[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Thu Aug 6 22:01:01 UTC 2020
The branch master has been updated
via c5ec6dcf0bdd15354a1440632766e19540487c58 (commit)
from 15c9aa3aef77c642ef2b6c84bba2b57b35ed083e (commit)
- Log -----------------------------------------------------------------
commit c5ec6dcf0bdd15354a1440632766e19540487c58
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Thu Sep 19 15:39:13 2019 +1000
Add new APIs to get PKCS12 secretBag OID and value
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10063)
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs12.c | 14 +
crypto/err/openssl.txt | 2 +
crypto/pkcs12/p12_attr.c | 28 +-
crypto/pkcs12/p12_crt.c | 18 +
crypto/pkcs12/p12_sbag.c | 66 ++-
crypto/pkcs12/pk12err.c | 3 +-
doc/man3/PKCS12_SAFEBAG_create_cert.pod | 80 ++++
doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 74 ++++
doc/man3/PKCS12_add1_attr_by_NID.pod | 52 +++
doc/man3/PKCS12_add_cert.pod | 66 +++
doc/man3/PKCS12_add_safe.pod | 64 +++
include/openssl/pkcs12.h | 9 +
include/openssl/pkcs12err.h | 2 +
test/build.info | 7 +-
test/pkcs12_format_test.c | 444 ++++++++++++++++++++
test/pkcs12_helper.c | 708 ++++++++++++++++++++++++++++++++
test/pkcs12_helper.h | 99 +++++
test/recipes/80-test_pkcs12.t | 5 +-
util/libcrypto.num | 6 +
19 files changed, 1738 insertions(+), 9 deletions(-)
create mode 100644 doc/man3/PKCS12_SAFEBAG_create_cert.pod
create mode 100644 doc/man3/PKCS12_SAFEBAG_get1_cert.pod
create mode 100644 doc/man3/PKCS12_add1_attr_by_NID.pod
create mode 100644 doc/man3/PKCS12_add_cert.pod
create mode 100644 doc/man3/PKCS12_add_safe.pod
create mode 100644 test/pkcs12_format_test.c
create mode 100644 test/pkcs12_helper.c
create mode 100644 test/pkcs12_helper.h
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 3398250efd..46340c0d25 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -789,6 +789,16 @@ int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
X509_free(x509);
break;
+ case NID_secretBag:
+ if (options & INFO)
+ BIO_printf(bio_err, "Secret bag\n");
+ print_attribs(out, attrs, "Bag Attributes");
+ BIO_printf(bio_err, "Bag Type: ");
+ i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_bag_type(bag));
+ BIO_printf(bio_err, "\nBag Value: ");
+ print_attribute(out, PKCS12_SAFEBAG_get0_bag_obj(bag));
+ return 1;
+
case NID_safeContentsBag:
if (options & INFO)
BIO_printf(bio_err, "Safe Contents bag\n");
@@ -954,6 +964,10 @@ void print_attribute(BIO *out, const ASN1_TYPE *av)
OPENSSL_free(value);
break;
+ case V_ASN1_UTF8STRING:
+ BIO_printf(out, "%s\n", av->value.utf8string->data);
+ break;
+
case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 53becb8ed4..cbfc495a0a 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1058,6 +1058,7 @@ PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF:112:PKCS12_SAFEBAG_create0_p8inf
PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8:113:PKCS12_SAFEBAG_create0_pkcs8
PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT:133:\
PKCS12_SAFEBAG_create_pkcs8_encrypt
+PKCS12_F_PKCS12_SAFEBAG_CREATE_SECRET:134:
PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_setup_mac
PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac
PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes
@@ -2760,6 +2761,7 @@ PKCS12_R_ENCRYPT_ERROR:103:encrypt error
PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE:120:error setting encrypted data type
PKCS12_R_INVALID_NULL_ARGUMENT:104:invalid null argument
PKCS12_R_INVALID_NULL_PKCS12_POINTER:105:invalid null pkcs12 pointer
+PKCS12_R_INVALID_TYPE:112:invalid type
PKCS12_R_IV_GEN_ERROR:106:iv gen error
PKCS12_R_KEY_GEN_ERROR:107:key gen error
PKCS12_R_MAC_ABSENT:108:mac absent
diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c
index e2ca95bcfa..0acecef7a3 100644
--- a/crypto/pkcs12/p12_attr.c
+++ b/crypto/pkcs12/p12_attr.c
@@ -18,7 +18,7 @@ int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID,
- V_ASN1_OCTET_STRING, name, namelen))
+ V_ASN1_OCTET_STRING, name, namelen) != NULL)
return 1;
else
return 0;
@@ -39,7 +39,7 @@ int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
- MBSTRING_ASC, (unsigned char *)name, namelen))
+ MBSTRING_ASC, (unsigned char *)name, namelen) != NULL)
return 1;
else
return 0;
@@ -49,7 +49,7 @@ int PKCS12_add_friendlyname_utf8(PKCS12_SAFEBAG *bag, const char *name,
int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
- MBSTRING_UTF8, (unsigned char *)name, namelen))
+ MBSTRING_UTF8, (unsigned char *)name, namelen) != NULL)
return 1;
else
return 0;
@@ -59,7 +59,7 @@ int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
const unsigned char *name, int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
- MBSTRING_BMP, name, namelen))
+ MBSTRING_BMP, name, namelen) != NULL)
return 1;
else
return 0;
@@ -68,7 +68,25 @@ int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
{
if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name,
- MBSTRING_ASC, (unsigned char *)name, namelen))
+ MBSTRING_ASC, (unsigned char *)name, namelen) != NULL)
+ return 1;
+ else
+ return 0;
+}
+
+int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type,
+ const unsigned char *bytes, int len)
+{
+ if (X509at_add1_attr_by_NID(&bag->attrib, nid, type, bytes, len) != NULL)
+ return 1;
+ else
+ return 0;
+}
+
+int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
+ const unsigned char *bytes, int len)
+{
+ if (X509at_add1_attr_by_txt(&bag->attrib, attrname, type, bytes, len) != NULL)
return 1;
else
return 0;
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index f75b2437c9..699f1b7d61 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -207,6 +207,24 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
}
+PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ int nid_type, const unsigned char *value, int len)
+{
+ PKCS12_SAFEBAG *bag = NULL;
+
+ /* Add secret, storing the value as an octet string */
+ if ((bag = PKCS12_SAFEBAG_create_secret(nid_type, V_ASN1_OCTET_STRING, value, len)) == NULL)
+ goto err;
+
+ if (!pkcs12_add_bag(pbags, bag))
+ goto err;
+
+ return bag;
+ err:
+ PKCS12_SAFEBAG_free(bag);
+ return NULL;
+}
+
int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
int nid_safe, int iter, const char *pass)
{
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index ccb9acb17e..3da437f7ea 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -71,6 +71,16 @@ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
return OBJ_obj2nid(bag->value.bag->type);
}
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag)
+{
+ return bag->value.bag->type;
+}
+
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag)
+{
+ return bag->value.bag->value.other;
+}
+
X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
{
if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag)
@@ -103,6 +113,60 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
NID_x509Crl, NID_crlBag);
}
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned char *value, int len)
+{
+ PKCS12_BAGS *bag;
+ PKCS12_SAFEBAG *safebag;
+
+ if ((bag = PKCS12_BAGS_new()) == NULL) {
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ bag->type = OBJ_nid2obj(type);
+
+ switch(vtype) {
+ case V_ASN1_OCTET_STRING:
+ {
+ ASN1_OCTET_STRING *strtmp = ASN1_OCTET_STRING_new();
+
+ if (strtmp == NULL) {
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ /* Pack data into an octet string */
+ if (!ASN1_OCTET_STRING_set(strtmp, value, len)) {
+ ASN1_OCTET_STRING_free(strtmp);
+ PKCS12err(0, PKCS12_R_ENCODE_ERROR);
+ goto err;
+ }
+ bag->value.other = ASN1_TYPE_new();
+ if (bag->value.other == NULL) {
+ ASN1_OCTET_STRING_free(strtmp);
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ ASN1_TYPE_set(bag->value.other, vtype, strtmp);
+ }
+ break;
+
+ default:
+ PKCS12err(0, PKCS12_R_INVALID_TYPE);
+ goto err;
+ }
+
+ if ((safebag = PKCS12_SAFEBAG_new()) == NULL) {
+ PKCS12err(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ safebag->value.bag = bag;
+ safebag->type = OBJ_nid2obj(NID_secretBag);
+ return safebag;
+
+ err:
+ PKCS12_BAGS_free(bag);
+ return NULL;
+}
+
/* Turn PKCS8 object into a keybag */
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
index c3ad2bf708..f7789dc8d3 100644
--- a/crypto/pkcs12/pk12err.c
+++ b/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -27,6 +27,7 @@ static const ERR_STRING_DATA PKCS12_str_reasons[] = {
"invalid null argument"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_NULL_PKCS12_POINTER),
"invalid null pkcs12 pointer"},
+ {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_TYPE), "invalid type"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_IV_GEN_ERROR), "iv gen error"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_KEY_GEN_ERROR), "key gen error"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_ABSENT), "mac absent"},
diff --git a/doc/man3/PKCS12_SAFEBAG_create_cert.pod b/doc/man3/PKCS12_SAFEBAG_create_cert.pod
new file mode 100644
index 0000000000..380cde5612
--- /dev/null
+++ b/doc/man3/PKCS12_SAFEBAG_create_cert.pod
@@ -0,0 +1,80 @@
+=pod
+
+=head1 NAME
+
+PKCS12_SAFEBAG_create_cert, PKCS12_SAFEBAG_create_crl,
+PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf,
+PKCS12_SAFEBAG_create0_pkcs8, PKCS12_SAFEBAG_create_pkcs8_encrypt - Create
+PKCS#12 safeBag objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/pkcs12.h>
+
+ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509);
+ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl);
+ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype,
+ const unsigned char* value,
+ int len);
+ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8);
+ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8);
+ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
+ const char *pass,
+ int passlen,
+ unsigned char *salt,
+ int saltlen, int iter,
+ PKCS8_PRIV_KEY_INFO *p8inf);
+
+=head1 DESCRIPTION
+
+PKCS12_SAFEBAG_create_cert() creates a new B<PKCS12_SAFEBAG> of type B<NID_certBag>
+containing the supplied certificate.
+
+PKCS12_SAFEBAG_create_crl() creates a new B<PKCS12_SAFEBAG> of type B<NID_crlBag>
+containing the supplied crl.
+
+PKCS12_SAFEBAG_create_secret() creates a new B<PKCS12_SAFEBAG> of type
+corresponding to a PKCS#12 I<secretBag>. The I<secretBag> contents are tagged as
+I<type> with an ASN1 value of type I<vtype> constructed using the bytes in
+I<value> of length I<len>.
+
+PKCS12_SAFEBAG_create0_p8inf() creates a new B<PKCS12_SAFEBAG> of type B<NID_keyBag>
+containing the supplied PKCS8 structure.
+
+PKCS12_SAFEBAG_create0_pkcs8() creates a new B<PKCS12_SAFEBAG> of type
+B<NID_pkcs8ShroudedKeyBag> containing the supplied PKCS8 structure.
+
+PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B<PKCS12_SAFEBAG> of type
+B<NID_pkcs8ShroudedKeyBag> by encrypting the supplied PKCS8 I<p8inf>.
+If I<pbe_nid> is 0, a default encryption algorithm is used. I<pass> is the
+passphrase and I<iter> is the iteration count. If I<iter> is zero then a default
+value of 2048 is used. If I<salt> is NULL then a salt is generated randomly.
+
+=head1 NOTES
+
+PKCS12_SAFEBAG_create_pkcs8_encrypt() makes assumptions regarding the encoding of the given pass
+phrase.
+See L<passphrase-encoding(7)> for more information.
+
+PKCS12_SAFEBAG_create_secret() was added in OpenSSL 3.0.
+
+=head1 RETURN VALUES
+
+All of these functions return a valid B<PKCS12_SAFEBAG> structure or NULL if an error occurred.
+
+=head1 SEE ALSO
+
+L<PKCS12_create(3)>,
+L<PKCS12_add_safe(3)>,
+L<PKCS12_add_safes(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod
new file mode 100644
index 0000000000..e1bff6a1c8
--- /dev/null
+++ b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod
@@ -0,0 +1,74 @@
+=pod
+
+=head1 NAME
+
+PKCS12_SAFEBAG_get0_attr, PKCS12_SAFEBAG_get0_type,
+PKCS12_SAFEBAG_get_nid, PKCS12_SAFEBAG_get_bag_nid,
+PKCS12_SAFEBAG_get0_bag_obj, PKCS12_SAFEBAG_get0_bag_type,
+PKCS12_SAFEBAG_get1_cert, PKCS12_SAFEBAG_get1_crl,
+PKCS12_SAFEBAG_get0_safes, PKCS12_SAFEBAG_get0_p8inf,
+PKCS12_SAFEBAG_get0_pkcs8 - Get objects from a PKCS#12 safeBag
+
+=head1 SYNOPSIS
+
+ #include <openssl/pkcs12.h>
+
+ const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
+ int attr_nid);
+ const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag);
+ int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag);
+ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag);
+ const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag);
+ const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag);
+ X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag);
+ X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag);
+ const STACK_OF(PKCS12_SAFEBAG) *PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag);
+ const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag);
+ const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag);
+
+=head1 DESCRIPTION
+
+PKCS12_SAFEBAG_get0_attr() gets the attribute value corresponding to the B<attr_nid>.
+
+PKCS12_SAFEBAG_get0_type() gets the B<safeBag> type as an OID, whereas
+PKCS12_SAFEBAG_get_nid() gets the B<safeBag> type as an NID, which could be
+B<NID_certBag>, B<NID_crlBag>, B<NID_keyBag>, B<NID_secretBag>, B<NID_safeContentsBag>
+or B<NID_pkcs8ShroudedKeyBag>.
+
+PKCS12_SAFEBAG_get_bag_nid() gets the type of the object contained within the
+B<PKCS12_SAFEBAG>. This corresponds to the bag type for most bags, but can be
+arbitrary for B<secretBag>s. PKCS12_SAFEBAG_get0_bag_type() gets this type as an OID.
+
+PKCS12_SAFEBAG_get0_bag_obj() retrieves the object contained within the safeBag.
+
+PKCS12_SAFEBAG_get1_cert() and PKCS12_SAFEBAG_get1_crl() return new B<X509> or
+B<X509_CRL> objects from the item in the safeBag.
+
+PKCS12_SAFEBAG_get0_p8inf() and PKCS12_SAFEBAG_get0_pkcs8() return the PKCS8 object
+from a PKCS8shroudedKeyBag or a keyBag.
+
+PKCS12_SAFEBAG_get0_safes() retrieves the set of B<safeBags> contained within a
+safeContentsBag.
+
+=head1 RETURN VALUES
+
+PKCS12_SAFEBAG_get_nid() and PKCS12_SAFEBAG_get_bag_nid() return the NID of the safeBag
+or bag object, or -1 if there is no corresponding NID.
+Other functions return a valid object of the specified type or NULL if an error occurred.
+
+=head1 SEE ALSO
+
+L<PKCS12_create(3)>,
+L<PKCS12_add_safe(3)>,
+L<PKCS12_add_safes(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/PKCS12_add1_attr_by_NID.pod b/doc/man3/PKCS12_add1_attr_by_NID.pod
new file mode 100644
index 0000000000..4871da35d7
--- /dev/null
+++ b/doc/man3/PKCS12_add1_attr_by_NID.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+PKCS12_add1_attr_by_NID, PKCS12_add1_attr_by_txt - Add an attribute to a PKCS#12
+safeBag structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/pkcs12.h>
+
+ int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type,
+ const unsigned char *bytes, int len);
+ int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
+ const unsigned char *bytes, int len);
+
+=head1 DESCRIPTION
+
+These functions add a PKCS#12 Attribute to the Attribute Set of the B<bag>.
+
+PKCS12_add1_attr_by_NID() adds an attribute of type B<nid> with a value of ASN1
+type B<type> constructed using B<len> bytes from B<bytes>.
+
+PKCS12_add1_attr_by_txt() adds an attribute of type B<attrname> with a value of
+ASN1 type B<type> constructed using B<len> bytes from B<bytes>.
+
+=head1 NOTES
+
+These functions do not check whether an existing attribute of the same type is
+present. There can be multiple attributes with the same type assigned to a
+safeBag.
+
+Both functions were added in OpenSSL 3.0.
+
+=head1 RETURN VALUES
+
+A return value of 1 indicates success, 0 indicates failure.
+
+=head1 SEE ALSO
+
+L<PKCS12_create(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/PKCS12_add_cert.pod b/doc/man3/PKCS12_add_cert.pod
new file mode 100644
index 0000000000..bb326f7f4c
--- /dev/null
+++ b/doc/man3/PKCS12_add_cert.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+PKCS12_add_cert, PKCS12_add_key,
+PKCS12_add_secret - Add an object to a set of PKCS#12 safeBags
+
+=head1 SYNOPSIS
+
+ #include <openssl/pkcs12.h>
+
+ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert);
+ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ EVP_PKEY *key, int key_usage, int iter,
+ int key_nid, const char *pass);
+ PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ int nid_type, const unsigned char *value, int len);
+
+=head1 DESCRIPTION
+
+These functions create a new B<PKCS12_SAFEBAG> and add it to the set of safeBags
+in I<pbags>.
+
+PKCS12_add_cert() creates a PKCS#12 certBag containing the supplied
+certificate and adds this to the set of PKCS#12 safeBags.
+
+PKCS12_add_key() creates a PKCS#12 keyBag (unencrypted) or a pkcs8shroudedKeyBag
+(encrypted) containing the supplied B<EVP_PKEY> and adds this to the set of PKCS#12
+safeBags. If I<key_nid> is not -1 then the key is encrypted with the supplied
+algorithm, using I<pass> as the passphrase and I<iter> as the iteration count. If
+I<iter> is zero then a default value for iteration count of 2048 is used.
+
+PKCS12_add_secret() creates a PKCS#12 secretBag with an OID corresponding to
+the supplied B<nid_type> containing the supplied value as an ASN1 octet string.
+This is then added to the set of PKCS#12 safeBags.
+
+=head1 NOTES
+
+If a certificate contains an B<alias> or a B<keyid> then this will be
+used for the corresponding B<friendlyName> or B<localKeyID> in the
+PKCS12 structure.
+
+PKCS12_add_key() makes assumptions regarding the encoding of the given pass
+phrase.
+See L<passphrase-encoding(7)> for more information.
+
+PKCS12_add_secret() was added in OpenSSL 3.0.
+
+=head1 RETURN VALUES
+
+A valid B<PKCS12_SAFEBAG> structure or NULL if an error occurred.
+
+=head1 SEE ALSO
+
+L<PKCS12_create(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/PKCS12_add_safe.pod b/doc/man3/PKCS12_add_safe.pod
new file mode 100644
index 0000000000..ec657aaa07
--- /dev/null
+++ b/doc/man3/PKCS12_add_safe.pod
@@ -0,0 +1,64 @@
+=pod
+
+=head1 NAME
+
+PKCS12_add_safe, PKCS12_add_safes - Create and add objects to a PKCS#12 structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/pkcs12.h>
+
+ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
+ int safe_nid, int iter, const char *pass);
+ PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid);
+
+=head1 DESCRIPTION
+
+PKCS12_add_safe() creates a new PKCS7 contentInfo containing the supplied
+B<PKCS12_SAFEBAG>s and adds this to a set of PKCS7 contentInfos. Its type
+depends on the value of B<safe_nid>:
+
+=over 4
+
+=item * If I<safe_nid> is -1, a plain PKCS7 I<data> contentInfo is created.
+
+=item * If I<safe_nid> is a valid PBE algorithm NID, a PKCS7 B<encryptedData>
+contentInfo is created. The algorithm uses I<pass> as the passphrase and I<iter>
+as the iteration count. If I<iter> is zero then a default value for iteration
+count of 2048 is used.
+
+=item * If I<safe_nid> is 0, a PKCS7 B<encryptedData> contentInfo is created using
+a default encryption algorithm, currently B<NID_pbe_WithSHA1And3_Key_TripleDES_CBC>.
+
+=back
+
+PKCS12_add_safes() creates a B<PKCS12> structure containing the supplied set of
+PKCS7 contentInfos. The I<safes> are enclosed first within a PKCS7 contentInfo
+of type I<p7_nid>. Currently the only supported type is B<NID_pkcs7_data>.
+
+=head1 NOTES
+
+PKCS12_add_safe() makes assumptions regarding the encoding of the given pass
+phrase.
+See L<passphrase-encoding(7)> for more information.
+
+=head1 RETURN VALUES
+
+PKCS12_add_safe() returns a value of 1 indicating success or 0 for failure.
+
+PKCS12_add_safes() returns a valid B<PKCS12> structure or NULL if an error occurred.
+
+=head1 SEE ALSO
+
+L<PKCS12_create(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h
index abf124f27a..46e95c11b6 100644
--- a/include/openssl/pkcs12.h
+++ b/include/openssl/pkcs12.h
@@ -93,6 +93,8 @@ const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag);
int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag);
int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag);
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag);
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag);
X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag);
X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag);
@@ -103,6 +105,7 @@ const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag);
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509);
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned char *value, int len);
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8);
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8);
PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
@@ -144,6 +147,10 @@ int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
int namelen);
int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
const unsigned char *name, int namelen);
+int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type,
+ const unsigned char *bytes, int len);
+int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
+ const unsigned char *bytes, int len);
int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
int attr_nid);
@@ -209,6 +216,8 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert);
PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
EVP_PKEY *key, int key_usage, int iter,
int key_nid, const char *pass);
+PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ int nid_type, const unsigned char *value, int len);
int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
int safe_nid, int iter, const char *pass);
PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid);
diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h
index 8d69b63f1a..0a3f42bd62 100644
--- a/include/openssl/pkcs12err.h
+++ b/include/openssl/pkcs12err.h
@@ -47,6 +47,7 @@ int ERR_load_PKCS12_strings(void);
# define PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF 0
# define PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8 0
# define PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT 0
+# define PKCS12_F_PKCS12_SAFEBAG_CREATE_SECRET 0
# define PKCS12_F_PKCS12_SETUP_MAC 0
# define PKCS12_F_PKCS12_SET_MAC 0
# define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 0
@@ -67,6 +68,7 @@ int ERR_load_PKCS12_strings(void);
# define PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE 120
# define PKCS12_R_INVALID_NULL_ARGUMENT 104
# define PKCS12_R_INVALID_NULL_PKCS12_POINTER 105
+# define PKCS12_R_INVALID_TYPE 112
# define PKCS12_R_IV_GEN_ERROR 106
# define PKCS12_R_KEY_GEN_ERROR 107
# define PKCS12_R_MAC_ABSENT 108
diff --git a/test/build.info b/test/build.info
index d15ee75814..a3e5857b99 100644
--- a/test/build.info
+++ b/test/build.info
@@ -30,7 +30,7 @@ IF[{- !$disabled{tests} -}]
PROGRAMS{noinst}= \
confdump \
versions \
- aborttest test_test \
+ aborttest test_test pkcs12_format_test \
sanitytest rsa_complex exdatatest bntest \
ectest ecstresstest gmdifftest pbelutest \
destest mdc2test \
@@ -234,6 +234,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[memleaktest]=../include ../apps/include
DEPEND[memleaktest]=../libcrypto libtestutil.a
+ SOURCE[pkcs12_format_test]=pkcs12_format_test.c pkcs12_helper.c
+ INCLUDE[pkcs12_format_test]=../include ../apps/include
+ DEPEND[pkcs12_format_test]=../libcrypto libtestutil.a
+
SOURCE[stack_test]=stack_test.c
INCLUDE[stack_test]=../include ../apps/include
DEPEND[stack_test]=../libcrypto libtestutil.a
@@ -276,6 +280,7 @@ IF[{- !$disabled{tests} -}]
INCLUDE[ssl_test_ctx.o]=../include
INCLUDE[handshake_helper.o]=.. ../include
+ INCLUDE[pkcs12_helper.o]=.. ../include
INCLUDE[ssltestlib.o]=.. ../include
INCLUDE[cmp_testlib.o]=.. ../include ../apps/include
diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c
new file mode 100644
index 0000000000..4b638af82d
--- /dev/null
+++ b/test/pkcs12_format_test.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "internal/nelem.h"
+
+#include <openssl/pkcs12.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#include "testutil.h"
+#include "pkcs12_helper.h"
+
+
+/* --------------------------------------------------------------------------
+ * PKCS12 component test data
+ */
+
+static const unsigned char CERT1[] =
+{
+ 0x30, 0x82, 0x01, 0xed, 0x30, 0x82, 0x01, 0x56, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
+ 0x8b, 0x4b, 0x5e, 0x6c, 0x03, 0x28, 0x4e, 0xe6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x19, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x0e, 0x50, 0x31, 0x32, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x52, 0x6f, 0x6f, 0x74,
+ 0x2d, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x39, 0x33, 0x30, 0x30, 0x30, 0x34, 0x36,
+ 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x39, 0x32, 0x37, 0x30, 0x30, 0x34, 0x36, 0x35,
+ 0x36, 0x5a, 0x30, 0x1b, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x50,
+ 0x31, 0x32, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2d, 0x31, 0x30,
+ 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+ 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xbc, 0xdc, 0x6f, 0x8c,
+ 0x7a, 0x2a, 0x4b, 0xea, 0x66, 0x66, 0x04, 0xa9, 0x05, 0x92, 0x53, 0xd7, 0x13, 0x3c, 0x49, 0xe1,
+ 0xc8, 0xbb, 0xdf, 0x3d, 0xcb, 0x88, 0x31, 0x07, 0x20, 0x59, 0x93, 0x24, 0x7f, 0x7d, 0xc6, 0x84,
+ 0x81, 0x16, 0x64, 0x4a, 0x52, 0xa6, 0x30, 0x44, 0xdc, 0x1a, 0x30, 0xde, 0xae, 0x29, 0x18, 0xcf,
+ 0xc7, 0xf3, 0xcf, 0x0c, 0xb7, 0x8e, 0x2b, 0x1e, 0x21, 0x01, 0x0b, 0xfb, 0xe5, 0xe6, 0xcf, 0x2b,
+ 0x84, 0xe1, 0x33, 0xf8, 0xba, 0x02, 0xfc, 0x30, 0xfa, 0xc4, 0x33, 0xc7, 0x37, 0xc6, 0x7f, 0x72,
+ 0x31, 0x92, 0x1d, 0x8f, 0xa0, 0xfb, 0xe5, 0x4a, 0x08, 0x31, 0x78, 0x80, 0x9c, 0x23, 0xb4, 0xe9,
+ 0x19, 0x56, 0x04, 0xfa, 0x0d, 0x07, 0x04, 0xb7, 0x43, 0xac, 0x4c, 0x49, 0x7c, 0xc2, 0xa1, 0x44,
+ 0xc1, 0x48, 0x7d, 0x28, 0xe5, 0x23, 0x66, 0x07, 0x22, 0xd5, 0xf0, 0xf1, 0x02, 0x03, 0x01, 0x00,
+ 0x01, 0xa3, 0x3b, 0x30, 0x39, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16,
+ 0x80, 0x14, 0xdb, 0xbb, 0xb8, 0x92, 0x4e, 0x24, 0x0b, 0x1b, 0xbb, 0x78, 0x33, 0xf9, 0x01, 0x02,
+ 0x23, 0x0d, 0x96, 0x18, 0x30, 0x47, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30,
+ 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x04, 0xf0, 0x30, 0x0d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81,
+ 0x00, 0x1c, 0x13, 0xdc, 0x02, 0xf1, 0x44, 0x36, 0x65, 0xa9, 0xbe, 0x30, 0x1c, 0x66, 0x14, 0x20,
+ 0x86, 0x5a, 0xa8, 0x69, 0x25, 0xf8, 0x1a, 0xb6, 0x9e, 0x5e, 0xe9, 0x89, 0xb8, 0x67, 0x70, 0x19,
+ 0x87, 0x60, 0xeb, 0x4b, 0x11, 0x71, 0x85, 0xf8, 0xe9, 0xa7, 0x3e, 0x20, 0x42, 0xec, 0x43, 0x25,
+ 0x01, 0x03, 0xe5, 0x4d, 0x83, 0x22, 0xf5, 0x8e, 0x3a, 0x1a, 0x1b, 0xd4, 0x1c, 0xda, 0x6b, 0x9d,
+ 0x10, 0x1b, 0xee, 0x67, 0x4e, 0x1f, 0x69, 0xab, 0xbc, 0xaa, 0x62, 0x8e, 0x9e, 0xc6, 0xee, 0xd6,
+ 0x09, 0xc0, 0xca, 0xe0, 0xaa, 0x9f, 0x07, 0xb2, 0xc2, 0xbb, 0x31, 0x96, 0xa2, 0x04, 0x62, 0xd3,
+ 0x13, 0x32, 0x29, 0x67, 0x6e, 0xad, 0x2e, 0x0b, 0xea, 0x04, 0x7c, 0x8c, 0x5a, 0x5d, 0xac, 0x14,
+ 0xaa, 0x61, 0x7f, 0x28, 0x6c, 0x2d, 0x64, 0x2d, 0xc3, 0xaf, 0x77, 0x52, 0x90, 0xb4, 0x37, 0xc0,
+ 0x30,
+};
+
+static const unsigned char CERT2[] =
+{
+ 0x30, 0x82, 0x01, 0xed, 0x30, 0x82, 0x01, 0x56, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
+ 0x8b, 0x4b, 0x5e, 0x6c, 0x03, 0x28, 0x4e, 0xe7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x19, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x0e, 0x50, 0x31, 0x32, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x52, 0x6f, 0x6f, 0x74,
+ 0x2d, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x39, 0x33, 0x30, 0x30, 0x30, 0x34, 0x36,
+ 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x39, 0x32, 0x37, 0x30, 0x30, 0x34, 0x36, 0x35,
+ 0x36, 0x5a, 0x30, 0x1b, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x50,
+ 0x31, 0x32, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2d, 0x31, 0x30,
+ 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+ 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa8, 0x6e, 0x40, 0x86,
+ 0x9f, 0x98, 0x59, 0xfb, 0x57, 0xbf, 0xc1, 0x55, 0x12, 0x38, 0xeb, 0xb3, 0x46, 0x34, 0xc9, 0x35,
+ 0x4d, 0xfd, 0x03, 0xe9, 0x3a, 0x88, 0x9e, 0x97, 0x8f, 0xf4, 0xec, 0x36, 0x7b, 0x3f, 0xba, 0xb8,
+ 0xa5, 0x96, 0x30, 0x03, 0xc5, 0xc6, 0xd9, 0xa8, 0x4e, 0xbc, 0x23, 0x51, 0xa1, 0x96, 0xd2, 0x03,
+ 0x98, 0x73, 0xb6, 0x17, 0x9c, 0x77, 0xd4, 0x95, 0x1e, 0x1b, 0xb3, 0x1b, 0xc8, 0x71, 0xd1, 0x2e,
+ 0x31, 0xc7, 0x6a, 0x75, 0x57, 0x08, 0x7f, 0xba, 0x70, 0x76, 0xf7, 0x67, 0xf4, 0x4e, 0xbe, 0xfc,
+ 0x70, 0x61, 0x41, 0x07, 0x2b, 0x7c, 0x3c, 0x3b, 0xb3, 0xbc, 0xd5, 0xa8, 0xbd, 0x28, 0xd8, 0x49,
+ 0xd3, 0xe1, 0x78, 0xc8, 0xc1, 0x42, 0x5e, 0x18, 0x36, 0xa8, 0x41, 0xf7, 0xc8, 0xaa, 0x35, 0xfe,
+ 0x2d, 0xd1, 0xb4, 0xcc, 0x00, 0x67, 0xae, 0x79, 0xd3, 0x28, 0xd5, 0x5b, 0x02, 0x03, 0x01, 0x00,
+ 0x01, 0xa3, 0x3b, 0x30, 0x39, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16,
+ 0x80, 0x14, 0xdb, 0xbb, 0xb8, 0x92, 0x4e, 0x24, 0x0b, 0x1b, 0xbb, 0x78, 0x33, 0xf9, 0x01, 0x02,
+ 0x23, 0x0d, 0x96, 0x18, 0x30, 0x47, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30,
+ 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x04, 0xf0, 0x30, 0x0d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81,
+ 0x00, 0x3b, 0xa6, 0x73, 0xbe, 0xe0, 0x28, 0xed, 0x1f, 0x29, 0x78, 0x4c, 0xc0, 0x1f, 0xe9, 0x85,
+ 0xc6, 0x8f, 0xe3, 0x87, 0x7c, 0xd9, 0xe7, 0x0a, 0x37, 0xe8, 0xaa, 0xb5, 0xd2, 0x7f, 0xf8, 0x90,
+ 0x20, 0x80, 0x35, 0xa7, 0x79, 0x2b, 0x04, 0xa7, 0xbf, 0xe6, 0x7b, 0x58, 0xcb, 0xec, 0x0e, 0x58,
+ 0xef, 0x2a, 0x70, 0x8a, 0x56, 0x8a, 0xcf, 0x6b, 0x7a, 0x74, 0x0c, 0xf4, 0x15, 0x37, 0x93, 0xcd,
+ 0xe6, 0xb2, 0xa1, 0x83, 0x09, 0xdb, 0x9e, 0x4f, 0xff, 0x6a, 0x17, 0x4f, 0x33, 0xc9, 0xcc, 0x90,
+ 0x2a, 0x67, 0xff, 0x16, 0x78, 0xa8, 0x2c, 0x10, 0xe0, 0x52, 0x8c, 0xe6, 0xe9, 0x90, 0x8d, 0xe0,
+ 0x62, 0x04, 0x9a, 0x0f, 0x44, 0x01, 0x82, 0x14, 0x92, 0x44, 0x25, 0x69, 0x22, 0xb7, 0xb8, 0xc5,
+ 0x94, 0x4c, 0x4b, 0x1c, 0x9b, 0x92, 0x60, 0x66, 0x90, 0x4e, 0xb9, 0xa8, 0x4c, 0x89, 0xbb, 0x0f,
+ 0x0b,
+};
+
+static const unsigned char KEY1[] =
+{
+ 0x30, 0x82, 0x02, 0x5d, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xbc, 0xdc, 0x6f, 0x8c, 0x7a,
+ 0x2a, 0x4b, 0xea, 0x66, 0x66, 0x04, 0xa9, 0x05, 0x92, 0x53, 0xd7, 0x13, 0x3c, 0x49, 0xe1, 0xc8,
+ 0xbb, 0xdf, 0x3d, 0xcb, 0x88, 0x31, 0x07, 0x20, 0x59, 0x93, 0x24, 0x7f, 0x7d, 0xc6, 0x84, 0x81,
+ 0x16, 0x64, 0x4a, 0x52, 0xa6, 0x30, 0x44, 0xdc, 0x1a, 0x30, 0xde, 0xae, 0x29, 0x18, 0xcf, 0xc7,
+ 0xf3, 0xcf, 0x0c, 0xb7, 0x8e, 0x2b, 0x1e, 0x21, 0x01, 0x0b, 0xfb, 0xe5, 0xe6, 0xcf, 0x2b, 0x84,
+ 0xe1, 0x33, 0xf8, 0xba, 0x02, 0xfc, 0x30, 0xfa, 0xc4, 0x33, 0xc7, 0x37, 0xc6, 0x7f, 0x72, 0x31,
+ 0x92, 0x1d, 0x8f, 0xa0, 0xfb, 0xe5, 0x4a, 0x08, 0x31, 0x78, 0x80, 0x9c, 0x23, 0xb4, 0xe9, 0x19,
+ 0x56, 0x04, 0xfa, 0x0d, 0x07, 0x04, 0xb7, 0x43, 0xac, 0x4c, 0x49, 0x7c, 0xc2, 0xa1, 0x44, 0xc1,
+ 0x48, 0x7d, 0x28, 0xe5, 0x23, 0x66, 0x07, 0x22, 0xd5, 0xf0, 0xf1, 0x02, 0x03, 0x01, 0x00, 0x01,
+ 0x02, 0x81, 0x81, 0x00, 0xa5, 0x6d, 0xf9, 0x8f, 0xf5, 0x5a, 0xa3, 0x50, 0xd9, 0x0d, 0x37, 0xbb,
+ 0xce, 0x13, 0x94, 0xb8, 0xea, 0x32, 0x7f, 0x0c, 0xf5, 0x46, 0x0b, 0x90, 0x17, 0x7e, 0x5e, 0x63,
+ 0xbd, 0xa4, 0x78, 0xcd, 0x19, 0x97, 0xd4, 0x92, 0x30, 0x78, 0xaa, 0xb4, 0xa7, 0x9c, 0xc6, 0xdf,
+ 0x2a, 0x65, 0x0e, 0xb5, 0x9f, 0x9c, 0x84, 0x0d, 0x4d, 0x3a, 0x74, 0xfc, 0xd0, 0xb4, 0x09, 0x74,
+ 0xc4, 0xb8, 0x24, 0x03, 0xa8, 0xf0, 0xf8, 0x0d, 0x5c, 0x8e, 0xdf, 0x4b, 0xe1, 0x0a, 0x8f, 0x4f,
+ 0xd5, 0xc7, 0x9b, 0x54, 0x55, 0x8f, 0x00, 0x5c, 0xea, 0x4c, 0x73, 0xf9, 0x1b, 0xbf, 0xb8, 0x93,
+ 0x33, 0x20, 0xce, 0x45, 0xd9, 0x03, 0x02, 0xb2, 0x36, 0xc5, 0x0a, 0x30, 0x50, 0x78, 0x80, 0x66,
+ 0x00, 0x22, 0x38, 0x86, 0xcf, 0x63, 0x4a, 0x5c, 0xbf, 0x2b, 0xd9, 0x6e, 0xe6, 0xf0, 0x39, 0xad,
+ 0x12, 0x25, 0x41, 0xb9, 0x02, 0x41, 0x00, 0xf3, 0x7c, 0x07, 0x99, 0x64, 0x3a, 0x28, 0x8c, 0x8d,
+ 0x05, 0xfe, 0x32, 0xb5, 0x4c, 0x8c, 0x6d, 0xde, 0x3d, 0x16, 0x08, 0xa0, 0x01, 0x61, 0x4f, 0x8e,
+ 0xa0, 0xf7, 0x26, 0x26, 0xb5, 0x8e, 0xc0, 0x7a, 0xce, 0x86, 0x34, 0xde, 0xb8, 0xef, 0x86, 0x01,
+ 0xbe, 0x24, 0xaa, 0x9b, 0x36, 0x93, 0x72, 0x9b, 0xf9, 0xc6, 0xcb, 0x76, 0x84, 0x67, 0x06, 0x06,
+ 0x30, 0x50, 0xdf, 0x42, 0x17, 0xe0, 0xa7, 0x02, 0x41, 0x00, 0xc6, 0x91, 0xa0, 0x41, 0x34, 0x11,
+ 0x67, 0x4b, 0x08, 0x0f, 0xda, 0xa7, 0x99, 0xec, 0x58, 0x11, 0xa5, 0x82, 0xdb, 0x50, 0xfe, 0x77,
+ 0xe2, 0xd1, 0x53, 0x9c, 0x7d, 0xe8, 0xbf, 0xe7, 0x7c, 0xa9, 0x01, 0xb1, 0x87, 0xc3, 0x52, 0x79,
+ 0x9e, 0x2c, 0xa7, 0x6f, 0x02, 0x37, 0x32, 0xef, 0x24, 0x31, 0x21, 0x0b, 0x86, 0x05, 0x32, 0x4a,
+ 0x2e, 0x0b, 0x65, 0x05, 0xd3, 0xd6, 0x30, 0xb2, 0xfc, 0xa7, 0x02, 0x41, 0x00, 0xc2, 0xed, 0x31,
+ 0xdc, 0x40, 0x9c, 0x3a, 0xe8, 0x42, 0xe2, 0x60, 0x5e, 0x52, 0x3c, 0xc5, 0x54, 0x14, 0x0e, 0x8d,
+ 0x7c, 0x3c, 0x34, 0xbe, 0xa6, 0x05, 0x86, 0xa2, 0x36, 0x5d, 0xd9, 0x0e, 0x3e, 0xd4, 0x52, 0x50,
+ 0xa9, 0x35, 0x01, 0x93, 0x68, 0x92, 0x2e, 0x9a, 0x86, 0x27, 0x1a, 0xab, 0x32, 0x9e, 0xe2, 0x79,
+ 0x9f, 0x5b, 0xf3, 0xa5, 0xd2, 0xf1, 0xd3, 0x6e, 0x7b, 0x3e, 0x1b, 0x85, 0x93, 0x02, 0x40, 0x68,
+ 0xb8, 0xb6, 0x7e, 0x8c, 0xba, 0x3c, 0xf2, 0x8a, 0x2e, 0xea, 0x4f, 0x07, 0xd3, 0x68, 0x62, 0xee,
+ 0x1a, 0x04, 0x16, 0x44, 0x0d, 0xef, 0xf6, 0x1b, 0x95, 0x65, 0xa5, 0xd1, 0x47, 0x81, 0x2c, 0x14,
+ 0xb3, 0x8e, 0xf9, 0x08, 0xcf, 0x11, 0x07, 0x55, 0xca, 0x2a, 0xad, 0xf7, 0xd3, 0xbd, 0x0f, 0x97,
+ 0xf0, 0xde, 0xde, 0x70, 0xb6, 0x44, 0x70, 0x47, 0xf7, 0xf9, 0xcf, 0x75, 0x61, 0x7f, 0xf3, 0x02,
+ 0x40, 0x38, 0x4a, 0x67, 0xaf, 0xae, 0xb6, 0xb2, 0x6a, 0x00, 0x25, 0x5a, 0xa4, 0x65, 0x20, 0xb1,
+ 0x13, 0xbd, 0x83, 0xff, 0xb4, 0xbc, 0xf4, 0xdd, 0xa1, 0xbb, 0x1c, 0x96, 0x37, 0x35, 0xf4, 0xbf,
+ 0xed, 0x4c, 0xed, 0x92, 0xe8, 0xac, 0xc9, 0xc1, 0xa5, 0xa3, 0x23, 0x66, 0x40, 0x8a, 0xa1, 0xe6,
+ 0xe3, 0x95, 0xfe, 0xc4, 0x53, 0xf5, 0x7d, 0x6e, 0xca, 0x45, 0x42, 0xe4, 0xc2, 0x9f, 0xe5, 0x1e,
+ 0xb5,
+};
+
+
+static const unsigned char KEY2[] =
+{
+ 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xa8, 0x6e, 0x40, 0x86, 0x9f,
+ 0x98, 0x59, 0xfb, 0x57, 0xbf, 0xc1, 0x55, 0x12, 0x38, 0xeb, 0xb3, 0x46, 0x34, 0xc9, 0x35, 0x4d,
+ 0xfd, 0x03, 0xe9, 0x3a, 0x88, 0x9e, 0x97, 0x8f, 0xf4, 0xec, 0x36, 0x7b, 0x3f, 0xba, 0xb8, 0xa5,
+ 0x96, 0x30, 0x03, 0xc5, 0xc6, 0xd9, 0xa8, 0x4e, 0xbc, 0x23, 0x51, 0xa1, 0x96, 0xd2, 0x03, 0x98,
+ 0x73, 0xb6, 0x17, 0x9c, 0x77, 0xd4, 0x95, 0x1e, 0x1b, 0xb3, 0x1b, 0xc8, 0x71, 0xd1, 0x2e, 0x31,
+ 0xc7, 0x6a, 0x75, 0x57, 0x08, 0x7f, 0xba, 0x70, 0x76, 0xf7, 0x67, 0xf4, 0x4e, 0xbe, 0xfc, 0x70,
+ 0x61, 0x41, 0x07, 0x2b, 0x7c, 0x3c, 0x3b, 0xb3, 0xbc, 0xd5, 0xa8, 0xbd, 0x28, 0xd8, 0x49, 0xd3,
+ 0xe1, 0x78, 0xc8, 0xc1, 0x42, 0x5e, 0x18, 0x36, 0xa8, 0x41, 0xf7, 0xc8, 0xaa, 0x35, 0xfe, 0x2d,
+ 0xd1, 0xb4, 0xcc, 0x00, 0x67, 0xae, 0x79, 0xd3, 0x28, 0xd5, 0x5b, 0x02, 0x03, 0x01, 0x00, 0x01,
+ 0x02, 0x81, 0x81, 0x00, 0xa6, 0x00, 0x83, 0xf8, 0x2b, 0x33, 0xac, 0xfb, 0xdb, 0xf0, 0x52, 0x4b,
+ 0xd6, 0x39, 0xe3, 0x94, 0x3d, 0x8d, 0xa9, 0x01, 0xb0, 0x6b, 0xbe, 0x7f, 0x10, 0x01, 0xb6, 0xcd,
+ 0x0a, 0x45, 0x0a, 0xca, 0x67, 0x8e, 0xd8, 0x29, 0x44, 0x8a, 0x51, 0xa8, 0x66, 0x35, 0x26, 0x30,
+ 0x8b, 0xe9, 0x41, 0xa6, 0x22, 0xec, 0xd2, 0xf0, 0x58, 0x41, 0x33, 0x26, 0xf2, 0x3f, 0xe8, 0x75,
+ 0x4f, 0xc7, 0x5d, 0x2e, 0x5a, 0xa8, 0x7a, 0xd2, 0xbf, 0x59, 0xa0, 0x86, 0x79, 0x0b, 0x92, 0x6c,
+ 0x95, 0x5d, 0x87, 0x63, 0x5c, 0xd6, 0x1a, 0xc0, 0xf6, 0x7a, 0x15, 0x8d, 0xc7, 0x3c, 0xb6, 0x9e,
+ 0xa6, 0x58, 0x46, 0x9b, 0xbf, 0x3e, 0x28, 0x8c, 0xdf, 0x1a, 0x87, 0xaa, 0x7e, 0xf5, 0xf2, 0xcb,
+ 0x5e, 0x84, 0x2d, 0xf6, 0x82, 0x7e, 0x89, 0x4e, 0xf5, 0xe6, 0x3c, 0x92, 0x80, 0x1e, 0x98, 0x1c,
+ 0x6a, 0x7b, 0x57, 0x01, 0x02, 0x41, 0x00, 0xdd, 0x60, 0x95, 0xd7, 0xa1, 0x9d, 0x0c, 0xa1, 0x84,
+ 0xc5, 0x39, 0xca, 0x67, 0x4c, 0x1c, 0x06, 0x71, 0x5b, 0x5c, 0x2d, 0x8d, 0xce, 0xcd, 0xe2, 0x79,
+ 0xc8, 0x33, 0xbe, 0x50, 0x37, 0x60, 0x9f, 0x3b, 0xb9, 0x59, 0x55, 0x22, 0x1f, 0xa5, 0x4b, 0x1d,
+ 0xca, 0x38, 0xa0, 0xab, 0x87, 0x9c, 0x86, 0x0e, 0xdb, 0x1c, 0x4f, 0x4f, 0x07, 0xed, 0x18, 0x3f,
+ 0x05, 0x3c, 0xec, 0x78, 0x11, 0xf6, 0x99, 0x02, 0x41, 0x00, 0xc2, 0xc5, 0xcf, 0xbe, 0x95, 0x91,
+ 0xeb, 0xcf, 0x47, 0xf3, 0x33, 0x32, 0xc7, 0x7e, 0x93, 0x56, 0xf7, 0xd8, 0xf9, 0xd4, 0xb6, 0xd6,
+ 0x20, 0xac, 0xba, 0x8a, 0x20, 0x19, 0x14, 0xab, 0xc5, 0x5d, 0xb2, 0x08, 0xcc, 0x77, 0x7c, 0x65,
+ 0xa8, 0xdb, 0x66, 0x97, 0x36, 0x44, 0x2c, 0x63, 0xc0, 0x6a, 0x7e, 0xb0, 0x0b, 0x5c, 0x90, 0x12,
+ 0x50, 0xb4, 0x36, 0x60, 0xc3, 0x1f, 0x22, 0x0c, 0xc8, 0x13, 0x02, 0x40, 0x33, 0xc8, 0x7e, 0x04,
+ 0x7c, 0x97, 0x61, 0xf6, 0xfe, 0x39, 0xac, 0x34, 0xfe, 0x48, 0xbd, 0x5d, 0x7c, 0x72, 0xa4, 0x73,
+ 0x3b, 0x72, 0x9e, 0x92, 0x55, 0x6e, 0x51, 0x3c, 0x39, 0x43, 0x5a, 0xe4, 0xa4, 0x71, 0xcc, 0xc5,
+ 0xaf, 0x3f, 0xbb, 0xc8, 0x80, 0x65, 0x67, 0x2d, 0x9e, 0x32, 0x10, 0x99, 0x03, 0x2c, 0x99, 0xc8,
+ 0xab, 0x71, 0xed, 0x31, 0xf8, 0xbb, 0xde, 0xee, 0x69, 0x7f, 0xba, 0x31, 0x02, 0x40, 0x7e, 0xbc,
+ 0x60, 0x55, 0x4e, 0xd5, 0xc8, 0x6e, 0xf4, 0x0e, 0x57, 0xbe, 0x2e, 0xf9, 0x39, 0xbe, 0x59, 0x3f,
+ 0xa2, 0x30, 0xbb, 0x57, 0xd1, 0xa3, 0x13, 0x2e, 0x55, 0x7c, 0x7c, 0x6a, 0xd8, 0xde, 0x02, 0xbe,
+ 0x9e, 0xed, 0x10, 0xd0, 0xc5, 0x73, 0x1d, 0xea, 0x3e, 0xb1, 0x55, 0x81, 0x02, 0xef, 0x48, 0xc8,
+ 0x1c, 0x5c, 0x7a, 0x92, 0xb0, 0x58, 0xd3, 0x19, 0x5b, 0x5d, 0xa2, 0xb6, 0x56, 0x69, 0x02, 0x40,
+ 0x1e, 0x00, 0x6a, 0x9f, 0xba, 0xee, 0x46, 0x5a, 0xc5, 0xb5, 0x9f, 0x91, 0x33, 0xdd, 0xc9, 0x96,
+ 0x75, 0xb7, 0x87, 0xcf, 0x18, 0x1c, 0xb7, 0xb9, 0x3f, 0x04, 0x10, 0xb8, 0x75, 0xa9, 0xb8, 0xa0,
+ 0x31, 0x35, 0x03, 0x30, 0x89, 0xc8, 0x37, 0x68, 0x20, 0x30, 0x99, 0x39, 0x96, 0xd6, 0x2b, 0x3d,
+ 0x5e, 0x45, 0x84, 0xf7, 0xd2, 0x61, 0x50, 0xc9, 0x50, 0xba, 0x8d, 0x08, 0xaa, 0xd0, 0x08, 0x1e,
+};
+
+
+static const PKCS12_ATTR ATTRS1[] = {
+ { "friendlyName", "george" },
+ { "localKeyID", "1234567890" },
+ { "1.2.3.4.5", "MyCustomAttribute" },
+ { NULL, NULL }
+};
+
+static const PKCS12_ATTR ATTRS2[] = {
+ { "friendlyName", "janet" },
+ { "localKeyID", "987654321" },
+ { "1.2.3.5.8.13", "AnotherCustomAttribute" },
+ { NULL, NULL }
+};
+
+static const PKCS12_ENC enc_default = {
+ NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+ "Password1",
+ 1000
+};
+
+static const PKCS12_ENC mac_default = {
+ NID_sha1,
+ "Password1",
+ 1000
+};
+
+
+/* --------------------------------------------------------------------------
+ * Local functions
+ */
+
+static int get_custom_oid(void)
+{
+ static int sec_nid = -1;
+
+ if (sec_nid != -1)
+ return sec_nid;
+ if (!TEST_true(OBJ_create("1.3.5.7.9", "CustomSecretOID", "My custom secret OID")))
+ return -1;
+ return sec_nid = OBJ_txt2nid("CustomSecretOID");
+}
+
+
+/* --------------------------------------------------------------------------
+ * PKCS12 format tests
+ */
+
+static int test_single_cert_no_attrs(void)
+{
+ PKCS12_BUILDER *pb = new_pkcs12_builder("1cert.p12");
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_certbag(pb, CERT1, sizeof(CERT1), NULL);
+
+ end_contentinfo(pb);
+
+ end_pkcs12(pb);
+
+ /* Read/decode */
+ start_check_pkcs12(pb);
+
+ start_check_contentinfo(pb);
+
+ check_certbag(pb, CERT1, sizeof(CERT1), NULL);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+static int test_single_key_with_attrs(void)
+{
+ PKCS12_BUILDER *pb = new_pkcs12_builder("1key.p12");
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+
+ end_contentinfo(pb);
+
+ end_pkcs12(pb);
+
+ /* Read/decode */
+ start_check_pkcs12(pb);
+
+ start_check_contentinfo(pb);
+
+ check_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+static int test_cert_key_with_attrs_and_mac(void)
+{
+ PKCS12_BUILDER *pb = new_pkcs12_builder("1cert1key.p12");
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_certbag(pb, CERT1, sizeof(CERT1), ATTRS1);
+ add_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+
+ end_contentinfo(pb);
+
+ end_pkcs12_with_mac(pb, &mac_default);
+
+ /* Read/decode */
+ start_check_pkcs12_with_mac(pb, &mac_default);
+
+ start_check_contentinfo(pb);
+
+ check_certbag(pb, CERT1, sizeof(CERT1), ATTRS1);
+ check_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+static int test_cert_key_encrypted_content(void)
+{
+ PKCS12_BUILDER *pb = new_pkcs12_builder("1cert1key_enc.p12");
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_certbag(pb, CERT1, sizeof(CERT1), ATTRS1);
+ add_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+
+ end_contentinfo_encrypted(pb, &enc_default);
+
+ end_pkcs12_with_mac(pb, &mac_default);
+
+ /* Read/decode */
+ start_check_pkcs12_with_mac(pb, &mac_default);
+
+ start_check_contentinfo_encrypted(pb, &enc_default);
+
+ check_certbag(pb, CERT1, sizeof(CERT1), ATTRS1);
+ check_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+static int test_single_secret_encrypted_content(void)
+{
+ PKCS12_BUILDER *pb = new_pkcs12_builder("1secret.p12");
+ int custom_nid = get_custom_oid();
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_secretbag(pb, custom_nid, "VerySecretMessage", ATTRS1);
+
+ end_contentinfo_encrypted(pb, &enc_default);
+
+ end_pkcs12_with_mac(pb, &mac_default);
+
+ /* Read/decode */
+ start_check_pkcs12_with_mac(pb, &mac_default);
+
+ start_check_contentinfo_encrypted(pb, &enc_default);
+
+ check_secretbag(pb, custom_nid, "VerySecretMessage", ATTRS1);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+static int test_multiple_contents(void)
+{
+ PKCS12_BUILDER *pb = new_pkcs12_builder("multi_contents.p12");
+ int custom_nid = get_custom_oid();
+
+ /* Generate/encode */
+ start_pkcs12(pb);
+
+ start_contentinfo(pb);
+
+ add_certbag(pb, CERT1, sizeof(CERT1), ATTRS1);
+ add_certbag(pb, CERT2, sizeof(CERT2), ATTRS2);
+ add_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+ add_keybag(pb, KEY2, sizeof(KEY2), ATTRS2, &enc_default);
+
+ end_contentinfo(pb);
+
+ start_contentinfo(pb);
+
+ add_secretbag(pb, custom_nid, "VeryVerySecretMessage", ATTRS1);
+
+ end_contentinfo_encrypted(pb, &enc_default);
+
+ end_pkcs12_with_mac(pb, &mac_default);
+
+ /* Read/decode */
+ start_check_pkcs12_with_mac(pb, &mac_default);
+
+ start_check_contentinfo(pb);
+
+ check_certbag(pb, CERT1, sizeof(CERT1), ATTRS1);
+ check_certbag(pb, CERT2, sizeof(CERT2), ATTRS2);
+ check_keybag(pb, KEY1, sizeof(KEY1), ATTRS1, &enc_default);
+ check_keybag(pb, KEY2, sizeof(KEY2), ATTRS2, &enc_default);
+
+ end_check_contentinfo(pb);
+
+ start_check_contentinfo_encrypted(pb, &enc_default);
+
+ check_secretbag(pb, custom_nid, "VeryVerySecretMessage", ATTRS1);
+
+ end_check_contentinfo(pb);
+
+ end_check_pkcs12(pb);
+
+ return end_pkcs12_builder(pb);
+}
+
+
+int setup_tests(void)
+{
+ ADD_TEST(test_single_cert_no_attrs);
+ ADD_TEST(test_single_key_with_attrs);
+ ADD_TEST(test_cert_key_with_attrs_and_mac);
+ ADD_TEST(test_cert_key_encrypted_content);
+ ADD_TEST(test_single_secret_encrypted_content);
+ ADD_TEST(test_multiple_contents);
+ return 1;
+}
+
diff --git a/test/pkcs12_helper.c b/test/pkcs12_helper.c
new file mode 100644
index 0000000000..22bebe8e2b
--- /dev/null
+++ b/test/pkcs12_helper.c
@@ -0,0 +1,708 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "internal/nelem.h"
+
+#include <openssl/pkcs12.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#include "testutil.h"
+#include "pkcs12_helper.h"
+
+
+DEFINE_STACK_OF(PKCS7)
+DEFINE_STACK_OF(PKCS12_SAFEBAG)
+DEFINE_STACK_OF(X509_ATTRIBUTE)
+
+/* Set this to > 0 write test data to file */
+int write_files = 0;
+
+/* -------------------------------------------------------------------------
+ * Local function declarations
+ */
+
+static X509 *load_cert(const unsigned char *bytes, int len);
+static EVP_PKEY *load_pkey(const unsigned char *bytes, int len);
+
+static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs);
+
+static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
+static int write_p12(PKCS12 *p12, const char *outfile);
+
+static PKCS12 *from_bio_p12(BIO *bio, const PKCS12_ENC *mac);
+static PKCS12 *read_p12(const char *infile, const PKCS12_ENC *mac);
+static int check_p12_mac(PKCS12 *p12, const PKCS12_ENC *mac);
+static int check_asn1_string(const ASN1_TYPE *av, const char *txt);
+static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_ATTR *attrs);
+
+
+/* --------------------------------------------------------------------------
+ * Test data load functions
+ */
+
+static X509 *load_cert(const unsigned char *bytes, int len)
+{
+ X509 *cert = NULL;
+
+ cert = d2i_X509(NULL, &bytes, len);
+ if (!TEST_ptr(cert))
+ goto err;
+err:
+ return cert;
+}
+
+static EVP_PKEY *load_pkey(const unsigned char *bytes, int len)
+{
+ EVP_PKEY *pkey = NULL;
+
+ pkey = d2i_AutoPrivateKey(NULL, &bytes, len);
+ if (!TEST_ptr(pkey))
+ goto err;
+err:
+ return pkey;
+}
+
+
+/* -------------------------------------------------------------------------
+ * PKCS12 builder
+ */
+
+PKCS12_BUILDER *new_pkcs12_builder(const char *filename)
+{
+ PKCS12_BUILDER *pb = OPENSSL_malloc(sizeof(PKCS12_BUILDER));
+ if (!TEST_ptr(pb))
+ return NULL;
+
+ pb->filename = filename;
+ pb->success = 1;
+ return pb;
+}
+
+int end_pkcs12_builder(PKCS12_BUILDER *pb)
+{
+ int result = pb->success;
+
+ OPENSSL_free(pb);
+ return result;
+}
+
+
+void start_pkcs12(PKCS12_BUILDER *pb)
+{
+ pb->safes = NULL;
+}
+
+
+void end_pkcs12(PKCS12_BUILDER *pb)
+{
+ if (!pb->success)
+ return;
+ generate_p12(pb, NULL);
+}
+
+
+void end_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
+{
+ if (!pb->success)
+ return;
+ generate_p12(pb, mac);
+}
+
+
+/* Generate the PKCS12 encoding and write to memory bio */
+static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
+{
+ PKCS12 *p12;
+
+ if (!pb->success)
+ return;
+
+ pb->p12bio = BIO_new(BIO_s_mem());
+ if (!TEST_ptr(pb->p12bio)) {
+ pb->success = 0;
+ return;
+ }
+ p12 = PKCS12_add_safes(pb->safes, 0);
+ if (!TEST_ptr(p12)) {
+ pb->success = 0;
+ goto err;
+ }
+ sk_PKCS7_pop_free(pb->safes, PKCS7_free);
+
+ if (mac != NULL) {
+ if (!TEST_true(PKCS12_set_mac(p12, mac->pass, strlen(mac->pass),
+ NULL, 0, mac->iter, EVP_get_digestbynid(mac->nid)))) {
+ pb->success = 0;
+ goto err;
+ }
+ }
+ i2d_PKCS12_bio(pb->p12bio, p12);
+
+ /* Can write to file here for debug */
+ if (write_files)
+ write_p12(p12, pb->filename);
+err:
+ PKCS12_free(p12);
+}
+
+
+static int write_p12(PKCS12 *p12, const char *outfile)
+{
+ int ret = 0;
+ BIO *out = BIO_new_file(outfile, "w");
+
+ if (out == NULL)
+ goto err;
+
+ if (!TEST_int_eq(i2d_PKCS12_bio(out, p12), 1))
+ goto err;
+ ret = 1;
+err:
+ BIO_free(out);
+ return ret;
+}
+
+static PKCS12 *from_bio_p12(BIO *bio, const PKCS12_ENC *mac)
+{
+ PKCS12 *p12 = NULL;
+
+ p12 = d2i_PKCS12_bio(bio, NULL);
+ BIO_free(bio);
+ if (!TEST_ptr(p12))
+ goto err;
+ if (mac == NULL) {
+ if (!TEST_false(PKCS12_mac_present(p12)))
+ goto err;
+ } else {
+ if (!check_p12_mac(p12, mac))
+ goto err;
+ }
+ return p12;
+err:
+ PKCS12_free(p12);
+ return NULL;
+}
+
+
+/* For use with existing files */
+static PKCS12 *read_p12(const char *infile, const PKCS12_ENC *mac)
+{
+ PKCS12 *p12 = NULL;
+ BIO *in = BIO_new_file(infile, "r");
+
+ if (in == NULL)
+ goto err;
+ p12 = d2i_PKCS12_bio(in, NULL);
+ BIO_free(in);
+ if (!TEST_ptr(p12))
+ goto err;
+ if (mac == NULL) {
+ if (!TEST_false(PKCS12_mac_present(p12)))
+ goto err;
+ } else {
+ if (!check_p12_mac(p12, mac))
+ goto err;
+ }
+ return p12;
+err:
+ PKCS12_free(p12);
+ return NULL;
+}
+
+static int check_p12_mac(PKCS12 *p12, const PKCS12_ENC *mac)
+{
+ return TEST_true(PKCS12_mac_present(p12))
+ && TEST_true(PKCS12_verify_mac(p12, mac->pass, strlen(mac->pass)));
+}
+
+
+/* -------------------------------------------------------------------------
+ * PKCS7 content info builder
+ */
+
+void start_contentinfo(PKCS12_BUILDER *pb)
+{
+ pb->bags = NULL;
+}
+
+
+void end_contentinfo(PKCS12_BUILDER *pb)
+{
+ if (pb->success) {
+ if (pb->bags && !TEST_true(PKCS12_add_safe(&pb->safes, pb->bags, -1, 0, NULL))) {
+ pb->success = 0;
+ return;
+ }
+ }
+ sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
+ pb->bags = NULL;
+}
+
+
+void end_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc)
+{
+ if (pb->success) {
+ if (pb->bags
+ && !TEST_true(PKCS12_add_safe(&pb->safes, pb->bags, enc->nid, enc->iter, enc->pass))) {
+ pb->success = 0;
+ return;
+ }
+ }
+ sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
+ pb->bags = NULL;
+}
+
+
+static STACK_OF(PKCS12_SAFEBAG) *decode_contentinfo(STACK_OF(PKCS7) *safes, int idx, const PKCS12_ENC *enc)
+{
+ STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
+ PKCS7 *p7 = sk_PKCS7_value(safes, idx);
+ int bagnid = OBJ_obj2nid(p7->type);
+
+ if (enc) {
+ if (!TEST_int_eq(bagnid, NID_pkcs7_encrypted))
+ goto err;
+ /* TODO: Check algorithm (iterations?) against what we originally set */
+ bags = PKCS12_unpack_p7encdata(p7, enc->pass, strlen(enc->pass));
+ } else {
+ if (!TEST_int_eq(bagnid, NID_pkcs7_data))
+ goto err;
+ bags = PKCS12_unpack_p7data(p7);
+ }
+ if (!TEST_ptr(bags))
+ goto err;
+
+ return bags;
+err:
+ return NULL;
+}
+
+
+/* -------------------------------------------------------------------------
+ * PKCS12 safeBag/attribute builder
+ */
+
+static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs)
+{
+ int ret = 0;
+ int attr_nid;
+ const PKCS12_ATTR *p_attr = attrs;
+
+ if (attrs == NULL)
+ return 1;
+
+ while (p_attr->oid != NULL) {
+ TEST_info("Adding attribute %s = %s", p_attr->oid, p_attr->value);
+ attr_nid = OBJ_txt2nid(p_attr->oid);
+
+ if (attr_nid == NID_friendlyName) {
+ if (!TEST_true(PKCS12_add_friendlyname(bag, p_attr->value, -1)))
+ goto err;
+ } else if (attr_nid == NID_localKeyID) {
+ if (!TEST_true(PKCS12_add_localkeyid(bag, (unsigned char *)p_attr->value,
+ strlen(p_attr->value))))
+ goto err;
+ } else {
+ /* Custom attribute values limited to ASCII in these tests */
+ if (!TEST_true(PKCS12_add1_attr_by_txt(bag, p_attr->oid, MBSTRING_ASC,
+ (unsigned char *)p_attr->value,
+ strlen(p_attr->value))))
+ goto err;
+ }
+ p_attr++;
+ }
+ ret = 1;
+err:
+ return ret;
+}
+
+void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs)
+{
+ PKCS12_SAFEBAG *bag = NULL;
+ X509 *cert = NULL;
+ char *name;
+
+ if (!pb->success)
+ return;
+
+ cert = load_cert(bytes, len);
+ if (!TEST_ptr(cert)) {
+ pb->success = 0;
+ return;
+ }
+
+ name = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+ TEST_info("Adding certificate <%s>", name);
+ OPENSSL_free(name);
+
+ bag = PKCS12_add_cert(&pb->bags, cert);
+ if (!TEST_ptr(bag)) {
+ pb->success = 0;
+ goto err;
+ }
+
+ if (!TEST_true(add_attributes(bag, attrs))) {
+ pb->success = 0;
+ goto err;
+ }
+err:
+ X509_free(cert);
+}
+
+void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs, const PKCS12_ENC *enc)
+{
+ PKCS12_SAFEBAG *bag = NULL;
+ EVP_PKEY *pkey = NULL;
+
+ if (!pb->success)
+ return;
+
+ TEST_info("Adding key");
+
+ pkey = load_pkey(bytes, len);
+ if (!TEST_ptr(pkey)) {
+ pb->success = 0;
+ return;
+ }
+
+ bag = PKCS12_add_key(&pb->bags, pkey, 0 /*keytype*/, enc->iter, enc->nid, enc->pass);
+ if (!TEST_ptr(bag)) {
+ pb->success = 0;
+ goto err;
+ }
+ if (!add_attributes(bag, attrs))
+ pb->success = 0;
+err:
+ EVP_PKEY_free(pkey);
+}
+
+void add_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret,
+ const PKCS12_ATTR *attrs)
+{
+ PKCS12_SAFEBAG *bag = NULL;
+
+ if (!pb->success)
+ return;
+
+ TEST_info("Adding secret <%s>", secret);
+
+ bag = PKCS12_add_secret(&pb->bags, secret_nid, (const unsigned char *)secret, strlen(secret));
+ if (!TEST_ptr(bag)) {
+ pb->success = 0;
+ return;
+ }
+ if (!add_attributes(bag, attrs))
+ pb->success = 0;
+}
+
+
+/* -------------------------------------------------------------------------
+ * PKCS12 structure checking
+ */
+
+static int check_asn1_string(const ASN1_TYPE *av, const char *txt)
+{
+ int ret = 0;
+ char *value = NULL;
+
+ if (!TEST_ptr(av))
+ goto err;
+
+ switch (av->type) {
+ case V_ASN1_BMPSTRING:
+ value = OPENSSL_uni2asc(av->value.bmpstring->data,
+ av->value.bmpstring->length);
+ if (!TEST_str_eq(txt, (char *)value))
+ goto err;
+ break;
+
+ case V_ASN1_UTF8STRING:
+ if (!TEST_str_eq(txt, (char *)av->value.utf8string->data))
+ goto err;
+ break;
+
+ case V_ASN1_OCTET_STRING:
+ if (!TEST_str_eq(txt, (char *)av->value.octet_string->data))
+ goto err;
+ break;
+
+ default:
+ /* Tests do not support other attribute types currently */
+ goto err;
+ }
+ ret = 1;
+err:
+ OPENSSL_free(value);
+ return ret;
+}
+
+static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_ATTR *attrs)
+{
+ int ret = 0;
+ X509_ATTRIBUTE *attr;
+ ASN1_TYPE *av;
+ int i, j;
+ char attr_txt[100];
+
+ for (i = 0; i < sk_X509_ATTRIBUTE_num(bag_attrs); i++) {
+ const PKCS12_ATTR *p_attr = attrs;
+ ASN1_OBJECT *attr_obj;
+
+ attr = sk_X509_ATTRIBUTE_value(bag_attrs, i);
+ attr_obj = X509_ATTRIBUTE_get0_object(attr);
+ OBJ_obj2txt(attr_txt, 100, attr_obj, 0);
+
+ while(p_attr->oid != NULL) {
+ /* Find a matching attribute type */
+ if (strcmp(p_attr->oid, attr_txt) == 0) {
+
+ /* TODO: Handle multi-value attributes */
+ if (!TEST_int_eq(X509_ATTRIBUTE_count(attr), 1))
+ goto err;
+
+ for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
+ {
+ av = X509_ATTRIBUTE_get0_type(attr, j);
+ if (!TEST_true(check_asn1_string(av, p_attr->value)))
+ goto err;
+ }
+ break;
+ }
+ p_attr++;
+ }
+ }
+ ret = 1;
+err:
+ return ret;
+}
+
+void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs)
+{
+ X509 *x509 = NULL;
+ X509 *ref_x509 = NULL;
+ const PKCS12_SAFEBAG *bag;
+
+ if (!pb->success)
+ return;
+
+ bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
+ if (!TEST_ptr(bag)) {
+ pb->success = 0;
+ return;
+ }
+ if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)
+ || !TEST_int_eq(PKCS12_SAFEBAG_get_nid(bag), NID_certBag)
+ || !TEST_int_eq(PKCS12_SAFEBAG_get_bag_nid(bag), NID_x509Certificate)) {
+ pb->success = 0;
+ return;
+ }
+ x509 = PKCS12_SAFEBAG_get1_cert(bag);
+ if (!TEST_ptr(x509)) {
+ pb->success = 0;
+ goto err;
+ }
+ ref_x509 = load_cert(bytes, len);
+ if (!TEST_false(X509_cmp(x509, ref_x509)))
+ pb->success = 0;
+err:
+ X509_free(x509);
+ X509_free(ref_x509);
+}
+
+void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs, const PKCS12_ENC *enc)
+{
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY *ref_pkey = NULL;
+ PKCS8_PRIV_KEY_INFO *p8;
+ const PKCS8_PRIV_KEY_INFO *p8c;
+ const PKCS12_SAFEBAG *bag;
+
+ if (!pb->success)
+ return;
+
+ bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
+ if (!TEST_ptr(bag)) {
+ pb->success = 0;
+ return;
+ }
+
+ if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)) {
+ pb->success = 0;
+ return;
+ }
+
+ switch (PKCS12_SAFEBAG_get_nid(bag)) {
+ case NID_keyBag:
+ p8c = PKCS12_SAFEBAG_get0_p8inf(bag);
+ if (!TEST_ptr(pkey = EVP_PKCS82PKEY(p8c))) {
+ pb->success = 0;
+ goto err;
+ }
+ /* TODO: handle key attributes */
+ /* PKCS8_pkey_get0_attrs(p8c); */
+ break;
+
+ case NID_pkcs8ShroudedKeyBag:
+ if (!TEST_ptr(p8 = PKCS12_decrypt_skey(bag, enc->pass, strlen(enc->pass)))) {
+ pb->success = 0;
+ goto err;
+ }
+ if (!TEST_ptr(pkey = EVP_PKCS82PKEY(p8))) {
+ PKCS8_PRIV_KEY_INFO_free(p8);
+ pb->success = 0;
+ goto err;
+ }
+ /* TODO: handle key attributes */
+ /* PKCS8_pkey_get0_attrs(p8); */
+ PKCS8_PRIV_KEY_INFO_free(p8);
+ break;
+
+ default:
+ pb->success = 0;
+ goto err;
+ }
+
+ /* PKEY compare returns 1 for match */
+ ref_pkey = load_pkey(bytes, len);
+ if (!TEST_true(EVP_PKEY_eq(pkey, ref_pkey)))
+ pb->success = 0;
+err:
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_free(ref_pkey);
+}
+
+void check_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret, const PKCS12_ATTR *attrs)
+{
+ const PKCS12_SAFEBAG *bag;
+
+ if (!pb->success)
+ return;
+
+ bag = sk_PKCS12_SAFEBAG_value(pb->bags, pb->bag_idx++);
+ if (!TEST_ptr(bag)) {
+ pb->success = 0;
+ return;
+ }
+
+ if (!check_attrs(PKCS12_SAFEBAG_get0_attrs(bag), attrs)
+ || !TEST_int_eq(PKCS12_SAFEBAG_get_nid(bag), NID_secretBag)
+ || !TEST_int_eq(PKCS12_SAFEBAG_get_bag_nid(bag), secret_nid)
+ || !TEST_true(check_asn1_string(PKCS12_SAFEBAG_get0_bag_obj(bag), secret)))
+ pb->success = 0;
+}
+
+
+void start_check_pkcs12(PKCS12_BUILDER *pb)
+{
+ PKCS12 *p12 = from_bio_p12(pb->p12bio, NULL);
+ if (!TEST_ptr(p12)) {
+ pb->success = 0;
+ return;
+ }
+ pb->safes = PKCS12_unpack_authsafes(p12);
+ if (!TEST_ptr(pb->safes))
+ pb->success = 0;
+
+ pb->safe_idx = 0;
+ PKCS12_free(p12);
+}
+
+void start_check_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
+{
+ PKCS12 *p12 = from_bio_p12(pb->p12bio, mac);
+ if (!TEST_ptr(p12)) {
+ pb->success = 0;
+ return;
+ }
+ pb->safes = PKCS12_unpack_authsafes(p12);
+ if (!TEST_ptr(pb->safes))
+ pb->success = 0;
+
+ pb->safe_idx = 0;
+ PKCS12_free(p12);
+}
+
+void start_check_pkcs12_file(PKCS12_BUILDER *pb)
+{
+ PKCS12 *p12 = read_p12(pb->filename, NULL);
+ if (!TEST_ptr(p12)) {
+ pb->success = 0;
+ return;
+ }
+ pb->safes = PKCS12_unpack_authsafes(p12);
+ if (!TEST_ptr(pb->safes))
+ pb->success = 0;
+
+ pb->safe_idx = 0;
+ PKCS12_free(p12);
+}
+
+void start_check_pkcs12_file_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac)
+{
+ PKCS12 *p12 = read_p12(pb->filename, mac);
+ if (!TEST_ptr(p12)) {
+ pb->success = 0;
+ return;
+ }
+ pb->safes = PKCS12_unpack_authsafes(p12);
+ if (!TEST_ptr(pb->safes))
+ pb->success = 0;
+
+ pb->safe_idx = 0;
+ PKCS12_free(p12);
+}
+
+void end_check_pkcs12(PKCS12_BUILDER *pb)
+{
+ sk_PKCS7_pop_free(pb->safes, PKCS7_free);
+}
+
+
+void start_check_contentinfo(PKCS12_BUILDER *pb)
+{
+ pb->bag_idx = 0;
+ pb->bags = decode_contentinfo(pb->safes, pb->safe_idx++, NULL);
+ if (!TEST_ptr(pb->bags)) {
+ pb->success = 0;
+ return;
+ }
+ TEST_info("Decoding %d bags", sk_PKCS12_SAFEBAG_num(pb->bags));
+}
+
+void start_check_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc)
+{
+ pb->bag_idx = 0;
+ pb->bags = decode_contentinfo(pb->safes, pb->safe_idx++, enc);
+ if (!TEST_ptr(pb->bags)) {
+ pb->success = 0;
+ return;
+ }
+ TEST_info("Decoding %d bags", sk_PKCS12_SAFEBAG_num(pb->bags));
+}
+
+
+void end_check_contentinfo(PKCS12_BUILDER *pb)
+{
+ if (!TEST_int_eq(sk_PKCS12_SAFEBAG_num(pb->bags), pb->bag_idx))
+ pb->success = 0;
+ sk_PKCS12_SAFEBAG_pop_free(pb->bags, PKCS12_SAFEBAG_free);
+ pb->bags = NULL;
+}
+
+
diff --git a/test/pkcs12_helper.h b/test/pkcs12_helper.h
new file mode 100644
index 0000000000..8ae640d7f8
--- /dev/null
+++ b/test/pkcs12_helper.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "internal/nelem.h"
+
+#include <openssl/pkcs12.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#include "testutil.h"
+
+/* Set this to > 0 write test data to file */
+extern int write_files;
+
+/* -------------------------------------------------------------------------
+ * PKCS#12 Test structures
+ */
+
+/* Holds a set of Attributes */
+typedef struct pkcs12_attr {
+ char *oid;
+ char *value;
+} PKCS12_ATTR;
+
+
+/* Holds encryption parameters */
+typedef struct pkcs12_enc {
+ int nid;
+ char *pass;
+ int iter;
+} PKCS12_ENC;
+
+/* Set of variables required for constructing the PKCS#12 structure */
+typedef struct pkcs12_builder {
+ const char *filename;
+ int success;
+ BIO *p12bio;
+ STACK_OF(PKCS7) *safes;
+ int safe_idx;
+ STACK_OF(PKCS12_SAFEBAG) *bags;
+ int bag_idx;
+} PKCS12_BUILDER;
+
+
+/* -------------------------------------------------------------------------
+ * PKCS#12 Test function declarations
+ */
+
+/* Allocate and initialise a PKCS#12 builder object */
+PKCS12_BUILDER *new_pkcs12_builder(const char *filename);
+
+/* Finalise and free the PKCS#12 builder object, returning the success/fail flag */
+int end_pkcs12_builder(PKCS12_BUILDER *pb);
+
+/* Encode/build functions */
+void start_pkcs12(PKCS12_BUILDER *pb);
+void end_pkcs12(PKCS12_BUILDER *pb);
+void end_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
+
+void start_contentinfo(PKCS12_BUILDER *pb);
+void end_contentinfo(PKCS12_BUILDER *pb);
+void end_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc);
+
+void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs);
+void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs, const PKCS12_ENC *enc);
+void add_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret,
+ const PKCS12_ATTR *attrs);
+
+/* Decode/check functions */
+void start_check_pkcs12(PKCS12_BUILDER *pb);
+void start_check_pkcs12_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
+void start_check_pkcs12_file(PKCS12_BUILDER *pb);
+void start_check_pkcs12_file_with_mac(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
+void end_check_pkcs12(PKCS12_BUILDER *pb);
+
+void start_check_contentinfo(PKCS12_BUILDER *pb);
+void start_check_contentinfo_encrypted(PKCS12_BUILDER *pb, const PKCS12_ENC *enc);
+void end_check_contentinfo(PKCS12_BUILDER *pb);
+
+void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs);
+void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
+ const PKCS12_ATTR *attrs, const PKCS12_ENC *enc);
+void check_secretbag(PKCS12_BUILDER *pb, int secret_nid, const char *secret,
+ const PKCS12_ATTR *attrs);
+
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 77a442f765..fa95649212 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -57,7 +57,10 @@ if (eval { require Win32::API; 1; }) {
}
$ENV{OPENSSL_WIN32_UTF8}=1;
-plan tests => 1;
+plan tests => 2;
+
+# Test different PKCS#12 formats
+ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
# just see that we can read shibboleth.pfx protected with $pass
ok(run(app(["openssl", "pkcs12", "-noout",
diff --git a/util/libcrypto.num b/util/libcrypto.num
index b1c7947b86..f1614c7813 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5197,3 +5197,9 @@ OSSL_DESERIALIZER_CTX_set_cleanup ? 3_0_0 EXIST::FUNCTION:
OSSL_DESERIALIZER_CTX_get_construct ? 3_0_0 EXIST::FUNCTION:
OSSL_DESERIALIZER_CTX_get_construct_data ? 3_0_0 EXIST::FUNCTION:
OSSL_DESERIALIZER_CTX_get_cleanup ? 3_0_0 EXIST::FUNCTION:
+PKCS12_SAFEBAG_get0_bag_obj ? 3_0_0 EXIST::FUNCTION:
+PKCS12_SAFEBAG_get0_bag_type ? 3_0_0 EXIST::FUNCTION:
+PKCS12_SAFEBAG_create_secret ? 3_0_0 EXIST::FUNCTION:
+PKCS12_add1_attr_by_NID ? 3_0_0 EXIST::FUNCTION:
+PKCS12_add1_attr_by_txt ? 3_0_0 EXIST::FUNCTION:
+PKCS12_add_secret ? 3_0_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list