145
enum_next_password (GkrPkixParser *parser, GQuark loc, gkrid unique,
146
GQuark type, const gchar *label, PasswordState *state)
145
enum_next_password (GkrPkixParser *parser, GQuark loc, gkrid digest,
146
GQuark type, const gchar *label, PasswordState *state,
147
const gchar **password)
148
149
GkrPkixParserPrivate *pv = GKR_PKIX_PARSER_GET_PRIVATE (parser);
149
150
gboolean first = FALSE;
150
151
gchar *display = NULL;
155
156
if (gkr_async_is_stopping ())
158
159
/* Is it a new location, reset stuff */
159
160
if (loc != state->location) {
167
168
++state->n_passes;
170
* On the first pass always try an empty password. This helps with
171
* On the first pass always try a NULL and then an empty password.
172
* This helps with two things.
173
174
* 1. Often code will call this function, without actually parsing
174
175
* any data yet. So this prevents us prompting the user without
175
176
* knowing it will parse.
177
178
* 2. In case it is actually an empty password, we don't want to
178
* prompt the user, just 'decrypt' it.
179
* prompt the user, just 'decrypt' it. Note that some systems
180
* use the null password instead of empty, so we try both.
184
193
* Next passes we look through all the passwords that the parser
185
194
* has seen so far. This is because different parts of a encrypted
200
209
/* Return first seen password? */
201
if (first && l && l->data)
202
return (const gchar*)l->data;
210
if (first && l && l->data) {
211
*password = (const gchar*)l->data;
204
215
/* Return next seen password? */
205
216
if (l && l->next) {
206
217
l = state->seen = state->seen->next;
208
return (const gchar*)l->data;
219
*password = (const gchar*)l->data;
217
230
label = display = gkr_location_to_display (loc);
219
232
g_signal_emit (parser, signals[ASK_PASSWORD], 0,
220
loc, unique, type, label, state->n_prompts, &password);
233
loc, digest, type, label, state->n_prompts, &prompted);
222
235
++state->n_prompts;
223
236
g_free (display);
225
238
/* Stash away any password */
227
pv->seen_passwords = g_slist_prepend (pv->seen_passwords, password);
240
pv->seen_passwords = g_slist_prepend (pv->seen_passwords, prompted);
241
*password = prompted;
232
249
fire_parsed_partial (GkrPkixParser *parser, GQuark location,
233
gkrconstid unique, GQuark type)
250
gkrconstid digest, GQuark type)
235
252
gboolean owned = FALSE;
237
254
g_assert (location);
239
256
if (!gkr_async_is_stopping ())
240
g_signal_emit (parser, signals[PARSED_PARTIAL], 0, location, unique, type, &owned);
257
g_signal_emit (parser, signals[PARSED_PARTIAL], 0, location, digest, type, &owned);
244
fire_parsed_sexp (GkrPkixParser *parser, GQuark location, gkrconstid unique,
261
fire_parsed_sexp (GkrPkixParser *parser, GQuark location, gkrconstid digest,
245
262
GQuark type, gcry_sexp_t sexp)
247
264
gboolean owned = FALSE;
252
269
if (!gkr_async_is_stopping ())
253
g_signal_emit (parser, signals[PARSED_SEXP], 0, location, unique, type, sexp, &owned);
270
g_signal_emit (parser, signals[PARSED_SEXP], 0, location, digest, type, sexp, &owned);
255
272
gcry_sexp_release (sexp);
259
fire_parsed_asn1 (GkrPkixParser *parser, GQuark location, gkrconstid unique,
276
fire_parsed_asn1 (GkrPkixParser *parser, GQuark location, gkrconstid digest,
260
277
GQuark type, ASN1_TYPE asn1)
262
279
gboolean owned = FALSE;
267
284
if (!gkr_async_is_stopping ())
268
g_signal_emit (parser, signals[PARSED_ASN1], 0, location, unique, type, asn1, &owned);
285
g_signal_emit (parser, signals[PARSED_ASN1], 0, location, digest, type, asn1, &owned);
270
287
asn1_delete_structure (&asn1);
300
gkr_pkix_parser_parsed_partial (GkrPkixParser *parser, GQuark loc, gkrconstid unique,
317
gkr_pkix_parser_parsed_partial (GkrPkixParser *parser, GQuark loc, gkrconstid digest,
303
320
/* Didn't take ownership of the data */
308
gkr_pkix_parser_parsed_asn1 (GkrPkixParser *parser, GQuark loc, gkrconstid unique,
325
gkr_pkix_parser_parsed_asn1 (GkrPkixParser *parser, GQuark loc, gkrconstid digest,
309
326
GQuark type, ASN1_TYPE asn1)
311
328
/* Didn't take ownership of the data */
316
gkr_pkix_parser_parsed_sexp (GkrPkixParser *parser, GQuark loc, gkrconstid unique,
333
gkr_pkix_parser_parsed_sexp (GkrPkixParser *parser, GQuark loc, gkrconstid digest,
317
334
GQuark type, gcry_sexp_t sexp)
319
336
/* Didn't take ownership of the data */
324
gkr_pkix_parser_ask_password (GkrPkixParser *parser, GQuark loc, gkrconstid unique,
341
gkr_pkix_parser_ask_password (GkrPkixParser *parser, GQuark loc, gkrconstid digest,
325
342
GQuark type, const gchar *details, guint n_prompts)
482
gkr_pkix_parsed_type_to_display (GQuark type)
484
if (type == GKR_PKIX_PRIVATE_KEY)
485
return _("private key");
486
else if (type == GKR_PKIX_CERTIFICATE)
487
return _("certificate");
488
else if (type == GKR_PKIX_PUBLIC_KEY)
489
return _("public key");
491
g_return_val_if_reached ("");
495
499
gkr_pkix_parser_parse_location (GkrPkixParser *parser, GQuark loc, GError **err)
537
541
gkr_pkix_parser_der_private_key (GkrPkixParser *parser, GQuark loc,
538
542
const guchar *data, gsize n_data)
541
545
GkrPkixResult ret;
542
546
gcry_sexp_t s_key = NULL;
544
unique = gkr_id_new_digest (data, n_data);
548
digest = gkr_id_new_digest (data, n_data);
546
550
ret = gkr_pkix_der_read_private_key_rsa (data, n_data, &s_key);
547
551
if (ret == GKR_PKIX_UNRECOGNIZED)
548
552
ret = gkr_pkix_der_read_private_key_dsa (data, n_data, &s_key);
549
553
if (ret == GKR_PKIX_SUCCESS)
550
fire_parsed_sexp (parser, loc, unique, GKR_PKIX_PRIVATE_KEY, s_key);
554
fire_parsed_sexp (parser, loc, digest, GKR_PKIX_PRIVATE_KEY, s_key);
552
gkr_id_free (unique);
556
gkr_id_free (digest);
557
561
static GkrPkixResult
558
562
parse_der_pkcs8_plain (GkrPkixParser *parser, GQuark loc,
559
gkrid unique, const guchar *data, gsize n_data)
563
gkrid digest, const guchar *data, gsize n_data)
561
565
ASN1_TYPE asn = ASN1_TYPE_EMPTY;
562
566
GkrPkixResult ret;
624
628
if (ret == GKR_PKIX_SUCCESS)
625
fire_parsed_sexp (parser, loc, unique, GKR_PKIX_PRIVATE_KEY, s_key);
629
fire_parsed_sexp (parser, loc, digest, GKR_PKIX_PRIVATE_KEY, s_key);
627
631
} else if (ret == GKR_PKIX_FAILURE) {
628
632
g_message ("invalid PKCS#8 key");
637
641
gkr_pkix_parser_der_pkcs8_plain (GkrPkixParser *parser, GQuark location,
638
642
const guchar *data, gsize n_data)
641
645
GkrPkixResult ret;
643
unique = gkr_id_new_digest (data, n_data);
644
ret = parse_der_pkcs8_plain (parser, location, unique, data, n_data);
645
gkr_id_free (unique);
647
digest = gkr_id_new_digest (data, n_data);
648
ret = parse_der_pkcs8_plain (parser, location, digest, data, n_data);
649
gkr_id_free (digest);
650
654
static GkrPkixResult
651
655
parse_der_pkcs8_encrypted (GkrPkixParser *parser, GQuark location,
652
gkrid unique, const guchar *data, gsize n_data)
656
gkrid digest, const guchar *data, gsize n_data)
654
658
PasswordState pstate = PASSWORD_STATE_INIT;
655
659
ASN1_TYPE asn = ASN1_TYPE_EMPTY;
684
688
g_assert (cih == NULL);
686
password = enum_next_password (parser, location, unique, GKR_PKIX_PRIVATE_KEY, NULL, &pstate);
688
/* If no password is available, we still know it's a key, so 'partial' parse */
690
fire_parsed_partial (parser, location, unique, GKR_PKIX_PRIVATE_KEY);
691
ret = GKR_PKIX_SUCCESS;
690
/* If no password is available, we still know it's a key, so 'partial' parse */
691
if (!enum_next_password (parser, location, digest, GKR_PKIX_PRIVATE_KEY, NULL, &pstate, &password)) {
692
fire_parsed_partial (parser, location, digest, GKR_PKIX_PRIVATE_KEY);
693
ret = GKR_PKIX_SUCCESS;
696
698
* Parse the encryption stuff into a cipher.
726
728
/* Try to parse the resulting key */
727
r = parse_der_pkcs8_plain (parser, location, unique, crypted, n_crypted);
729
r = parse_der_pkcs8_plain (parser, location, digest, crypted, n_crypted);
728
730
gkr_secure_free (crypted);
750
752
gkr_pkix_parser_der_pkcs8_encrypted (GkrPkixParser *parser, GQuark location,
751
753
const guchar *data, gsize n_data)
754
756
GkrPkixResult ret;
756
unique = gkr_id_new_digest (data, n_data);
757
ret = parse_der_pkcs8_encrypted (parser, location, unique, data, n_data);
758
gkr_id_free (unique);
758
digest = gkr_id_new_digest (data, n_data);
759
ret = parse_der_pkcs8_encrypted (parser, location, digest, data, n_data);
760
gkr_id_free (digest);
764
766
gkr_pkix_parser_der_pkcs8 (GkrPkixParser *parser, GQuark loc, const guchar *data,
768
770
GkrPkixResult ret;
770
unique = gkr_id_new_digest (data, n_data);
771
ret = parse_der_pkcs8_plain (parser, loc, unique, data, n_data);
772
digest = gkr_id_new_digest (data, n_data);
773
ret = parse_der_pkcs8_plain (parser, loc, digest, data, n_data);
772
774
if (ret == GKR_PKIX_UNRECOGNIZED)
773
ret = parse_der_pkcs8_encrypted (parser, loc, unique, data, n_data);
774
gkr_id_free (unique);
775
ret = parse_der_pkcs8_encrypted (parser, loc, digest, data, n_data);
776
gkr_id_free (digest);
784
786
gkr_pkix_parser_der_certificate (GkrPkixParser *parser, GQuark loc,
785
787
const guchar *data, gsize n_data)
788
790
GkrPkixResult ret;
791
unique = gkr_id_new_digest (data, n_data);
793
digest = gkr_id_new_digest (data, n_data);
793
795
ret = gkr_pkix_der_read_certificate (data, n_data, &asn1);
794
796
if(ret == GKR_PKIX_SUCCESS)
795
fire_parsed_asn1 (parser, loc, unique, GKR_PKIX_CERTIFICATE, asn1);
796
gkr_id_free (unique);
797
fire_parsed_asn1 (parser, loc, digest, GKR_PKIX_CERTIFICATE, asn1);
798
gkr_id_free (digest);
805
807
static GkrPkixResult
806
parse_pkcs12_cert_bag (GkrPkixParser *parser, GQuark loc, gkrid uni, const guchar *data, gsize n_data)
808
parse_pkcs12_cert_bag (GkrPkixParser *parser, GQuark loc, gkrid digest, const guchar *data, gsize n_data)
808
810
ASN1_TYPE asn = ASN1_TYPE_EMPTY;
809
811
ASN1_TYPE casn = ASN1_TYPE_EMPTY;
834
836
ret = gkr_pkix_der_read_certificate (certificate, n_certificate, &casn);
835
837
if(ret == GKR_PKIX_SUCCESS)
836
fire_parsed_asn1 (parser, loc, uni, GKR_PKIX_CERTIFICATE, casn);
838
fire_parsed_asn1 (parser, loc, digest, GKR_PKIX_CERTIFICATE, casn);
845
847
static GkrPkixResult
846
parse_pkcs12_bag (GkrPkixParser *parser, GQuark loc, gkrid uni, const guchar *data, gsize n_data)
848
parse_pkcs12_bag (GkrPkixParser *parser, GQuark loc, gkrid digest, const guchar *data, gsize n_data)
848
850
ASN1_TYPE asn = ASN1_TYPE_EMPTY;
849
851
GkrPkixResult ret, r;
853
854
const guchar *element;
857
857
ret = GKR_PKIX_UNRECOGNIZED;
871
871
* Now inside each bag are multiple elements. Who comes up
872
872
* with this stuff?
874
* But this is where we draw the line. We only support one
875
* element per bag, not multiple elements, not strange
876
* nested bags, not fairy queens with magical wands in bags...
878
* Just one element per bag.
874
for (i = 0; i < count; ++i)
876
part = g_strdup_printf ("?%u.bagId", i + 1);
877
oid = gkr_pkix_asn1_read_oid (asn, part);
882
oid = gkr_pkix_asn1_read_oid (asn, "?1.bagId");
883
part = g_strdup_printf ("?%u.bagValue", i + 1);
884
element = gkr_pkix_asn1_read_content (asn, data, n_data, part, &n_element);
886
element = gkr_pkix_asn1_read_content (asn, data, n_data, "?1.bagValue", &n_element);
890
890
/* A normal unencrypted key */
891
891
if (oid == OID_PKCS12_BAG_PKCS8_KEY) {
892
r = parse_der_pkcs8_plain (parser, loc, uni, element, n_element);
892
r = parse_der_pkcs8_plain (parser, loc, digest, element, n_element);
894
894
/* A properly encrypted key */
895
895
} else if (oid == OID_PKCS12_BAG_PKCS8_ENCRYPTED_KEY) {
896
r = parse_der_pkcs8_encrypted (parser, loc, uni, element, n_element);
896
r = parse_der_pkcs8_encrypted (parser, loc, digest, element, n_element);
898
898
/* A certificate */
899
899
} else if (oid == OID_PKCS12_BAG_CERTIFICATE) {
900
r = parse_pkcs12_cert_bag (parser, loc, uni, element, n_element);
900
r = parse_pkcs12_cert_bag (parser, loc, digest, element, n_element);
902
902
/* TODO: OID_PKCS12_BAG_CRL */
922
922
static GkrPkixResult
923
parse_pkcs12_encrypted_bag (GkrPkixParser *parser, GQuark loc, gkrid uni,
923
parse_pkcs12_encrypted_bag (GkrPkixParser *parser, GQuark loc, gkrid digest,
924
924
const guchar *data, gsize n_data)
926
926
PasswordState pstate = PASSWORD_STATE_INIT;
958
958
g_assert (cih == NULL);
960
password = enum_next_password (parser, loc, uni, 0, NULL, &pstate);
962
fire_parsed_partial (parser, loc, uni, 0);
960
if (!enum_next_password (parser, loc, digest, 0, NULL, &pstate, &password)) {
961
fire_parsed_partial (parser, loc, digest, 0);
963
962
ret = GKR_PKIX_SUCCESS;
996
995
/* Try to parse the resulting key */
997
r = parse_pkcs12_bag (parser, loc, uni, crypted, n_crypted);
996
r = parse_pkcs12_bag (parser, loc, digest, crypted, n_crypted);
998
997
gkr_secure_free (crypted);
1056
1055
if (!bag) /* A parse error */
1060
uni = gkr_id_new_digest (bag, n_bag);
1058
gkr_id_free (digest);
1059
digest = gkr_id_new_digest (bag, n_bag);
1062
1061
/* A non encrypted bag, just parse */
1063
1062
if (oid == OID_PKCS7_DATA) {
1073
r = parse_pkcs12_bag (parser, loc, uni, bag, n_bag);
1072
r = parse_pkcs12_bag (parser, loc, digest, bag, n_bag);
1075
1074
/* Encrypted data first needs decryption */
1076
1075
} else if (oid == OID_PKCS7_ENCRYPTED_DATA) {
1077
r = parse_pkcs12_encrypted_bag (parser, loc, uni, bag, n_bag);
1076
r = parse_pkcs12_encrypted_bag (parser, loc, digest, bag, n_bag);
1079
1078
/* Hmmmm, not sure what this is */
1147
1146
static GkrPkixResult
1148
parse_pkcs7_signed_data (GkrPkixParser *parser, GQuark loc, gkrid uni,
1147
parse_pkcs7_signed_data (GkrPkixParser *parser, GQuark loc, gkrid digest,
1149
1148
const guchar *data, gsize n_data)
1151
1150
ASN1_TYPE asn = ASN1_TYPE_EMPTY;
1177
1176
ret = gkr_pkix_der_read_certificate (certificate, n_certificate, &casn);
1178
1177
if (ret == GKR_PKIX_SUCCESS)
1179
fire_parsed_asn1 (parser, loc, uni, GKR_PKIX_CERTIFICATE, casn);
1178
fire_parsed_asn1 (parser, loc, digest, GKR_PKIX_CERTIFICATE, casn);
1180
1179
if (ret == GKR_PKIX_FAILURE)
1194
1193
static GkrPkixResult
1195
parse_der_pkcs7 (GkrPkixParser *parser, GQuark loc, gkrid uni,
1194
parse_der_pkcs7 (GkrPkixParser *parser, GQuark loc, gkrid digest,
1196
1195
const guchar *data, gsize n_data)
1198
1197
ASN1_TYPE asn = ASN1_TYPE_EMPTY;
1226
ret = parse_pkcs7_signed_data (parser, loc, uni, content, n_content);
1225
ret = parse_pkcs7_signed_data (parser, loc, digest, content, n_content);
1235
1234
gkr_pkix_parser_der_pkcs7 (GkrPkixParser *parser, GQuark loc, const guchar *data, gsize n_data)
1237
1236
GkrPkixResult ret;
1240
uni = gkr_id_new_digest (data, n_data);
1241
ret = parse_der_pkcs7 (parser, loc, uni, data, n_data);
1239
digest = gkr_id_new_digest (data, n_data);
1240
ret = parse_der_pkcs7 (parser, loc, digest, data, n_data);
1241
gkr_id_free (digest);
1273
1272
static GkrPkixResult
1274
parse_plain_pem (GkrPkixParser *parser, GQuark location, gkrid unique,
1273
parse_plain_pem (GkrPkixParser *parser, GQuark location, gkrid digest,
1275
1274
GQuark type, const guchar *data, gsize n_data)
1277
1276
GkrPkixResult res;
1292
1291
res = gkr_pkix_der_read_private_key (data, n_data, &s_key);
1294
1293
} else if (type == PEM_PRIVATE_KEY) {
1295
return parse_der_pkcs8_plain (parser, location, unique, data, n_data);
1294
return parse_der_pkcs8_plain (parser, location, digest, data, n_data);
1297
1296
} else if (type == PEM_ENCRYPTED_PRIVATE_KEY) {
1298
return parse_der_pkcs8_encrypted (parser, location, unique, data, n_data);
1297
return parse_der_pkcs8_encrypted (parser, location, digest, data, n_data);
1300
1299
} else if (type == PEM_CERTIFICATE) {
1301
1300
parsed = GKR_PKIX_CERTIFICATE;
1302
1301
res = gkr_pkix_der_read_certificate (data, n_data, &asn1);
1304
1303
} else if (type == PEM_PKCS7) {
1305
return parse_der_pkcs7 (parser, location, unique, data, n_data);
1304
return parse_der_pkcs7 (parser, location, digest, data, n_data);
1307
1306
} else if (type == PEM_PKCS7) {
1308
1307
return gkr_pkix_parser_der_pkcs12 (parser, location, data, n_data);
1316
1315
g_assert (parsed);
1319
fire_parsed_sexp (parser, location, unique, parsed, s_key);
1318
fire_parsed_sexp (parser, location, digest, parsed, s_key);
1321
fire_parsed_asn1 (parser, location, unique, parsed, asn1);
1320
fire_parsed_asn1 (parser, location, digest, parsed, asn1);
1327
1326
static GkrPkixResult
1328
parse_encrypted_pem (GkrPkixParser *parser, GQuark location, gkrid unique,
1327
parse_encrypted_pem (GkrPkixParser *parser, GQuark location, gkrid digest,
1329
1328
GQuark type, GHashTable *headers, const guchar *data, gsize n_data)
1331
1330
PasswordState pstate = PASSWORD_STATE_INIT;
1355
1354
while (!gkr_async_is_stopping ()) {
1357
password = enum_next_password (parser, location, unique, parsed, NULL, &pstate);
1359
/* If no password is available, we still know what it was, so 'partial' parse */
1361
fire_parsed_partial (parser, location, unique, parsed);
1362
return GKR_PKIX_SUCCESS;
1356
/* If no password is available, we still know what it was, so 'partial' parse */
1357
if (!enum_next_password (parser, location, digest, parsed, NULL, &pstate, &password)) {
1358
fire_parsed_partial (parser, location, digest, parsed);
1359
return GKR_PKIX_SUCCESS;
1365
1362
decrypted = NULL;
1366
1363
n_decrypted = 0;
1379
1376
n_decrypted = l;
1381
1378
/* Try to parse */
1382
ret = parse_plain_pem (parser, location, unique, type, decrypted, n_decrypted);
1379
ret = parse_plain_pem (parser, location, digest, type, decrypted, n_decrypted);
1383
1380
gkr_secure_free (decrypted);
1385
1382
if (ret != GKR_PKIX_UNRECOGNIZED)
1396
1393
ParserCtx *ctx = (ParserCtx*)user_data;
1397
1394
GkrPkixResult res = GKR_PKIX_FAILURE;
1398
1395
gboolean encrypted = FALSE;
1400
1397
const gchar *val;
1402
unique = gkr_id_new_digest (data, n_data);
1399
digest = gkr_id_new_digest (data, n_data);
1404
1401
/* See if it's encrypted PEM all openssl like*/
1411
1408
if (encrypted) {
1412
res = parse_encrypted_pem (ctx->parser, ctx->location, unique,
1409
res = parse_encrypted_pem (ctx->parser, ctx->location, digest,
1413
1410
type, headers, data, n_data);
1415
res = parse_plain_pem (ctx->parser, ctx->location, unique,
1412
res = parse_plain_pem (ctx->parser, ctx->location, digest,
1416
1413
type, data, n_data);