1 /**
2  * \file pkcs12.h
3  *
4  * \brief PKCS#12 Personal Information Exchange Syntax
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  */
10 #ifndef MBEDTLS_PKCS12_H
11 #define MBEDTLS_PKCS12_H
12 
13 #include "mbedtls/build_info.h"
14 
15 #include "mbedtls/md.h"
16 #include "mbedtls/cipher.h"
17 #include "mbedtls/asn1.h"
18 
19 #include <stddef.h>
20 
21 /** Bad input parameters to function. */
22 #define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA                 -0x1F80
23 /** Feature not available, e.g. unsupported encryption scheme. */
24 #define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE            -0x1F00
25 /** PBE ASN.1 data not as expected. */
26 #define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT             -0x1E80
27 /** Given private key password does not allow for correct decryption. */
28 #define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH              -0x1E00
29 
30 #define MBEDTLS_PKCS12_DERIVE_KEY       1   /**< encryption/decryption key */
31 #define MBEDTLS_PKCS12_DERIVE_IV        2   /**< initialization vector     */
32 #define MBEDTLS_PKCS12_DERIVE_MAC_KEY   3   /**< integrity / MAC key       */
33 
34 #define MBEDTLS_PKCS12_PBE_DECRYPT      MBEDTLS_DECRYPT
35 #define MBEDTLS_PKCS12_PBE_ENCRYPT      MBEDTLS_ENCRYPT
36 
37 #ifdef __cplusplus
38 extern "C" {
39 #endif
40 
41 #if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
42 
43 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
44 /**
45  * \brief            PKCS12 Password Based function (encryption / decryption)
46  *                   for cipher-based and mbedtls_md-based PBE's
47  *
48  * \note             When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
49  *                   be enabled at compile time.
50  *
51  * \deprecated       This function is deprecated and will be removed in a
52  *                   future version of the library.
53  *                   Please use mbedtls_pkcs12_pbe_ext() instead.
54  *
55  * \warning          When decrypting:
56  *                   - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
57  *                     time, this function validates the CBC padding and returns
58  *                     #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
59  *                     invalid. Note that this can help active adversaries
60  *                     attempting to brute-forcing the password. Note also that
61  *                     there is no guarantee that an invalid password will be
62  *                     detected (the chances of a valid padding with a random
63  *                     password are about 1/255).
64  *                   - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
65  *                     time, this function does not validate the CBC padding.
66  *
67  * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
68  * \param mode       either #MBEDTLS_PKCS12_PBE_ENCRYPT or
69  *                   #MBEDTLS_PKCS12_PBE_DECRYPT
70  * \param cipher_type the cipher used
71  * \param md_type    the mbedtls_md used
72  * \param pwd        Latin1-encoded password used. This may only be \c NULL when
73  *                   \p pwdlen is 0. No null terminator should be used.
74  * \param pwdlen     length of the password (may be 0)
75  * \param data       the input data
76  * \param len        data length
77  * \param output     Output buffer.
78  *                   On success, it contains the encrypted or decrypted data,
79  *                   possibly followed by the CBC padding.
80  *                   On failure, the content is indeterminate.
81  *                   For decryption, there must be enough room for \p len
82  *                   bytes.
83  *                   For encryption, there must be enough room for
84  *                   \p len + 1 bytes, rounded up to the block size of
85  *                   the block cipher identified by \p pbe_params.
86  *
87  * \return           0 if successful, or a MBEDTLS_ERR_XXX code
88  */
89 int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
90                                           mbedtls_cipher_type_t cipher_type,
91                                           mbedtls_md_type_t md_type,
92                                           const unsigned char *pwd,  size_t pwdlen,
93                                           const unsigned char *data, size_t len,
94                                           unsigned char *output);
95 #endif /* MBEDTLS_DEPRECATED_REMOVED */
96 
97 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
98 
99 /**
100  * \brief            PKCS12 Password Based function (encryption / decryption)
101  *                   for cipher-based and mbedtls_md-based PBE's
102  *
103  *
104  * \warning          When decrypting:
105  *                   - This function validates the CBC padding and returns
106  *                     #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
107  *                     invalid. Note that this can help active adversaries
108  *                     attempting to brute-forcing the password. Note also that
109  *                     there is no guarantee that an invalid password will be
110  *                     detected (the chances of a valid padding with a random
111  *                     password are about 1/255).
112  *
113  * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
114  * \param mode       either #MBEDTLS_PKCS12_PBE_ENCRYPT or
115  *                   #MBEDTLS_PKCS12_PBE_DECRYPT
116  * \param cipher_type the cipher used
117  * \param md_type    the mbedtls_md used
118  * \param pwd        Latin1-encoded password used. This may only be \c NULL when
119  *                   \p pwdlen is 0. No null terminator should be used.
120  * \param pwdlen     length of the password (may be 0)
121  * \param data       the input data
122  * \param len        data length
123  * \param output     Output buffer.
124  *                   On success, it contains the encrypted or decrypted data,
125  *                   possibly followed by the CBC padding.
126  *                   On failure, the content is indeterminate.
127  *                   For decryption, there must be enough room for \p len
128  *                   bytes.
129  *                   For encryption, there must be enough room for
130  *                   \p len + 1 bytes, rounded up to the block size of
131  *                   the block cipher identified by \p pbe_params.
132  * \param output_size size of output buffer.
133  *                    This must be big enough to accommodate for output plus
134  *                    padding data.
135  * \param output_len On success, length of actual data written to the output buffer.
136  *
137  * \return           0 if successful, or a MBEDTLS_ERR_XXX code
138  */
139 int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
140                            mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
141                            const unsigned char *pwd,  size_t pwdlen,
142                            const unsigned char *data, size_t len,
143                            unsigned char *output, size_t output_size,
144                            size_t *output_len);
145 
146 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
147 
148 #endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
149 
150 /**
151  * \brief            The PKCS#12 derivation function uses a password and a salt
152  *                   to produce pseudo-random bits for a particular "purpose".
153  *
154  *                   Depending on the given id, this function can produce an
155  *                   encryption/decryption key, an initialization vector or an
156  *                   integrity key.
157  *
158  * \param data       buffer to store the derived data in
159  * \param datalen    length of buffer to fill
160  * \param pwd        The password to use. For compliance with PKCS#12 §B.1, this
161  *                   should be a BMPString, i.e. a Unicode string where each
162  *                   character is encoded as 2 bytes in big-endian order, with
163  *                   no byte order mark and with a null terminator (i.e. the
164  *                   last two bytes should be 0x00 0x00).
165  * \param pwdlen     length of the password (may be 0).
166  * \param salt       Salt buffer to use. This may only be \c NULL when
167  *                   \p saltlen is 0.
168  * \param saltlen    length of the salt (may be zero)
169  * \param mbedtls_md mbedtls_md type to use during the derivation
170  * \param id         id that describes the purpose (can be
171  *                   #MBEDTLS_PKCS12_DERIVE_KEY, #MBEDTLS_PKCS12_DERIVE_IV or
172  *                   #MBEDTLS_PKCS12_DERIVE_MAC_KEY)
173  * \param iterations number of iterations
174  *
175  * \return          0 if successful, or a MD, BIGNUM type error.
176  */
177 int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
178                               const unsigned char *pwd, size_t pwdlen,
179                               const unsigned char *salt, size_t saltlen,
180                               mbedtls_md_type_t mbedtls_md, int id, int iterations);
181 
182 #ifdef __cplusplus
183 }
184 #endif
185 
186 #endif /* pkcs12.h */
187