
	default:
Packit 63bb0d 
		return "", "", errors.New("pkcs12: unknown attribute with OID " + attribute.Id.String())
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if isString {
Packit 63bb0d 
		if err := unmarshal(attribute.Value.Bytes, &attribute.Value); err != nil {
Packit 63bb0d 
			return "", "", err
Packit 63bb0d 
		}
Packit 63bb0d 
		if value, err = decodeBMPString(attribute.Value.Bytes); err != nil {
Packit 63bb0d 
			return "", "", err
Packit 63bb0d 
		}
Packit 63bb0d 
	} else {
Packit 63bb0d 
		var id []byte
Packit 63bb0d 
		if err := unmarshal(attribute.Value.Bytes, &id;; err != nil {
Packit 63bb0d 
			return "", "", err
Packit 63bb0d 
		}
Packit 63bb0d 
		value = hex.EncodeToString(id)
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	return key, value, nil
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
// Decode extracts a certificate and private key from pfxData. This function
Packit 63bb0d 
// assumes that there is only one certificate and only one private key in the
Packit 63bb0d 
// pfxData; if there are more use ToPEM instead.
Packit 63bb0d 
func Decode(pfxData []byte, password string) (privateKey interface{}, certificate *x509.Certificate, err error) {
Packit 63bb0d 
	encodedPassword, err := bmpString(password)
Packit 63bb0d 
	if err != nil {
Packit 63bb0d 
		return nil, nil, err
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
Packit 63bb0d 
	if err != nil {
Packit 63bb0d 
		return nil, nil, err
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if len(bags) != 2 {
Packit 63bb0d 
		err = errors.New("pkcs12: expected exactly two safe bags in the PFX PDU")
Packit 63bb0d 
		return
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	for _, bag := range bags {
Packit 63bb0d 
		switch {
Packit 63bb0d 
		case bag.Id.Equal(oidCertBag):
Packit 63bb0d 
			if certificate != nil {
Packit 63bb0d 
				err = errors.New("pkcs12: expected exactly one certificate bag")
Packit 63bb0d 
			}
Packit 63bb0d
Packit 63bb0d 
			certsData, err := decodeCertBag(bag.Value.Bytes)
Packit 63bb0d 
			if err != nil {
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
			certs, err := x509.ParseCertificates(certsData)
Packit 63bb0d 
			if err != nil {
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
			if len(certs) != 1 {
Packit 63bb0d 
				err = errors.New("pkcs12: expected exactly one certificate in the certBag")
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
			certificate = certs[0]
Packit 63bb0d
Packit 63bb0d 
		case bag.Id.Equal(oidPKCS8ShroundedKeyBag):
Packit 63bb0d 
			if privateKey != nil {
Packit 63bb0d 
				err = errors.New("pkcs12: expected exactly one key bag")
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d
Packit 63bb0d 
			if privateKey, err = decodePkcs8ShroudedKeyBag(bag.Value.Bytes, encodedPassword); err != nil {
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
		}
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if certificate == nil {
Packit 63bb0d 
		return nil, nil, errors.New("pkcs12: certificate missing")
Packit 63bb0d 
	}
Packit 63bb0d 
	if privateKey == nil {
Packit 63bb0d 
		return nil, nil, errors.New("pkcs12: private key missing")
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	return
Packit 63bb0d 
}
Packit 63bb0d
Packit 63bb0d 
func getSafeContents(p12Data, password []byte) (bags []safeBag, updatedPassword []byte, err error) {
Packit 63bb0d 
	pfx := new(pfxPdu)
Packit 63bb0d 
	if err := unmarshal(p12Data, pfx); err != nil {
Packit 63bb0d 
		return nil, nil, errors.New("pkcs12: error reading P12 data: " + err.Error())
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if pfx.Version != 3 {
Packit 63bb0d 
		return nil, nil, NotImplementedError("can only decode v3 PFX PDU's")
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if !pfx.AuthSafe.ContentType.Equal(oidDataContentType) {
Packit 63bb0d 
		return nil, nil, NotImplementedError("only password-protected PFX is implemented")
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	// unmarshal the explicit bytes in the content for type 'data'
Packit 63bb0d 
	if err := unmarshal(pfx.AuthSafe.Content.Bytes, &pfx.AuthSafe.Content); err != nil {
Packit 63bb0d 
		return nil, nil, err
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if len(pfx.MacData.Mac.Algorithm.Algorithm) == 0 {
Packit 63bb0d 
		return nil, nil, errors.New("pkcs12: no MAC in data")
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if err := verifyMac(&pfx.MacData, pfx.AuthSafe.Content.Bytes, password); err != nil {
Packit 63bb0d 
		if err == ErrIncorrectPassword && len(password) == 2 && password[0] == 0 && password[1] == 0 {
Packit 63bb0d 
			// some implementations use an empty byte array
Packit 63bb0d 
			// for the empty string password try one more
Packit 63bb0d 
			// time with empty-empty password
Packit 63bb0d 
			password = nil
Packit 63bb0d 
			err = verifyMac(&pfx.MacData, pfx.AuthSafe.Content.Bytes, password)
Packit 63bb0d 
		}
Packit 63bb0d 
		if err != nil {
Packit 63bb0d 
			return nil, nil, err
Packit 63bb0d 
		}
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	var authenticatedSafe []contentInfo
Packit 63bb0d 
	if err := unmarshal(pfx.AuthSafe.Content.Bytes, &authenticatedSafe); err != nil {
Packit 63bb0d 
		return nil, nil, err
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	if len(authenticatedSafe) != 2 {
Packit 63bb0d 
		return nil, nil, NotImplementedError("expected exactly two items in the authenticated safe")
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	for _, ci := range authenticatedSafe {
Packit 63bb0d 
		var data []byte
Packit 63bb0d
Packit 63bb0d 
		switch {
Packit 63bb0d 
		case ci.ContentType.Equal(oidDataContentType):
Packit 63bb0d 
			if err := unmarshal(ci.Content.Bytes, &data); err != nil {
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
		case ci.ContentType.Equal(oidEncryptedDataContentType):
Packit 63bb0d 
			var encryptedData encryptedData
Packit 63bb0d 
			if err := unmarshal(ci.Content.Bytes, &encryptedData); err != nil {
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
			if encryptedData.Version != 0 {
Packit 63bb0d 
				return nil, nil, NotImplementedError("only version 0 of EncryptedData is supported")
Packit 63bb0d 
			}
Packit 63bb0d 
			if data, err = pbDecrypt(encryptedData.EncryptedContentInfo, password); err != nil {
Packit 63bb0d 
				return nil, nil, err
Packit 63bb0d 
			}
Packit 63bb0d 
		default:
Packit 63bb0d 
			return nil, nil, NotImplementedError("only data and encryptedData content types are supported in authenticated safe")
Packit 63bb0d 
		}
Packit 63bb0d
Packit 63bb0d 
		var safeContents []safeBag
Packit 63bb0d 
		if err := unmarshal(data, &safeContents); err != nil {
Packit 63bb0d 
			return nil, nil, err
Packit 63bb0d 
		}
Packit 63bb0d 
		bags = append(bags, safeContents...)
Packit 63bb0d 
	}
Packit 63bb0d
Packit 63bb0d 
	return bags, password, nil
Packit 63bb0d 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation