PKCS#5 v2 PBES2 support and use in PKCS#8 encrypted certificates
The error code POLARSSL_ERR_X509_PASSWORD_MISMATCH is now properly
returned in case of an encryption failure in the padding. The
POLARSSL_ERR_X509_PASSWORD_REQUIRED error code is only returned for
PEM-formatted private keys, because for DER-formatted ones it is
impossible to tell whether the blob is PKCS#8 encrypted or not.
diff --git a/include/polarssl/error.h b/include/polarssl/error.h
index 24e61d9..cc1b4c7 100644
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@@ -69,14 +69,14 @@
* SHA1 1 0x0076-0x0076
* SHA2 1 0x0078-0x0078
* SHA4 1 0x007A-0x007A
- * PKCS5 1 0x007C-0x007C
*
* High-level module nr (3 bits - 0x1...-0x8...)
* Name ID Nr of Errors
* PEM 1 9
* PKCS#12 1 3 (Started from top)
- * X509 2 21
+ * X509 2 23
* DHM 3 6
+ * PKCS5 3 4 (Started from top)
* RSA 4 9
* MD 5 4
* CIPHER 6 5
diff --git a/include/polarssl/pkcs5.h b/include/polarssl/pkcs5.h
index 5530b58..b8c742e 100644
--- a/include/polarssl/pkcs5.h
+++ b/include/polarssl/pkcs5.h
@@ -31,6 +31,7 @@
#include <string.h>
+#include "asn1.h"
#include "md.h"
#ifdef _MSC_VER
@@ -40,13 +41,55 @@
#include <inttypes.h>
#endif
-#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA -0x007C /**< Bad input parameters to function. */
+#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA -0x3f80 /**< Bad input parameters to function. */
+#define POLARSSL_ERR_PKCS5_INVALID_FORMAT -0x3f00 /**< Unexpected ASN.1 data. */
+#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE -0x3e80 /**< Requested encryption or digest alg not available. */
+#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH -0x3e00 /**< Given private key password does not allow for correct decryption. */
+
+#define PKCS5_DECRYPT 0
+#define PKCS5_ENCRYPT 1
+
+/*
+ * PKCS#5 OIDs
+ */
+#define OID_PKCS5 "\x2a\x86\x48\x86\xf7\x0d\x01\x05"
+#define OID_PKCS5_PBES2 OID_PKCS5 "\x0d"
+#define OID_PKCS5_PBKDF2 OID_PKCS5 "\x0c"
+
+/*
+ * Encryption Algorithm OIDs
+ */
+#define OID_DES_CBC "\x2b\x0e\x03\x02\x07"
+#define OID_DES_EDE3_CBC "\x2a\x86\x48\x86\xf7\x0d\x03\x07"
+
+/*
+ * Digest Algorithm OIDs
+ */
+#define OID_HMAC_SHA1 "\x2a\x86\x48\x86\xf7\x0d\x02\x07"
#ifdef __cplusplus
extern "C" {
#endif
/**
+ * \brief PKCS#5 PBES2 function
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode either PKCS5_DECRYPT or PKCS5_ENCRYPT
+ * \param pwd password to use when generating key
+ * \param plen length of password
+ * \param data data to process
+ * \param datalen length of data
+ * \param output output buffer
+ *
+ * \returns 0 on success, or a PolarSSL error code if verification fails.
+ */
+int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output );
+
+/**
* \brief PKCS#5 PBKDF2 using HMAC
*
* \param ctx Generic HMAC context
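Review bot: The new `pkcs5_pbes2()` prototype takes `output` without a length, and its doc block never says how large that buffer must be, so each caller has to guess the bound for a CBC write. The comment should state the contract, for example `\param output output buffer (must be able to hold at least datalen bytes)`; this assumes the implementation never writes more than `datalen` on decrypt, which should be confirmed against pkcs5.c, along with whether `PKCS5_ENCRYPT` appends a padding block. The same block documents `\param plen` although the parameter is named `pwdlen`, and `\returns` speaks of verification failing where the function encrypts or decrypts. The doc comment of the PBKDF2 function that follows continues outside the hunk.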
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 296925f..6dabf37 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -62,6 +62,8 @@
#define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 /**< Input invalid. */
#define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 /**< Allocation of memory failed. */
#define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */
+#define POLARSSL_ERR_X509_PASSWORD_REQUIRED -0x2B80 /**< Private key password can't be empty. */
+#define POLARSSL_ERR_X509_PASSWORD_MISMATCH -0x2C00 /**< Given private key password does not allow for correct decryption. */
/* \} name */
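Review bot: The comment on `POLARSSL_ERR_X509_PASSWORD_MISMATCH` promises more than a padding check can deliver. Per the commit description, the code is raised on a padding failure, and a wrong password can still leave a final block that looks like valid padding by chance, in which case the caller would presumably see a key-format error instead. Wording such as `/**< Private key password rejected (padding check failed); a wrong password may also surface as a format error. */` would tell callers to treat both outcomes as a possible bad password. `POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH` in pkcs5.h carries the same description and would benefit from the same caveat. The `PASSWORD_REQUIRED` comment could also note that, per the description, it is only returned for PEM input.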