Logo Search packages:      
Sourcecode: samba4 version File versions  Download package

crypto.c

/*
 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "hx_locl.h"

struct hx509_crypto;

struct signature_alg;

struct hx509_generate_private_context {
    const heim_oid *key_oid;
    int isCA;
    unsigned long num_bits;
};

struct hx509_private_key_ops {
    const char *pemtype;
    const heim_oid *key_oid;
    int (*available)(const hx509_private_key,
                 const AlgorithmIdentifier *);
    int (*get_spki)(hx509_context,
                const hx509_private_key,
                SubjectPublicKeyInfo *);
    int (*export)(hx509_context context,
              const hx509_private_key,
              heim_octet_string *);
    int (*import)(hx509_context, const AlgorithmIdentifier *,
              const void *, size_t, hx509_private_key);
    int (*generate_private_key)(hx509_context,
                        struct hx509_generate_private_context *,
                        hx509_private_key);
    BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
};

struct hx509_private_key {
    unsigned int ref;
    const struct signature_alg *md;
    const heim_oid *signature_alg;
    union {
      RSA *rsa;
      void *keydata;
#ifdef HAVE_OPENSSL
      EC_KEY *ecdsa;
#endif
    } private_key;
    hx509_private_key_ops *ops;
};

/*
 *
 */

struct signature_alg {
    const char *name;
    const heim_oid *sig_oid;
    const AlgorithmIdentifier *sig_alg;
    const heim_oid *key_oid;
    const AlgorithmIdentifier *digest_alg;
    int flags;
#define PROVIDE_CONF    0x1
#define REQUIRE_SIGNER  0x2
#define SELF_SIGNED_OK  0x4

#define SIG_DIGEST      0x100
#define SIG_PUBLIC_SIG  0x200
#define SIG_SECRET      0x400

#define RA_RSA_USES_DIGEST_INFO 0x1000000

    time_t best_before; /* refuse signature made after best before date */
    const EVP_MD *(*evp_md)(void);
    int (*verify_signature)(hx509_context context,
                      const struct signature_alg *,
                      const Certificate *,
                      const AlgorithmIdentifier *,
                      const heim_octet_string *,
                      const heim_octet_string *);
    int (*create_signature)(hx509_context,
                      const struct signature_alg *,
                      const hx509_private_key,
                      const AlgorithmIdentifier *,
                      const heim_octet_string *,
                      AlgorithmIdentifier *,
                      heim_octet_string *);
    int digest_size;
};

static const struct signature_alg *
find_sig_alg(const heim_oid *oid);

/*
 *
 */

static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") };

static const unsigned sha512_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 3 };
const AlgorithmIdentifier _hx509_signature_sha512_data = {
    { 9, rk_UNCONST(sha512_oid_tree) }, rk_UNCONST(&null_entry_oid)
};

static const unsigned sha384_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 2 };
const AlgorithmIdentifier _hx509_signature_sha384_data = {
    { 9, rk_UNCONST(sha384_oid_tree) }, rk_UNCONST(&null_entry_oid)
};

static const unsigned sha256_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 };
const AlgorithmIdentifier _hx509_signature_sha256_data = {
    { 9, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid)
};

static const unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 };
const AlgorithmIdentifier _hx509_signature_sha1_data = {
    { 6, rk_UNCONST(sha1_oid_tree) }, rk_UNCONST(&null_entry_oid)
};

static const unsigned md5_oid_tree[] = { 1, 2, 840, 113549, 2, 5 };
const AlgorithmIdentifier _hx509_signature_md5_data = {
    { 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid)
};

static const unsigned md2_oid_tree[] = { 1, 2, 840, 113549, 2, 2 };
const AlgorithmIdentifier _hx509_signature_md2_data = {
    { 6, rk_UNCONST(md2_oid_tree) }, rk_UNCONST(&null_entry_oid)
};

static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 };
const AlgorithmIdentifier _hx509_signature_ecPublicKey = {
    { 6, rk_UNCONST(ecPublicKey) }, NULL
};

static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 };
const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = {
    { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL
};

static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 };
const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = {
    { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL
};

static const unsigned rsa_with_sha512_oid[] ={ 1, 2, 840, 113549, 1, 1, 13 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha512_data = {
    { 7, rk_UNCONST(rsa_with_sha512_oid) }, NULL
};

static const unsigned rsa_with_sha384_oid[] ={ 1, 2, 840, 113549, 1, 1, 12 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha384_data = {
    { 7, rk_UNCONST(rsa_with_sha384_oid) }, NULL
};

static const unsigned rsa_with_sha256_oid[] ={ 1, 2, 840, 113549, 1, 1, 11 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha256_data = {
    { 7, rk_UNCONST(rsa_with_sha256_oid) }, NULL
};

static const unsigned rsa_with_sha1_oid[] ={ 1, 2, 840, 113549, 1, 1, 5 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha1_data = {
    { 7, rk_UNCONST(rsa_with_sha1_oid) }, NULL
};

static const unsigned rsa_with_md5_oid[] ={ 1, 2, 840, 113549, 1, 1, 4 };
const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = {
    { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL
};

static const unsigned rsa_with_md2_oid[] ={ 1, 2, 840, 113549, 1, 1, 2 };
const AlgorithmIdentifier _hx509_signature_rsa_with_md2_data = {
    { 7, rk_UNCONST(rsa_with_md2_oid) }, NULL
};

static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 };
const AlgorithmIdentifier _hx509_signature_rsa_data = {
    { 7, rk_UNCONST(rsa_oid) }, NULL
};

static const unsigned rsa_pkcs1_x509_oid[] ={ 1, 2, 752, 43, 16, 1 };
const AlgorithmIdentifier _hx509_signature_rsa_pkcs1_x509_data = {
    { 6, rk_UNCONST(rsa_pkcs1_x509_oid) }, NULL
};

static const unsigned des_rsdi_ede3_cbc_oid[] ={ 1, 2, 840, 113549, 3, 7 };
const AlgorithmIdentifier _hx509_des_rsdi_ede3_cbc_oid = {
    { 6, rk_UNCONST(des_rsdi_ede3_cbc_oid) }, NULL
};

static const unsigned aes128_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 2 };
const AlgorithmIdentifier _hx509_crypto_aes128_cbc_data = {
    { 9, rk_UNCONST(aes128_cbc_oid) }, NULL
};

static const unsigned aes256_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 42 };
const AlgorithmIdentifier _hx509_crypto_aes256_cbc_data = {
    { 9, rk_UNCONST(aes256_cbc_oid) }, NULL
};

/*
 *
 */

static BIGNUM *
heim_int2BN(const heim_integer *i)
{
    BIGNUM *bn;

    bn = BN_bin2bn(i->data, i->length, NULL);
    BN_set_negative(bn, i->negative);
    return bn;
}

/*
 *
 */

static int
set_digest_alg(DigestAlgorithmIdentifier *id,
             const heim_oid *oid,
             const void *param, size_t length)
{
    int ret;
    if (param) {
      id->parameters = malloc(sizeof(*id->parameters));
      if (id->parameters == NULL)
          return ENOMEM;
      id->parameters->data = malloc(length);
      if (id->parameters->data == NULL) {
          free(id->parameters);
          id->parameters = NULL;
          return ENOMEM;
      }
      memcpy(id->parameters->data, param, length);
      id->parameters->length = length;
    } else
      id->parameters = NULL;
    ret = der_copy_oid(oid, &id->algorithm);
    if (ret) {
      if (id->parameters) {
          free(id->parameters->data);
          free(id->parameters);
          id->parameters = NULL;
      }
      return ret;
    }
    return 0;
}

#ifdef HAVE_OPENSSL

static int
heim_oid2ecnid(heim_oid *oid)
{
    /*
     * Now map to openssl OID fun
     */

    if (der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp256r1) == 0)
      return NID_X9_62_prime256v1;
    else if (der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp160r1) == 0)
      return NID_secp160r1;
    else if (der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp160r2) == 0)
      return NID_secp160r2;

    return -1;
}

static int
parse_ECParameters(hx509_context context, 
               heim_octet_string *parameters, int *nid)
{
    ECParameters ecparam;
    size_t size;
    int ret;

    if (parameters == NULL) {
      ret = HX509_PARSING_KEY_FAILED;
      hx509_set_error_string(context, 0, ret,
                         "EC parameters missing");
      return ret;
    }

    ret = decode_ECParameters(parameters->data, parameters->length,
                        &ecparam, &size);
    if (ret) {
      hx509_set_error_string(context, 0, ret,
                         "Failed to decode EC parameters");
      return ret;
    }

    if (ecparam.element != choice_ECParameters_namedCurve) {
      free_ECParameters(&ecparam);
      hx509_set_error_string(context, 0, ret,
                         "EC parameters is not a named curve");
      return HX509_CRYPTO_SIG_INVALID_FORMAT;
    }

    *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
    free_ECParameters(&ecparam);
    if (*nid == -1) {
      hx509_set_error_string(context, 0, ret,
                         "Failed to find matcing NID for EC curve");
      return HX509_CRYPTO_SIG_INVALID_FORMAT;
    }
    return 0;
}


/*
 *
 */

static int
ecdsa_verify_signature(hx509_context context,
                   const struct signature_alg *sig_alg,
                   const Certificate *signer,
                   const AlgorithmIdentifier *alg,
                   const heim_octet_string *data,
                   const heim_octet_string *sig)
{
    const AlgorithmIdentifier *digest_alg;
    const SubjectPublicKeyInfo *spi;
    heim_octet_string digest;
    int ret;
    EC_KEY *key = NULL;
    int groupnid;
    EC_GROUP *group;
    const unsigned char *p;
    long len;

    digest_alg = sig_alg->digest_alg;

    ret = _hx509_create_signature(context,
                          NULL,
                          digest_alg,
                          data,
                          NULL,
                          &digest);
    if (ret)
      return ret;

    /* set up EC KEY */
    spi = &signer->tbsCertificate.subjectPublicKeyInfo;

    if (der_heim_oid_cmp(&spi->algorithm.algorithm, &asn1_oid_id_ecPublicKey) != 0)
      return HX509_CRYPTO_SIG_INVALID_FORMAT;

#ifdef HAVE_OPENSSL
    /*
     * Find the group id
     */

    ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
    if (ret) {
      der_free_octet_string(&digest);
      return ret;
    }

    /*
     * Create group, key, parse key
     */

    key = EC_KEY_new();
    group = EC_GROUP_new_by_curve_name(groupnid);
    EC_KEY_set_group(key, group);
    EC_GROUP_free(group);

    p = spi->subjectPublicKey.data;
    len = spi->subjectPublicKey.length / 8;

    if (o2i_ECPublicKey(&key, &p, len) == NULL) {
      EC_KEY_free(key);
      return HX509_CRYPTO_SIG_INVALID_FORMAT;
    }
#else
    key = SubjectPublicKeyInfo2EC_KEY(spi);
#endif

    ret = ECDSA_verify(-1, digest.data, digest.length,
                   sig->data, sig->length, key);
    der_free_octet_string(&digest);
    EC_KEY_free(key);
    if (ret != 1) {
      ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
      return ret;
    }
    
    return 0;
}

static int
ecdsa_create_signature(hx509_context context,
                   const struct signature_alg *sig_alg,
                   const hx509_private_key signer,
                   const AlgorithmIdentifier *alg,
                   const heim_octet_string *data,
                   AlgorithmIdentifier *signatureAlgorithm,
                   heim_octet_string *sig)
{
    const AlgorithmIdentifier *digest_alg;
    heim_octet_string indata;
    const heim_oid *sig_oid;
    unsigned int siglen;
    int ret;

    if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
      _hx509_abort("internal error passing private key to wrong ops");

    sig_oid = sig_alg->sig_oid;
    digest_alg = sig_alg->digest_alg;

    if (signatureAlgorithm) {
      ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
      if (ret) {
          hx509_clear_error_string(context);
          goto error;
      }
    }

    ret = _hx509_create_signature(context,
                          NULL,
                          digest_alg,
                          data,
                          NULL,
                          &indata);
    if (ret) {
      if (signatureAlgorithm)
          free_AlgorithmIdentifier(signatureAlgorithm);
      goto error;
    }

    sig->length = ECDSA_size(signer->private_key.ecdsa);
    sig->data = malloc(sig->length);
    if (sig->data == NULL) {
      der_free_octet_string(&indata);
      ret = ENOMEM;
      hx509_set_error_string(context, 0, ret, "out of memory");
      goto error;
    }

    siglen = sig->length;

    ret = ECDSA_sign(-1, indata.data, indata.length,
                 sig->data, &siglen, signer->private_key.ecdsa);
    der_free_octet_string(&indata);
    if (ret != 1) {
      ret = HX509_CMS_FAILED_CREATE_SIGATURE;
      hx509_set_error_string(context, 0, ret,
                         "ECDSA sign failed: %d", ret);
      goto error;
    }
    if (siglen > sig->length)
      _hx509_abort("ECDSA signature prelen longer the output len");

    sig->length = siglen;

    return 0;
 error:
    if (signatureAlgorithm)
      free_AlgorithmIdentifier(signatureAlgorithm);
    return ret;
}

static int
ecdsa_available(const hx509_private_key signer,
            const AlgorithmIdentifier *sig_alg)
{
    const struct signature_alg *sig;
    const EC_GROUP *group;
    BN_CTX *bnctx = NULL;
    BIGNUM *order = NULL;
    int ret = 0;

    if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
      _hx509_abort("internal error passing private key to wrong ops");

    sig = find_sig_alg(&sig_alg->algorithm);

    if (sig == NULL || sig->digest_size == 0)
      return 0;

    group = EC_KEY_get0_group(signer->private_key.ecdsa);
    if (group == NULL)
      return 0;

    bnctx = BN_CTX_new();
    order = BN_new();
    if (order == NULL)
      goto err;

    if (EC_GROUP_get_order(group, order, bnctx) != 1)
      goto err;

    if (BN_num_bytes(order) > sig->digest_size)
      ret = 1;
 err:
    if (bnctx)
      BN_CTX_free(bnctx);
    if (order)
      BN_clear_free(order);

    return ret;
}


#endif /* HAVE_OPENSSL */

/*
 *
 */

static int
rsa_verify_signature(hx509_context context,
                 const struct signature_alg *sig_alg,
                 const Certificate *signer,
                 const AlgorithmIdentifier *alg,
                 const heim_octet_string *data,
                 const heim_octet_string *sig)
{
    const SubjectPublicKeyInfo *spi;
    DigestInfo di;
    unsigned char *to;
    int tosize, retsize;
    int ret;
    RSA *rsa;
    size_t size;
    const unsigned char *p;

    memset(&di, 0, sizeof(di));

    spi = &signer->tbsCertificate.subjectPublicKeyInfo;

    p = spi->subjectPublicKey.data;
    size = spi->subjectPublicKey.length / 8;
    
    rsa = d2i_RSAPublicKey(NULL, &p, size);
    if (rsa == NULL) {
      ret = ENOMEM;
      hx509_set_error_string(context, 0, ret, "out of memory");
      goto out;
    }

    tosize = RSA_size(rsa);
    to = malloc(tosize);
    if (to == NULL) {
      ret = ENOMEM;
      hx509_set_error_string(context, 0, ret, "out of memory");
      goto out;
    }

    retsize = RSA_public_decrypt(sig->length, (unsigned char *)sig->data,
                         to, rsa, RSA_PKCS1_PADDING);
    if (retsize <= 0) {
      ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
      hx509_set_error_string(context, 0, ret,
                         "RSA public decrypt failed: %d", retsize);
      free(to);
      goto out;
    }
    if (retsize > tosize)
      _hx509_abort("internal rsa decryption failure: ret > tosize");

    if (sig_alg->flags & RA_RSA_USES_DIGEST_INFO) {

      ret = decode_DigestInfo(to, retsize, &di, &size);
      free(to);
      if (ret) {
          goto out;
      }
      
      /* Check for extra data inside the sigature */
      if (size != retsize) {
          ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
          hx509_set_error_string(context, 0, ret, "size from decryption mismatch");
          goto out;
      }
      
      if (sig_alg->digest_alg &&
          der_heim_oid_cmp(&di.digestAlgorithm.algorithm,
                       &sig_alg->digest_alg->algorithm) != 0)
      {
          ret = HX509_CRYPTO_OID_MISMATCH;
          hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch");
          goto out;
      }
      
      /* verify that the parameters are NULL or the NULL-type */
      if (di.digestAlgorithm.parameters != NULL &&
          (di.digestAlgorithm.parameters->length != 2 ||
           memcmp(di.digestAlgorithm.parameters->data, "\x05\x00", 2) != 0))
      {
          ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
          hx509_set_error_string(context, 0, ret, "Extra parameters inside RSA signature");
          goto out;
      }

      ret = _hx509_verify_signature(context,
                              NULL,
                              &di.digestAlgorithm,
                              data,
                              &di.digest);
    } else {
      if (retsize != data->length ||
          ct_memcmp(to, data->data, retsize) != 0)
      {
          ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
          hx509_set_error_string(context, 0, ret, "RSA Signature incorrect");
          goto out;
      }
      free(to);
    }
    ret = 0;

 out:
    free_DigestInfo(&di);
    if (rsa)
      RSA_free(rsa);
    return ret;
}

static int
rsa_create_signature(hx509_context context,
                 const struct signature_alg *sig_alg,
                 const hx509_private_key signer,
                 const AlgorithmIdentifier *alg,
                 const heim_octet_string *data,
                 AlgorithmIdentifier *signatureAlgorithm,
                 heim_octet_string *sig)
{
    const AlgorithmIdentifier *digest_alg;
    heim_octet_string indata;
    const heim_oid *sig_oid;
    size_t size;
    int ret;

    if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_pkcs1_rsaEncryption) != 0)
      return HX509_ALG_NOT_SUPP;

    if (alg)
      sig_oid = &alg->algorithm;
    else
      sig_oid = signer->signature_alg;

    if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_sha256WithRSAEncryption) == 0) {
      digest_alg = hx509_signature_sha256();
    } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_sha1WithRSAEncryption) == 0) {
      digest_alg = hx509_signature_sha1();
    } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_md5WithRSAEncryption) == 0) {
      digest_alg = hx509_signature_md5();
    } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_md5WithRSAEncryption) == 0) {
      digest_alg = hx509_signature_md5();
    } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_dsa_with_sha1) == 0) {
      digest_alg = hx509_signature_sha1();
    } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_pkcs1_rsaEncryption) == 0) {
      digest_alg = hx509_signature_sha1();
    } else if (der_heim_oid_cmp(sig_oid, &asn1_oid_id_heim_rsa_pkcs1_x509) == 0) {
      digest_alg = NULL;
    } else
      return HX509_ALG_NOT_SUPP;

    if (signatureAlgorithm) {
      ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
      if (ret) {
          hx509_clear_error_string(context);
          return ret;
      }
    }

    if (digest_alg) {
      DigestInfo di;
      memset(&di, 0, sizeof(di));

      ret = _hx509_create_signature(context,
                              NULL,
                              digest_alg,
                              data,
                              &di.digestAlgorithm,
                              &di.digest);
      if (ret)
          return ret;
      ASN1_MALLOC_ENCODE(DigestInfo,
                     indata.data,
                     indata.length,
                     &di,
                     &size,
                     ret);
      free_DigestInfo(&di);
      if (ret) {
          hx509_set_error_string(context, 0, ret, "out of memory");
          return ret;
      }
      if (indata.length != size)
          _hx509_abort("internal ASN.1 encoder error");
    } else {
      indata = *data;
    }

    sig->length = RSA_size(signer->private_key.rsa);
    sig->data = malloc(sig->length);
    if (sig->data == NULL) {
      der_free_octet_string(&indata);
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }

    ret = RSA_private_encrypt(indata.length, indata.data,
                        sig->data,
                        signer->private_key.rsa,
                        RSA_PKCS1_PADDING);
    if (indata.data != data->data)
      der_free_octet_string(&indata);
    if (ret <= 0) {
      ret = HX509_CMS_FAILED_CREATE_SIGATURE;
      hx509_set_error_string(context, 0, ret,
                         "RSA private encrypt failed: %d", ret);
      return ret;
    }
    if (ret > sig->length)
      _hx509_abort("RSA signature prelen longer the output len");

    sig->length = ret;

    return 0;
}

static int
rsa_private_key_import(hx509_context context,
                   const AlgorithmIdentifier *keyai,
                   const void *data,
                   size_t len,
                   hx509_private_key private_key)
{
    const unsigned char *p = data;

    private_key->private_key.rsa =
      d2i_RSAPrivateKey(NULL, &p, len);
    if (private_key->private_key.rsa == NULL) {
      hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
                         "Failed to parse RSA key");
      return HX509_PARSING_KEY_FAILED;
    }
    private_key->signature_alg = &asn1_oid_id_pkcs1_sha1WithRSAEncryption;

    return 0;
}

static int
rsa_private_key2SPKI(hx509_context context,
                 hx509_private_key private_key,
                 SubjectPublicKeyInfo *spki)
{
    int len, ret;

    memset(spki, 0, sizeof(*spki));

    len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);

    spki->subjectPublicKey.data = malloc(len);
    if (spki->subjectPublicKey.data == NULL) {
      hx509_set_error_string(context, 0, ENOMEM, "malloc - out of memory");
      return ENOMEM;
    }
    spki->subjectPublicKey.length = len * 8;

    ret = set_digest_alg(&spki->algorithm, &asn1_oid_id_pkcs1_rsaEncryption,
                   "\x05\x00", 2);
    if (ret) {
      hx509_set_error_string(context, 0, ret, "malloc - out of memory");
      free(spki->subjectPublicKey.data);
      spki->subjectPublicKey.data = NULL;
      spki->subjectPublicKey.length = 0;
      return ret;
    }

    {
      unsigned char *pp = spki->subjectPublicKey.data;
      i2d_RSAPublicKey(private_key->private_key.rsa, &pp);
    }

    return 0;
}

static int
rsa_generate_private_key(hx509_context context,
                   struct hx509_generate_private_context *ctx,
                   hx509_private_key private_key)
{
    BIGNUM *e;
    int ret;
    unsigned long bits;

    static const int default_rsa_e = 65537;
    static const int default_rsa_bits = 1024;

    private_key->private_key.rsa = RSA_new();
    if (private_key->private_key.rsa == NULL) {
      hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
                         "Failed to generate RSA key");
      return HX509_PARSING_KEY_FAILED;
    }

    e = BN_new();
    BN_set_word(e, default_rsa_e);

    bits = default_rsa_bits;

    if (ctx->num_bits)
      bits = ctx->num_bits;
    else if (ctx->isCA)
      bits *= 2;

    ret = RSA_generate_key_ex(private_key->private_key.rsa, bits, e, NULL);
    BN_free(e);
    if (ret != 1) {
      hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
                         "Failed to generate RSA key");
      return HX509_PARSING_KEY_FAILED;
    }
    private_key->signature_alg = &asn1_oid_id_pkcs1_sha1WithRSAEncryption;

    return 0;
}

static int
rsa_private_key_export(hx509_context context,
                   const hx509_private_key key,
                   heim_octet_string *data)
{
    int ret;

    data->data = NULL;
    data->length = 0;

    ret = i2d_RSAPrivateKey(key->private_key.rsa, NULL);
    if (ret <= 0) {
      ret = EINVAL;
      hx509_set_error_string(context, 0, ret,
                         "Private key is not exportable");
      return ret;
    }

    data->data = malloc(ret);
    if (data->data == NULL) {
      ret = ENOMEM;
      hx509_set_error_string(context, 0, ret, "malloc out of memory");
      return ret;
    }
    data->length = ret;

    {
      unsigned char *p = data->data;
      i2d_RSAPrivateKey(key->private_key.rsa, &p);
    }

    return 0;
}

static BIGNUM *
rsa_get_internal(hx509_context context,
             hx509_private_key key,
             const char *type)
{
    if (strcasecmp(type, "rsa-modulus") == 0) {
      return BN_dup(key->private_key.rsa->n);
    } else if (strcasecmp(type, "rsa-exponent") == 0) {
      return BN_dup(key->private_key.rsa->e);
    } else
      return NULL;
}



static hx509_private_key_ops rsa_private_key_ops = {
    "RSA PRIVATE KEY",
    &asn1_oid_id_pkcs1_rsaEncryption,
    NULL,
    rsa_private_key2SPKI,
    rsa_private_key_export,
    rsa_private_key_import,
    rsa_generate_private_key,
    rsa_get_internal
};

#ifdef HAVE_OPENSSL

static int
ecdsa_private_key2SPKI(hx509_context context,
                   hx509_private_key private_key,
                   SubjectPublicKeyInfo *spki)
{
    memset(spki, 0, sizeof(*spki));
    return ENOMEM;
}

static int
ecdsa_private_key_export(hx509_context context,
                   const hx509_private_key key,
                   heim_octet_string *data)
{
    return ENOMEM;
}

static int
ecdsa_private_key_import(hx509_context context,
                   const AlgorithmIdentifier *keyai,
                   const void *data,
                   size_t len,
                   hx509_private_key private_key)
{
    const unsigned char *p = data;
    EC_KEY **pkey = NULL;

    if (keyai->parameters) {
      EC_GROUP *group;
      int groupnid;
      EC_KEY *key;
      int ret;

      ret = parse_ECParameters(context, keyai->parameters, &groupnid);
      if (ret)
          return ret;
      
      key = EC_KEY_new();
      if (key == NULL)
          return ENOMEM;
      
      group = EC_GROUP_new_by_curve_name(groupnid);
      if (group == NULL) {
          EC_KEY_free(key);
          return ENOMEM;
      }
      EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
      if (EC_KEY_set_group(key, group) == 0) {
          EC_KEY_free(key);
          EC_GROUP_free(group);
          return ENOMEM;
      }
      EC_GROUP_free(group);
      pkey = &key;
    }

    private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
    if (private_key->private_key.ecdsa == NULL) {
      hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
                         "Failed to parse EC private key");
      return HX509_PARSING_KEY_FAILED;
    }
    private_key->signature_alg = &asn1_oid_id_ecdsa_with_SHA256;

    return 0;
}

static int
ecdsa_generate_private_key(hx509_context context,
                     struct hx509_generate_private_context *ctx,
                     hx509_private_key private_key)
{
    return ENOMEM;
}

static BIGNUM *
ecdsa_get_internal(hx509_context context, 
               hx509_private_key key, 
               const char *type)
{
    return NULL;
}


static hx509_private_key_ops ecdsa_private_key_ops = {
    "EC PRIVATE KEY",
    &asn1_oid_id_ecPublicKey,
    ecdsa_available,
    ecdsa_private_key2SPKI,
    ecdsa_private_key_export,
    ecdsa_private_key_import,
    ecdsa_generate_private_key,
    ecdsa_get_internal
};

#endif /* HAVE_OPENSSL */

/*
 *
 */

static int
dsa_verify_signature(hx509_context context,
                 const struct signature_alg *sig_alg,
                 const Certificate *signer,
                 const AlgorithmIdentifier *alg,
                 const heim_octet_string *data,
                 const heim_octet_string *sig)
{
    const SubjectPublicKeyInfo *spi;
    DSAPublicKey pk;
    DSAParams param;
    size_t size;
    DSA *dsa;
    int ret;

    spi = &signer->tbsCertificate.subjectPublicKeyInfo;

    dsa = DSA_new();
    if (dsa == NULL) {
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }

    ret = decode_DSAPublicKey(spi->subjectPublicKey.data,
                        spi->subjectPublicKey.length / 8,
                        &pk, &size);
    if (ret)
      goto out;

    dsa->pub_key = heim_int2BN(&pk);

    free_DSAPublicKey(&pk);

    if (dsa->pub_key == NULL) {
      ret = ENOMEM;
      hx509_set_error_string(context, 0, ret, "out of memory");
      goto out;
    }

    if (spi->algorithm.parameters == NULL) {
      ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
      hx509_set_error_string(context, 0, ret, "DSA parameters missing");
      goto out;
    }

    ret = decode_DSAParams(spi->algorithm.parameters->data,
                     spi->algorithm.parameters->length,
                     &param,
                     &size);
    if (ret) {
      hx509_set_error_string(context, 0, ret, "DSA parameters failed to decode");
      goto out;
    }

    dsa->p = heim_int2BN(&param.p);
    dsa->q = heim_int2BN(&param.q);
    dsa->g = heim_int2BN(&param.g);

    free_DSAParams(&param);

    if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
      ret = ENOMEM;
      hx509_set_error_string(context, 0, ret, "out of memory");
      goto out;
    }

    ret = DSA_verify(-1, data->data, data->length,
                 (unsigned char*)sig->data, sig->length,
                 dsa);
    if (ret == 1)
      ret = 0;
    else if (ret == 0 || ret == -1) {
      ret = HX509_CRYPTO_BAD_SIGNATURE;
      hx509_set_error_string(context, 0, ret, "BAD DSA sigature");
    } else {
      ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
      hx509_set_error_string(context, 0, ret, "Invalid format of DSA sigature");
    }

 out:
    DSA_free(dsa);

    return ret;
}

#if 0
static int
dsa_parse_private_key(hx509_context context,
                  const void *data,
                  size_t len,
                  hx509_private_key private_key)
{
    const unsigned char *p = data;

    private_key->private_key.dsa =
      d2i_DSAPrivateKey(NULL, &p, len);
    if (private_key->private_key.dsa == NULL)
      return EINVAL;
    private_key->signature_alg = &asn1_oid_id_dsa_with_sha1;

    return 0;
/* else */
    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
                     "No support to parse DSA keys");
    return HX509_PARSING_KEY_FAILED;
}
#endif

static int
evp_md_create_signature(hx509_context context,
                  const struct signature_alg *sig_alg,
                  const hx509_private_key signer,
                  const AlgorithmIdentifier *alg,
                  const heim_octet_string *data,
                  AlgorithmIdentifier *signatureAlgorithm,
                  heim_octet_string *sig)
{
    size_t sigsize = EVP_MD_size(sig_alg->evp_md());
    EVP_MD_CTX *ctx;

    memset(sig, 0, sizeof(*sig));

    if (signatureAlgorithm) {
      int ret;
      ret = set_digest_alg(signatureAlgorithm, sig_alg->sig_oid,
                       "\x05\x00", 2);
      if (ret)
          return ret;
    }
      

    sig->data = malloc(sigsize);
    if (sig->data == NULL) {
      sig->length = 0;
      return ENOMEM;
    }
    sig->length = sigsize;

    ctx = EVP_MD_CTX_create();
    EVP_DigestInit_ex(ctx, sig_alg->evp_md(), NULL);
    EVP_DigestUpdate(ctx, data->data, data->length);
    EVP_DigestFinal_ex(ctx, sig->data, NULL);
    EVP_MD_CTX_destroy(ctx);


    return 0;
}

static int
evp_md_verify_signature(hx509_context context,
                  const struct signature_alg *sig_alg,
                  const Certificate *signer,
                  const AlgorithmIdentifier *alg,
                  const heim_octet_string *data,
                  const heim_octet_string *sig)
{
    unsigned char digest[EVP_MAX_MD_SIZE];
    EVP_MD_CTX *ctx;
    size_t sigsize = EVP_MD_size(sig_alg->evp_md());

    if (sig->length != sigsize || sigsize > sizeof(digest)) {
      hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
                         "SHA256 sigature have wrong length");
      return HX509_CRYPTO_SIG_INVALID_FORMAT;
    }

    ctx = EVP_MD_CTX_create();
    EVP_DigestInit_ex(ctx, sig_alg->evp_md(), NULL);
    EVP_DigestUpdate(ctx, data->data, data->length);
    EVP_DigestFinal_ex(ctx, digest, NULL);
    EVP_MD_CTX_destroy(ctx);

    if (ct_memcmp(digest, sig->data, sigsize) != 0) {
      hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE,
                         "Bad %s sigature", sig_alg->name);
      return HX509_CRYPTO_BAD_SIGNATURE;
    }

    return 0;
}

#ifdef HAVE_OPENSSL

static const struct signature_alg ecdsa_with_sha256_alg = {
    "ecdsa-with-sha256",
    &asn1_oid_id_ecdsa_with_SHA256,
    &_hx509_signature_ecdsa_with_sha256_data,
    &asn1_oid_id_ecPublicKey,
    &_hx509_signature_sha256_data,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
    0,
    NULL,
    ecdsa_verify_signature,
    ecdsa_create_signature,
    32
};

static const struct signature_alg ecdsa_with_sha1_alg = {
    "ecdsa-with-sha1",
    &asn1_oid_id_ecdsa_with_SHA1,
    &_hx509_signature_ecdsa_with_sha1_data,
    &asn1_oid_id_ecPublicKey,
    &_hx509_signature_sha1_data,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
    0,
    NULL,
    ecdsa_verify_signature,
    ecdsa_create_signature,
    20
};

#endif

static const struct signature_alg heim_rsa_pkcs1_x509 = {
    "rsa-pkcs1-x509",
    &asn1_oid_id_heim_rsa_pkcs1_x509,
    &_hx509_signature_rsa_pkcs1_x509_data,
    &asn1_oid_id_pkcs1_rsaEncryption,
    NULL,
    PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG,
    0,
    NULL,
    rsa_verify_signature,
    rsa_create_signature
};

static const struct signature_alg pkcs1_rsa_sha1_alg = {
    "rsa",
    &asn1_oid_id_pkcs1_rsaEncryption,
    &_hx509_signature_rsa_with_sha1_data,
    &asn1_oid_id_pkcs1_rsaEncryption,
    NULL,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
    0,
    NULL,
    rsa_verify_signature,
    rsa_create_signature
};

static const struct signature_alg rsa_with_sha256_alg = {
    "rsa-with-sha256",
    &asn1_oid_id_pkcs1_sha256WithRSAEncryption,
    &_hx509_signature_rsa_with_sha256_data,
    &asn1_oid_id_pkcs1_rsaEncryption,
    &_hx509_signature_sha256_data,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
    0,
    NULL,
    rsa_verify_signature,
    rsa_create_signature
};

static const struct signature_alg rsa_with_sha1_alg = {
    "rsa-with-sha1",
    &asn1_oid_id_pkcs1_sha1WithRSAEncryption,
    &_hx509_signature_rsa_with_sha1_data,
    &asn1_oid_id_pkcs1_rsaEncryption,
    &_hx509_signature_sha1_data,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
    0,
    NULL,
    rsa_verify_signature,
    rsa_create_signature
};

static const struct signature_alg rsa_with_md5_alg = {
    "rsa-with-md5",
    &asn1_oid_id_pkcs1_md5WithRSAEncryption,
    &_hx509_signature_rsa_with_md5_data,
    &asn1_oid_id_pkcs1_rsaEncryption,
    &_hx509_signature_md5_data,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
    1230739889,
    NULL,
    rsa_verify_signature,
    rsa_create_signature
};

static const struct signature_alg rsa_with_md2_alg = {
    "rsa-with-md2",
    &asn1_oid_id_pkcs1_md2WithRSAEncryption,
    &_hx509_signature_rsa_with_md2_data,
    &asn1_oid_id_pkcs1_rsaEncryption,
    &_hx509_signature_md2_data,
    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
    1230739889,
    NULL,
    rsa_verify_signature,
    rsa_create_signature
};

static const struct signature_alg dsa_sha1_alg = {
    "dsa-with-sha1",
    &asn1_oid_id_dsa_with_sha1,
    NULL,
    &asn1_oid_id_dsa,
    &_hx509_signature_sha1_data,
    PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG,
    0,
    NULL,
    dsa_verify_signature,
    /* create_signature */ NULL,
};

static const struct signature_alg sha256_alg = {
    "sha-256",
    &asn1_oid_id_sha256,
    &_hx509_signature_sha256_data,
    NULL,
    NULL,
    SIG_DIGEST,
    0,
    EVP_sha256,
    evp_md_verify_signature,
    evp_md_create_signature
};

static const struct signature_alg sha1_alg = {
    "sha1",
    &asn1_oid_id_secsig_sha_1,
    &_hx509_signature_sha1_data,
    NULL,
    NULL,
    SIG_DIGEST,
    0,
    EVP_sha1,
    evp_md_verify_signature,
    evp_md_create_signature
};

static const struct signature_alg md5_alg = {
    "rsa-md5",
    &asn1_oid_id_rsa_digest_md5,
    &_hx509_signature_md5_data,
    NULL,
    NULL,
    SIG_DIGEST,
    0,
    EVP_md5,
    evp_md_verify_signature,
    NULL
};

static const struct signature_alg md2_alg = {
    "rsa-md2",
    &asn1_oid_id_rsa_digest_md2,
    &_hx509_signature_md2_data,
    NULL,
    NULL,
    SIG_DIGEST,
    0,
    EVP_md2,
    evp_md_verify_signature,
    NULL
};

/*
 * Order matter in this structure, "best" first for each "key
 * compatible" type (type is ECDSA, RSA, DSA, none, etc)
 */

static const struct signature_alg *sig_algs[] = {
#ifdef HAVE_OPENSSL
    &ecdsa_with_sha256_alg,
    &ecdsa_with_sha1_alg,
#endif
    &rsa_with_sha256_alg,
    &rsa_with_sha1_alg,
    &pkcs1_rsa_sha1_alg,
    &rsa_with_md5_alg,
    &rsa_with_md2_alg,
    &heim_rsa_pkcs1_x509,
    &dsa_sha1_alg,
    &sha256_alg,
    &sha1_alg,
    &md5_alg,
    &md2_alg,
    NULL
};

static const struct signature_alg *
find_sig_alg(const heim_oid *oid)
{
    unsigned int i;
    for (i = 0; sig_algs[i]; i++)
      if (der_heim_oid_cmp(sig_algs[i]->sig_oid, oid) == 0)
          return sig_algs[i];
    return NULL;
}

static const AlgorithmIdentifier *
alg_for_privatekey(const hx509_private_key pk, int type)
{
    const heim_oid *keytype;
    unsigned int i;

    if (pk->ops == NULL)
      return NULL;

    keytype = pk->ops->key_oid;

    for (i = 0; sig_algs[i]; i++) {
      if (sig_algs[i]->key_oid == NULL)
          continue;
      if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0)
          continue;
      if (pk->ops->available && 
          pk->ops->available(pk, sig_algs[i]->sig_alg) == 0)
          continue;
      if (type == HX509_SELECT_PUBLIC_SIG)
          return sig_algs[i]->sig_alg;
      if (type == HX509_SELECT_DIGEST)
          return sig_algs[i]->digest_alg;

      return NULL;
    }
    return NULL;
}

/*
 *
 */

static struct hx509_private_key_ops *private_algs[] = {
    &rsa_private_key_ops,
#ifdef HAVE_OPENSSL
    &ecdsa_private_key_ops,
#endif
    NULL
};

static hx509_private_key_ops *
find_private_alg(const heim_oid *oid)
{
    int i;
    for (i = 0; private_algs[i]; i++) {
      if (private_algs[i]->key_oid == NULL)
          continue;
      if (der_heim_oid_cmp(private_algs[i]->key_oid, oid) == 0)
          return private_algs[i];
    }
    return NULL;
}

/*
 * Check if the algorithm `alg' have a best before date, and if it
 * des, make sure the its before the time `t'.
 */

int
_hx509_signature_best_before(hx509_context context,
                       const AlgorithmIdentifier *alg,
                       time_t t)
{
    const struct signature_alg *md;

    md = find_sig_alg(&alg->algorithm);
    if (md == NULL) {
      hx509_clear_error_string(context);
      return HX509_SIG_ALG_NO_SUPPORTED;
    }
    if (md->best_before && md->best_before < t) {
      hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
                         "Algorithm %s has passed it best before date",
                         md->name);
      return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
    }
    return 0;
}

int
_hx509_self_signed_valid(hx509_context context,
                   const AlgorithmIdentifier *alg)
{
    const struct signature_alg *md;

    md = find_sig_alg(&alg->algorithm);
    if (md == NULL) {
      hx509_clear_error_string(context);
      return HX509_SIG_ALG_NO_SUPPORTED;
    }
    if ((md->flags & SELF_SIGNED_OK) == 0) {
      hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
                         "Algorithm %s not trusted for self signatures",
                         md->name);
      return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
    }
    return 0;
}


int
_hx509_verify_signature(hx509_context context,
                  const hx509_cert cert,
                  const AlgorithmIdentifier *alg,
                  const heim_octet_string *data,
                  const heim_octet_string *sig)
{
    const struct signature_alg *md;
    const Certificate *signer = NULL;

    if (cert)
      signer = _hx509_get_cert(cert);

    md = find_sig_alg(&alg->algorithm);
    if (md == NULL) {
      hx509_clear_error_string(context);
      return HX509_SIG_ALG_NO_SUPPORTED;
    }
    if (signer && (md->flags & PROVIDE_CONF) == 0) {
      hx509_clear_error_string(context);
      return HX509_CRYPTO_SIG_NO_CONF;
    }
    if (signer == NULL && (md->flags & REQUIRE_SIGNER)) {
          hx509_clear_error_string(context);
      return HX509_CRYPTO_SIGNATURE_WITHOUT_SIGNER;
    }
    if (md->key_oid && signer) {
      const SubjectPublicKeyInfo *spi;
      spi = &signer->tbsCertificate.subjectPublicKeyInfo;

      if (der_heim_oid_cmp(&spi->algorithm.algorithm, md->key_oid) != 0) {
          hx509_clear_error_string(context);
          return HX509_SIG_ALG_DONT_MATCH_KEY_ALG;
      }
    }
    return (*md->verify_signature)(context, md, signer, alg, data, sig);
}

int
_hx509_create_signature(hx509_context context,
                  const hx509_private_key signer,
                  const AlgorithmIdentifier *alg,
                  const heim_octet_string *data,
                  AlgorithmIdentifier *signatureAlgorithm,
                  heim_octet_string *sig)
{
    const struct signature_alg *md;

    md = find_sig_alg(&alg->algorithm);
    if (md == NULL) {
      hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
          "algorithm no supported");
      return HX509_SIG_ALG_NO_SUPPORTED;
    }

    if (signer && (md->flags & PROVIDE_CONF) == 0) {
      hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
          "algorithm provides no conf");
      return HX509_CRYPTO_SIG_NO_CONF;
    }

    return (*md->create_signature)(context, md, signer, alg, data,
                           signatureAlgorithm, sig);
}

int
_hx509_create_signature_bitstring(hx509_context context,
                          const hx509_private_key signer,
                          const AlgorithmIdentifier *alg,
                          const heim_octet_string *data,
                          AlgorithmIdentifier *signatureAlgorithm,
                          heim_bit_string *sig)
{
    heim_octet_string os;
    int ret;

    ret = _hx509_create_signature(context, signer, alg,
                          data, signatureAlgorithm, &os);
    if (ret)
      return ret;
    sig->data = os.data;
    sig->length = os.length * 8;
    return 0;
}

int
_hx509_public_encrypt(hx509_context context,
                  const heim_octet_string *cleartext,
                  const Certificate *cert,
                  heim_oid *encryption_oid,
                  heim_octet_string *ciphertext)
{
    const SubjectPublicKeyInfo *spi;
    unsigned char *to;
    int tosize;
    int ret;
    RSA *rsa;
    size_t size;
    const unsigned char *p;

    ciphertext->data = NULL;
    ciphertext->length = 0;

    spi = &cert->tbsCertificate.subjectPublicKeyInfo;

    p = spi->subjectPublicKey.data;
    size = spi->subjectPublicKey.length / 8;
    
    rsa = d2i_RSAPublicKey(NULL, &p, size);
    if (rsa == NULL) {
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }

    tosize = RSA_size(rsa);
    to = malloc(tosize);
    if (to == NULL) {
      RSA_free(rsa);
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }

    ret = RSA_public_encrypt(cleartext->length,
                       (unsigned char *)cleartext->data,
                       to, rsa, RSA_PKCS1_PADDING);
    RSA_free(rsa);
    if (ret <= 0) {
      free(to);
      hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PUBLIC_ENCRYPT,
                         "RSA public encrypt failed with %d", ret);
      return HX509_CRYPTO_RSA_PUBLIC_ENCRYPT;
    }
    if (ret > tosize)
      _hx509_abort("internal rsa decryption failure: ret > tosize");

    ciphertext->length = ret;
    ciphertext->data = to;

    ret = der_copy_oid(&asn1_oid_id_pkcs1_rsaEncryption, encryption_oid);
    if (ret) {
      der_free_octet_string(ciphertext);
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }

    return 0;
}

int
_hx509_private_key_private_decrypt(hx509_context context,
                           const heim_octet_string *ciphertext,
                           const heim_oid *encryption_oid,
                           hx509_private_key p,
                           heim_octet_string *cleartext)
{
    int ret;

    cleartext->data = NULL;
    cleartext->length = 0;

    if (p->private_key.rsa == NULL) {
      hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
                         "Private RSA key missing");
      return HX509_PRIVATE_KEY_MISSING;
    }

    cleartext->length = RSA_size(p->private_key.rsa);
    cleartext->data = malloc(cleartext->length);
    if (cleartext->data == NULL) {
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }
    ret = RSA_private_decrypt(ciphertext->length, ciphertext->data,
                        cleartext->data,
                        p->private_key.rsa,
                        RSA_PKCS1_PADDING);
    if (ret <= 0) {
      der_free_octet_string(cleartext);
      hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PRIVATE_DECRYPT,
                         "Failed to decrypt using private key: %d", ret);
      return HX509_CRYPTO_RSA_PRIVATE_DECRYPT;
    }
    if (cleartext->length < ret)
      _hx509_abort("internal rsa decryption failure: ret > tosize");

    cleartext->length = ret;

    return 0;
}


int
_hx509_parse_private_key(hx509_context context,
                   const AlgorithmIdentifier *keyai,
                   const void *data,
                   size_t len,
                   hx509_private_key *private_key)
{
    struct hx509_private_key_ops *ops;
    int ret;

    *private_key = NULL;

    ops = find_private_alg(&keyai->algorithm);
    if (ops == NULL) {
      hx509_clear_error_string(context);
      return HX509_SIG_ALG_NO_SUPPORTED;
    }

    ret = _hx509_private_key_init(private_key, ops, NULL);
    if (ret) {
      hx509_set_error_string(context, 0, ret, "out of memory");
      return ret;
    }

    ret = (*ops->import)(context, keyai, data, len, *private_key);
    if (ret)
      _hx509_private_key_free(private_key);

    return ret;
}

/*
 *
 */

int
_hx509_private_key2SPKI(hx509_context context,
                  hx509_private_key private_key,
                  SubjectPublicKeyInfo *spki)
{
    const struct hx509_private_key_ops *ops = private_key->ops;
    if (ops == NULL || ops->get_spki == NULL) {
      hx509_set_error_string(context, 0, HX509_UNIMPLEMENTED_OPERATION,
                         "Private key have no key2SPKI function");
      return HX509_UNIMPLEMENTED_OPERATION;
    }
    return (*ops->get_spki)(context, private_key, spki);
}

int
_hx509_generate_private_key_init(hx509_context context,
                         const heim_oid *oid,
                         struct hx509_generate_private_context **ctx)
{
    *ctx = NULL;

    if (der_heim_oid_cmp(oid, &asn1_oid_id_pkcs1_rsaEncryption) != 0) {
      hx509_set_error_string(context, 0, EINVAL,
                         "private key not an RSA key");
      return EINVAL;
    }

    *ctx = calloc(1, sizeof(**ctx));
    if (*ctx == NULL) {
      hx509_set_error_string(context, 0, ENOMEM, "out of memory");
      return ENOMEM;
    }
    (*ctx)->key_oid = oid;

    return 0;
}

int
_hx509_generate_private_key_is_ca(hx509_context context,
                          struct hx509_generate_private_context *ctx)
{
    ctx->isCA = 1;
    return 0;
}

int
_hx509_generate_private_key_bits(hx509_context context,
                         struct hx509_generate_private_context *ctx,
                         unsigned long bits)
{
    ctx->num_bits = bits;
    return 0;
}


void
_hx509_generate_private_key_free(struct hx509_generate_private_context **ctx)
{
    free(*ctx);
    *ctx = NULL;
}

int
_hx509_generate_private_key(hx509_context context,
                      struct hx509_generate_private_context *ctx,
                      hx509_private_key *private_key)
{
    struct hx509_private_key_ops *ops;
    int ret;

    *private_key = NULL;

    ops = find_private_alg(ctx->key_oid);
    if (ops == NULL) {
      hx509_clear_error_string(context);
      return HX509_SIG_ALG_NO_SUPPORTED;
    }

    ret = _hx509_private_key_init(private_key, ops, NULL);
    if (ret) {
      hx509_set_error_string(context, 0, ret, "out of memory");
      return ret;
    }

    ret = (*ops->generate_private_key)(context, ctx, *private_key);
    if (ret)
      _hx509_private_key_free(private_key);

    return ret;
}

/*
 *
 */

const AlgorithmIdentifier *
hx509_signature_sha512(void)
{ return &_hx509_signature_sha512_data; }

const AlgorithmIdentifier *
hx509_signature_sha384(void)
{ return &_hx509_signature_sha384_data; }

const AlgorithmIdentifier *
hx509_signature_sha256(void)
{ return &_hx509_signature_sha256_data; }

const AlgorithmIdentifier *
hx509_signature_sha1(void)
{ return &_hx509_signature_sha1_data; }

const AlgorithmIdentifier *
hx509_signature_md5(void)
{ return &_hx509_signature_md5_data; }

const AlgorithmIdentifier *
hx509_signature_md2(void)
{ return &_hx509_signature_md2_data; }

const AlgorithmIdentifier *
hx509_signature_ecPublicKey(void)
{ return &_hx509_signature_ecPublicKey; }

const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha256(void)
{ return &_hx509_signature_ecdsa_with_sha256_data; }

const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha1(void)
{ return &_hx509_signature_ecdsa_with_sha1_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha512(void)
{ return &_hx509_signature_rsa_with_sha512_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha384(void)
{ return &_hx509_signature_rsa_with_sha384_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha256(void)
{ return &_hx509_signature_rsa_with_sha256_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha1(void)
{ return &_hx509_signature_rsa_with_sha1_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_with_md5(void)
{ return &_hx509_signature_rsa_with_md5_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_with_md2(void)
{ return &_hx509_signature_rsa_with_md2_data; }

const AlgorithmIdentifier *
hx509_signature_rsa(void)
{ return &_hx509_signature_rsa_data; }

const AlgorithmIdentifier *
hx509_signature_rsa_pkcs1_x509(void)
{ return &_hx509_signature_rsa_pkcs1_x509_data; }

const AlgorithmIdentifier *
hx509_crypto_des_rsdi_ede3_cbc(void)
{ return &_hx509_des_rsdi_ede3_cbc_oid; }

const AlgorithmIdentifier *
hx509_crypto_aes128_cbc(void)
{ return &_hx509_crypto_aes128_cbc_data; }

const AlgorithmIdentifier *
hx509_crypto_aes256_cbc(void)
{ return &_hx509_crypto_aes256_cbc_data; }

/*
 *
 */

const AlgorithmIdentifier * _hx509_crypto_default_sig_alg =
    &_hx509_signature_rsa_with_sha256_data;
const AlgorithmIdentifier * _hx509_crypto_default_digest_alg =
    &_hx509_signature_sha256_data;
const AlgorithmIdentifier * _hx509_crypto_default_secret_alg =
    &_hx509_crypto_aes128_cbc_data;

/*
 *
 */

int
_hx509_private_key_init(hx509_private_key *key,
                  hx509_private_key_ops *ops,
                  void *keydata)
{
    *key = calloc(1, sizeof(**key));
    if (*key == NULL)
      return ENOMEM;
    (*key)->ref = 1;
    (*key)->ops = ops;
    (*key)->private_key.keydata = keydata;
    return 0;
}

hx509_private_key
_hx509_private_key_ref(hx509_private_key key)
{
    if (key->ref == 0)
      _hx509_abort("key refcount <= 0 on ref");
    key->ref++;
    if (key->ref == UINT_MAX)
      _hx509_abort("key refcount == UINT_MAX on ref");
    return key;
}

const char *
_hx509_private_pem_name(hx509_private_key key)
{
    return key->ops->pemtype;
}

int
_hx509_private_key_free(hx509_private_key *key)
{
    if (key == NULL || *key == NULL)
      return 0;

    if ((*key)->ref == 0)
      _hx509_abort("key refcount == 0 on free");
    if (--(*key)->ref > 0)
      return 0;

    if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, &asn1_oid_id_pkcs1_rsaEncryption) == 0) {
      if ((*key)->private_key.rsa)
          RSA_free((*key)->private_key.rsa);
#ifdef HAVE_OPENSSL
    } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, &asn1_oid_id_ecPublicKey) == 0) {
      if ((*key)->private_key.ecdsa)
          EC_KEY_free((*key)->private_key.ecdsa);
#endif
    }
    (*key)->private_key.rsa = NULL;
    free(*key);
    *key = NULL;
    return 0;
}

void
_hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
{
    if (key->private_key.rsa)
      RSA_free(key->private_key.rsa);
    key->private_key.rsa = ptr;
    key->signature_alg = &asn1_oid_id_pkcs1_sha1WithRSAEncryption;
    key->md = &pkcs1_rsa_sha1_alg;
}

int
_hx509_private_key_oid(hx509_context context,
                   const hx509_private_key key,
                   heim_oid *data)
{
    int ret;
    ret = der_copy_oid(key->ops->key_oid, data);
    if (ret)
      hx509_set_error_string(context, 0, ret, "malloc out of memory");
    return ret;
}

int
_hx509_private_key_exportable(hx509_private_key key)
{
    if (key->ops->export == NULL)
      return 0;
    return 1;
}

BIGNUM *
_hx509_private_key_get_internal(hx509_context context,
                        hx509_private_key key,
                        const char *type)
{
    if (key->ops->get_internal == NULL)
      return NULL;
    return (*key->ops->get_internal)(context, key, type);
}

int
_hx509_private_key_export(hx509_context context,
                    const hx509_private_key key,
                    heim_octet_string *data)
{
    if (key->ops->export == NULL) {
      hx509_clear_error_string(context);
      return HX509_UNIMPLEMENTED_OPERATION;
    }
    return (*key->ops->export)(context, key, data);
}

/*
 *
 */

struct hx509cipher {
    const char *name;
    int flags;
#define CIPHER_WEAK 1
    const heim_oid *oid;
    const AlgorithmIdentifier *(*ai_func)(void);
    const EVP_CIPHER *(*evp_func)(void);
    int (*get_params)(hx509_context, const hx509_crypto,
                  const heim_octet_string *, heim_octet_string *);
    int (*set_params)(hx509_context, const heim_octet_string *,
                  hx509_crypto, heim_octet_string *);
};

struct hx509_crypto_data {
    char *name;
    int flags;
#define ALLOW_WEAK 1
    const struct hx509cipher *cipher;
    const EVP_CIPHER *c;
    heim_octet_string key;
    heim_oid oid;
    void *param;
};

/*
 *
 */

static unsigned private_rc2_40_oid_data[] = { 127, 1 };

static heim_oid asn1_oid_private_rc2_40 =
    { 2, private_rc2_40_oid_data };

/*
 *
 */

static int
CMSCBCParam_get(hx509_context context, const hx509_crypto crypto,
             const heim_octet_string *ivec, heim_octet_string *param)
{
    size_t size;
    int ret;

    assert(crypto->param == NULL);
    if (ivec == NULL)
      return 0;

    ASN1_MALLOC_ENCODE(CMSCBCParameter, param->data, param->length,
                   ivec, &size, ret);
    if (ret == 0 && size != param->length)
      _hx509_abort("Internal asn1 encoder failure");
    if (ret)
      hx509_clear_error_string(context);
    return ret;
}

static int
CMSCBCParam_set(hx509_context context, const heim_octet_string *param,
            hx509_crypto crypto, heim_octet_string *ivec)
{
    int ret;
    if (ivec == NULL)
      return 0;

    ret = decode_CMSCBCParameter(param->data, param->length, ivec, NULL);
    if (ret)
      hx509_clear_error_string(context);

    return ret;
}

struct _RC2_params {
    int maximum_effective_key;
};

static int
CMSRC2CBCParam_get(hx509_context context, const hx509_crypto crypto,
               const heim_octet_string *ivec, heim_octet_string *param)
{
    CMSRC2CBCParameter rc2params;
    const struct _RC2_params *p = crypto->param;
    int maximum_effective_key = 128;
    size_t size;
    int ret;

    memset(&rc2params, 0, sizeof(rc2params));

    if (p)
      maximum_effective_key = p->maximum_effective_key;

    switch(maximum_effective_key) {
    case 40:
      rc2params.rc2ParameterVersion = 160;
      break;
    case 64:
      rc2params.rc2ParameterVersion = 120;
      break;
    case 128:
      rc2params.rc2ParameterVersion = 58;
      break;
    }
    rc2params.iv = *ivec;

    ASN1_MALLOC_ENCODE(CMSRC2CBCParameter, param->data, param->length,
                   &rc2params, &size, ret);
    if (ret == 0 && size != param->length)
      _hx509_abort("Internal asn1 encoder failure");

    return ret;
}

static int
CMSRC2CBCParam_set(hx509_context context, const heim_octet_string *param,
               hx509_crypto crypto, heim_octet_string *ivec)
{
    CMSRC2CBCParameter rc2param;
    struct _RC2_params *p;
    size_t size;
    int ret;

    ret = decode_CMSRC2CBCParameter(param->data, param->length,
                            &rc2param, &size);
    if (ret) {
      hx509_clear_error_string(context);
      return ret;
    }

    p = calloc(1, sizeof(*p));
    if (p == NULL) {
      free_CMSRC2CBCParameter(&rc2param);
      hx509_clear_error_string(context);
      return ENOMEM;
    }
    switch(rc2param.rc2ParameterVersion) {
    case 160:
      crypto->c = EVP_rc2_40_cbc();
      p->maximum_effective_key = 40;
      break;
    case 120:
      crypto->c = EVP_rc2_64_cbc();
      p->maximum_effective_key = 64;
      break;
    case 58:
      crypto->c = EVP_rc2_cbc();
      p->maximum_effective_key = 128;
      break;
    default:
      free(p);
      free_CMSRC2CBCParameter(&rc2param);
      return HX509_CRYPTO_SIG_INVALID_FORMAT;
    }
    if (ivec)
      ret = der_copy_octet_string(&rc2param.iv, ivec);
    free_CMSRC2CBCParameter(&rc2param);
    if (ret) {
      free(p);
      hx509_clear_error_string(context);
    } else
      crypto->param = p;

    return ret;
}

/*
 *
 */

static const struct hx509cipher ciphers[] = {
    {
      "rc2-cbc",
      CIPHER_WEAK,
      &asn1_oid_id_pkcs3_rc2_cbc,
      NULL,
      EVP_rc2_cbc,
      CMSRC2CBCParam_get,
      CMSRC2CBCParam_set
    },
    {
      "rc2-cbc",
      CIPHER_WEAK,
      &asn1_oid_id_rsadsi_rc2_cbc,
      NULL,
      EVP_rc2_cbc,
      CMSRC2CBCParam_get,
      CMSRC2CBCParam_set
    },
    {
      "rc2-40-cbc",
      CIPHER_WEAK,
      &asn1_oid_private_rc2_40,
      NULL,
      EVP_rc2_40_cbc,
      CMSRC2CBCParam_get,
      CMSRC2CBCParam_set
    },
    {
      "des-ede3-cbc",
      0,
      &asn1_oid_id_pkcs3_des_ede3_cbc,
      NULL,
      EVP_des_ede3_cbc,
      CMSCBCParam_get,
      CMSCBCParam_set
    },
    {
      "des-ede3-cbc",
      0,
      &asn1_oid_id_rsadsi_des_ede3_cbc,
      hx509_crypto_des_rsdi_ede3_cbc,
      EVP_des_ede3_cbc,
      CMSCBCParam_get,
      CMSCBCParam_set
    },
    {
      "aes-128-cbc",
      0,
      &asn1_oid_id_aes_128_cbc,
      hx509_crypto_aes128_cbc,
      EVP_aes_128_cbc,
      CMSCBCParam_get,
      CMSCBCParam_set
    },
    {
      "aes-192-cbc",
      0,
      &asn1_oid_id_aes_192_cbc,
      NULL,
      EVP_aes_192_cbc,
      CMSCBCParam_get,
      CMSCBCParam_set
    },
    {
      "aes-256-cbc",
      0,
      &asn1_oid_id_aes_256_cbc,
      hx509_crypto_aes256_cbc,
      EVP_aes_256_cbc,
      CMSCBCParam_get,
      CMSCBCParam_set
    }
};

static const struct hx509cipher *
find_cipher_by_oid(const heim_oid *oid)
{
    int i;

    for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
      if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0)
          return &ciphers[i];

    return NULL;
}

static const struct hx509cipher *
find_cipher_by_name(const char *name)
{
    int i;

    for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
      if (strcasecmp(name, ciphers[i].name) == 0)
          return &ciphers[i];

    return NULL;
}


const heim_oid *
hx509_crypto_enctype_by_name(const char *name)
{
    const struct hx509cipher *cipher;

    cipher = find_cipher_by_name(name);
    if (cipher == NULL)
      return NULL;
    return cipher->oid;
}

int
hx509_crypto_init(hx509_context context,
              const char *provider,
              const heim_oid *enctype,
              hx509_crypto *crypto)
{
    const struct hx509cipher *cipher;

    *crypto = NULL;

    cipher = find_cipher_by_oid(enctype);
    if (cipher == NULL) {
      hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
                         "Algorithm not supported");
      return HX509_ALG_NOT_SUPP;
    }

    *crypto = calloc(1, sizeof(**crypto));
    if (*crypto == NULL) {
      hx509_clear_error_string(context);
      return ENOMEM;
    }

    (*crypto)->cipher = cipher;
    (*crypto)->c = (*cipher->evp_func)();

    if (der_copy_oid(enctype, &(*crypto)->oid)) {
      hx509_crypto_destroy(*crypto);
      *crypto = NULL;
      hx509_clear_error_string(context);
      return ENOMEM;
    }

    return 0;
}

const char *
hx509_crypto_provider(hx509_crypto crypto)
{
    return "unknown";
}

void
hx509_crypto_destroy(hx509_crypto crypto)
{
    if (crypto->name)
      free(crypto->name);
    if (crypto->key.data)
      free(crypto->key.data);
    if (crypto->param)
      free(crypto->param);
    der_free_oid(&crypto->oid);
    memset(crypto, 0, sizeof(*crypto));
    free(crypto);
}

int
hx509_crypto_set_key_name(hx509_crypto crypto, const char *name)
{
    return 0;
}

void
hx509_crypto_allow_weak(hx509_crypto crypto)
{
    crypto->flags |= ALLOW_WEAK;
}

int
hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
{
    if (EVP_CIPHER_key_length(crypto->c) > length)
      return HX509_CRYPTO_INTERNAL_ERROR;

    if (crypto->key.data) {
      free(crypto->key.data);
      crypto->key.data = NULL;
      crypto->key.length = 0;
    }
    crypto->key.data = malloc(length);
    if (crypto->key.data == NULL)
      return ENOMEM;
    memcpy(crypto->key.data, data, length);
    crypto->key.length = length;

    return 0;
}

int
hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
{
    if (crypto->key.data) {
      free(crypto->key.data);
      crypto->key.length = 0;
    }

    crypto->key.length = EVP_CIPHER_key_length(crypto->c);
    crypto->key.data = malloc(crypto->key.length);
    if (crypto->key.data == NULL) {
      crypto->key.length = 0;
      return ENOMEM;
    }
    if (RAND_bytes(crypto->key.data, crypto->key.length) <= 0) {
      free(crypto->key.data);
      crypto->key.data = NULL;
      crypto->key.length = 0;
      return HX509_CRYPTO_INTERNAL_ERROR;
    }
    if (key)
      return der_copy_octet_string(&crypto->key, key);
    else
      return 0;
}

int
hx509_crypto_set_params(hx509_context context,
                  hx509_crypto crypto,
                  const heim_octet_string *param,
                  heim_octet_string *ivec)
{
    return (*crypto->cipher->set_params)(context, param, crypto, ivec);
}

int
hx509_crypto_get_params(hx509_context context,
                  hx509_crypto crypto,
                  const heim_octet_string *ivec,
                  heim_octet_string *param)
{
    return (*crypto->cipher->get_params)(context, crypto, ivec, param);
}

int
hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
{
    ivec->length = EVP_CIPHER_iv_length(crypto->c);
    ivec->data = malloc(ivec->length);
    if (ivec->data == NULL) {
      ivec->length = 0;
      return ENOMEM;
    }

    if (RAND_bytes(ivec->data, ivec->length) <= 0) {
      free(ivec->data);
      ivec->data = NULL;
      ivec->length = 0;
      return HX509_CRYPTO_INTERNAL_ERROR;
    }
    return 0;
}

int
hx509_crypto_encrypt(hx509_crypto crypto,
                 const void *data,
                 const size_t length,
                 const heim_octet_string *ivec,
                 heim_octet_string **ciphertext)
{
    EVP_CIPHER_CTX evp;
    size_t padsize;
    int ret;

    *ciphertext = NULL;

    if ((crypto->cipher->flags & CIPHER_WEAK) &&
      (crypto->flags & ALLOW_WEAK) == 0)
      return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;

    assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length);

    EVP_CIPHER_CTX_init(&evp);

    ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
                      crypto->key.data, ivec->data, 1);
    if (ret != 1) {
      EVP_CIPHER_CTX_cleanup(&evp);
      ret = HX509_CRYPTO_INTERNAL_ERROR;
      goto out;
    }

    *ciphertext = calloc(1, sizeof(**ciphertext));
    if (*ciphertext == NULL) {
      ret = ENOMEM;
      goto out;
    }

    if (EVP_CIPHER_block_size(crypto->c) == 1) {
      padsize = 0;
    } else {
      int bsize = EVP_CIPHER_block_size(crypto->c);
      padsize = bsize - (length % bsize);
    }
    (*ciphertext)->length = length + padsize;
    (*ciphertext)->data = malloc(length + padsize);
    if ((*ciphertext)->data == NULL) {
      ret = ENOMEM;
      goto out;
    }
      
    memcpy((*ciphertext)->data, data, length);
    if (padsize) {
      int i;
      unsigned char *p = (*ciphertext)->data;
      p += length;
      for (i = 0; i < padsize; i++)
          *p++ = padsize;
    }

    ret = EVP_Cipher(&evp, (*ciphertext)->data,
                 (*ciphertext)->data,
                 length + padsize);
    if (ret != 1) {
      ret = HX509_CRYPTO_INTERNAL_ERROR;
      goto out;
    }
    ret = 0;

 out:
    if (ret) {
      if (*ciphertext) {
          if ((*ciphertext)->data) {
            free((*ciphertext)->data);
          }
          free(*ciphertext);
          *ciphertext = NULL;
      }
    }
    EVP_CIPHER_CTX_cleanup(&evp);

    return ret;
}

int
hx509_crypto_decrypt(hx509_crypto crypto,
                 const void *data,
                 const size_t length,
                 heim_octet_string *ivec,
                 heim_octet_string *clear)
{
    EVP_CIPHER_CTX evp;
    void *idata = NULL;
    int ret;

    clear->data = NULL;
    clear->length = 0;

    if ((crypto->cipher->flags & CIPHER_WEAK) &&
      (crypto->flags & ALLOW_WEAK) == 0)
      return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;

    if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length)
      return HX509_CRYPTO_INTERNAL_ERROR;

    if (crypto->key.data == NULL)
      return HX509_CRYPTO_INTERNAL_ERROR;

    if (ivec)
      idata = ivec->data;

    EVP_CIPHER_CTX_init(&evp);

    ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
                      crypto->key.data, idata, 0);
    if (ret != 1) {
      EVP_CIPHER_CTX_cleanup(&evp);
      return HX509_CRYPTO_INTERNAL_ERROR;
    }

    clear->length = length;
    clear->data = malloc(length);
    if (clear->data == NULL) {
      EVP_CIPHER_CTX_cleanup(&evp);
      clear->length = 0;
      return ENOMEM;
    }

    if (EVP_Cipher(&evp, clear->data, data, length) != 1) {
      return HX509_CRYPTO_INTERNAL_ERROR;
    }
    EVP_CIPHER_CTX_cleanup(&evp);

    if (EVP_CIPHER_block_size(crypto->c) > 1) {
      int padsize;
      unsigned char *p;
      int j, bsize = EVP_CIPHER_block_size(crypto->c);

      if (clear->length < bsize) {
          ret = HX509_CMS_PADDING_ERROR;
          goto out;
      }

      p = clear->data;
      p += clear->length - 1;
      padsize = *p;
      if (padsize > bsize) {
          ret = HX509_CMS_PADDING_ERROR;
          goto out;
      }
      clear->length -= padsize;
      for (j = 0; j < padsize; j++) {
          if (*p-- != padsize) {
            ret = HX509_CMS_PADDING_ERROR;
            goto out;
          }
      }
    }

    return 0;

 out:
    if (clear->data)
      free(clear->data);
    clear->data = NULL;
    clear->length = 0;
    return ret;
}

typedef int (*PBE_string2key_func)(hx509_context,
                           const char *,
                           const heim_octet_string *,
                           hx509_crypto *, heim_octet_string *,
                           heim_octet_string *,
                           const heim_oid *, const EVP_MD *);

static int
PBE_string2key(hx509_context context,
             const char *password,
             const heim_octet_string *parameters,
             hx509_crypto *crypto,
             heim_octet_string *key, heim_octet_string *iv,
             const heim_oid *enc_oid,
             const EVP_MD *md)
{
    PKCS12_PBEParams p12params;
    int passwordlen;
    hx509_crypto c;
    int iter, saltlen, ret;
    unsigned char *salt;

    passwordlen = password ? strlen(password) : 0;

    if (parameters == NULL)
      return HX509_ALG_NOT_SUPP;

    ret = decode_PKCS12_PBEParams(parameters->data,
                          parameters->length,
                          &p12params, NULL);
    if (ret)
      goto out;

    if (p12params.iterations)
      iter = *p12params.iterations;
    else
      iter = 1;
    salt = p12params.salt.data;
    saltlen = p12params.salt.length;

    if (!PKCS12_key_gen (password, passwordlen, salt, saltlen,
                   PKCS12_KEY_ID, iter, key->length, key->data, md)) {
      ret = HX509_CRYPTO_INTERNAL_ERROR;
      goto out;
    }

    if (!PKCS12_key_gen (password, passwordlen, salt, saltlen,
                   PKCS12_IV_ID, iter, iv->length, iv->data, md)) {
      ret = HX509_CRYPTO_INTERNAL_ERROR;
      goto out;
    }

    ret = hx509_crypto_init(context, NULL, enc_oid, &c);
    if (ret)
      goto out;

    hx509_crypto_allow_weak(c);

    ret = hx509_crypto_set_key_data(c, key->data, key->length);
    if (ret) {
      hx509_crypto_destroy(c);
      goto out;
    }

    *crypto = c;
out:
    free_PKCS12_PBEParams(&p12params);
    return ret;
}

static const heim_oid *
find_string2key(const heim_oid *oid,
            const EVP_CIPHER **c,
            const EVP_MD **md,
            PBE_string2key_func *s2k)
{
    if (der_heim_oid_cmp(oid, &asn1_oid_id_pbewithSHAAnd40BitRC2_CBC) == 0) {
      *c = EVP_rc2_40_cbc();
      *md = EVP_sha1();
      *s2k = PBE_string2key;
      return &asn1_oid_private_rc2_40;
    } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd128BitRC2_CBC) == 0) {
      *c = EVP_rc2_cbc();
      *md = EVP_sha1();
      *s2k = PBE_string2key;
      return &asn1_oid_id_pkcs3_rc2_cbc;
#if 0
    } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd40BitRC4) == 0) {
      *c = EVP_rc4_40();
      *md = EVP_sha1();
      *s2k = PBE_string2key;
      return NULL;
    } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd128BitRC4) == 0) {
      *c = EVP_rc4();
      *md = EVP_sha1();
      *s2k = PBE_string2key;
      return &asn1_oid_id_pkcs3_rc4;
#endif
    } else if (der_heim_oid_cmp(oid, &asn1_oid_id_pbeWithSHAAnd3_KeyTripleDES_CBC) == 0) {
      *c = EVP_des_ede3_cbc();
      *md = EVP_sha1();
      *s2k = PBE_string2key;
      return &asn1_oid_id_pkcs3_des_ede3_cbc;
    }

    return NULL;
}

/*
 *
 */

int
_hx509_pbe_encrypt(hx509_context context,
               hx509_lock lock,
               const AlgorithmIdentifier *ai,
               const heim_octet_string *content,
               heim_octet_string *econtent)
{
    hx509_clear_error_string(context);
    return EINVAL;
}

/*
 *
 */

int
_hx509_pbe_decrypt(hx509_context context,
               hx509_lock lock,
               const AlgorithmIdentifier *ai,
               const heim_octet_string *econtent,
               heim_octet_string *content)
{
    const struct _hx509_password *pw;
    heim_octet_string key, iv;
    const heim_oid *enc_oid;
    const EVP_CIPHER *c;
    const EVP_MD *md;
    PBE_string2key_func s2k;
    int i, ret = 0;

    memset(&key, 0, sizeof(key));
    memset(&iv, 0, sizeof(iv));

    memset(content, 0, sizeof(*content));

    enc_oid = find_string2key(&ai->algorithm, &c, &md, &s2k);
    if (enc_oid == NULL) {
      hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
                         "String to key algorithm not supported");
      ret = HX509_ALG_NOT_SUPP;
      goto out;
    }

    key.length = EVP_CIPHER_key_length(c);
    key.data = malloc(key.length);
    if (key.data == NULL) {
      ret = ENOMEM;
      hx509_clear_error_string(context);
      goto out;
    }

    iv.length = EVP_CIPHER_iv_length(c);
    iv.data = malloc(iv.length);
    if (iv.data == NULL) {
      ret = ENOMEM;
      hx509_clear_error_string(context);
      goto out;
    }

    pw = _hx509_lock_get_passwords(lock);

    ret = HX509_CRYPTO_INTERNAL_ERROR;
    for (i = 0; i < pw->len + 1; i++) {
      hx509_crypto crypto;
      const char *password;

      if (i < pw->len)
          password = pw->val[i];
      else if (i < pw->len + 1)
          password = "";
      else
          password = NULL;

      ret = (*s2k)(context, password, ai->parameters, &crypto,
                 &key, &iv, enc_oid, md);
      if (ret)
          goto out;

      ret = hx509_crypto_decrypt(crypto,
                           econtent->data,
                           econtent->length,
                           &iv,
                           content);
      hx509_crypto_destroy(crypto);
      if (ret == 0)
          goto out;
                        
    }
out:
    if (key.data)
      der_free_octet_string(&key);
    if (iv.data)
      der_free_octet_string(&iv);
    return ret;
}

/*
 *
 */


static int
match_keys_rsa(hx509_cert c, hx509_private_key private_key)
{
    const Certificate *cert;
    const SubjectPublicKeyInfo *spi;
    RSAPublicKey pk;
    RSA *rsa;
    size_t size;
    int ret;

    if (private_key->private_key.rsa == NULL)
      return 0;

    rsa = private_key->private_key.rsa;
    if (rsa->d == NULL || rsa->p == NULL || rsa->q == NULL)
      return 0;

    cert = _hx509_get_cert(c);
    spi = &cert->tbsCertificate.subjectPublicKeyInfo;

    rsa = RSA_new();
    if (rsa == NULL)
      return 0;

    ret = decode_RSAPublicKey(spi->subjectPublicKey.data,
                        spi->subjectPublicKey.length / 8,
                        &pk, &size);
    if (ret) {
      RSA_free(rsa);
      return 0;
    }
    rsa->n = heim_int2BN(&pk.modulus);
    rsa->e = heim_int2BN(&pk.publicExponent);

    free_RSAPublicKey(&pk);

    rsa->d = BN_dup(private_key->private_key.rsa->d);
    rsa->p = BN_dup(private_key->private_key.rsa->p);
    rsa->q = BN_dup(private_key->private_key.rsa->q);
    rsa->dmp1 = BN_dup(private_key->private_key.rsa->dmp1);
    rsa->dmq1 = BN_dup(private_key->private_key.rsa->dmq1);
    rsa->iqmp = BN_dup(private_key->private_key.rsa->iqmp);

    if (rsa->n == NULL || rsa->e == NULL ||
      rsa->d == NULL || rsa->p == NULL|| rsa->q == NULL ||
      rsa->dmp1 == NULL || rsa->dmq1 == NULL) {
      RSA_free(rsa);
      return 0;
    }

    ret = RSA_check_key(rsa);
    RSA_free(rsa);

    return ret == 1;
}

static int
match_keys_ec(hx509_cert c, hx509_private_key private_key)
{
    return 1; /* XXX use EC_KEY_check_key */
}


int
_hx509_match_keys(hx509_cert c, hx509_private_key key)
{
    if (der_heim_oid_cmp(key->ops->key_oid, &asn1_oid_id_pkcs1_rsaEncryption) == 0)
      return match_keys_rsa(c, key);
    if (der_heim_oid_cmp(key->ops->key_oid, &asn1_oid_id_ecPublicKey) == 0)
      return match_keys_ec(c, key);
    return 0;

}


static const heim_oid *
find_keytype(const hx509_private_key key)
{
    const struct signature_alg *md;

    if (key == NULL)
      return NULL;

    md = find_sig_alg(key->signature_alg);
    if (md == NULL)
      return NULL;
    return md->key_oid;
}

int
hx509_crypto_select(const hx509_context context,
                int type,
                const hx509_private_key source,
                hx509_peer_info peer,
                AlgorithmIdentifier *selected)
{
    const AlgorithmIdentifier *def = NULL;
    size_t i, j;
    int ret, bits;

    memset(selected, 0, sizeof(*selected));

    if (type == HX509_SELECT_DIGEST) {
      bits = SIG_DIGEST;
      if (source)
          def = alg_for_privatekey(source, type);
      if (def == NULL)
          def = _hx509_crypto_default_digest_alg;
    } else if (type == HX509_SELECT_PUBLIC_SIG) {
      bits = SIG_PUBLIC_SIG;
      /* XXX depend on `source´ and `peer´ */
      if (source)
          def = alg_for_privatekey(source, type);
      if (def == NULL)
          def = _hx509_crypto_default_sig_alg;
    } else if (type == HX509_SELECT_SECRET_ENC) {
      bits = SIG_SECRET;
      def = _hx509_crypto_default_secret_alg;
    } else {
      hx509_set_error_string(context, 0, EINVAL,
                         "Unknown type %d of selection", type);
      return EINVAL;
    }

    if (peer) {
      const heim_oid *keytype = NULL;

      keytype = find_keytype(source);

      for (i = 0; i < peer->len; i++) {
          for (j = 0; sig_algs[j]; j++) {
            if ((sig_algs[j]->flags & bits) != bits)
                continue;
            if (der_heim_oid_cmp(sig_algs[j]->sig_oid,
                             &peer->val[i].algorithm) != 0)
                continue;
            if (keytype && sig_algs[j]->key_oid &&
                der_heim_oid_cmp(keytype, sig_algs[j]->key_oid))
                continue;

            /* found one, use that */
            ret = copy_AlgorithmIdentifier(&peer->val[i], selected);
            if (ret)
                hx509_clear_error_string(context);
            return ret;
          }
          if (bits & SIG_SECRET) {
            const struct hx509cipher *cipher;

            cipher = find_cipher_by_oid(&peer->val[i].algorithm);
            if (cipher == NULL)
                continue;
            if (cipher->ai_func == NULL)
                continue;
            ret = copy_AlgorithmIdentifier(cipher->ai_func(), selected);
            if (ret)
                hx509_clear_error_string(context);
            return ret;
          }
      }
    }

    /* use default */
    ret = copy_AlgorithmIdentifier(def, selected);
    if (ret)
      hx509_clear_error_string(context);
    return ret;
}

int
hx509_crypto_available(hx509_context context,
                   int type,
                   hx509_cert source,
                   AlgorithmIdentifier **val,
                   unsigned int *plen)
{
    const heim_oid *keytype = NULL;
    unsigned int len, i;
    void *ptr;
    int bits, ret;

    *val = NULL;

    if (type == HX509_SELECT_ALL) {
      bits = SIG_DIGEST | SIG_PUBLIC_SIG | SIG_SECRET;
    } else if (type == HX509_SELECT_DIGEST) {
      bits = SIG_DIGEST;
    } else if (type == HX509_SELECT_PUBLIC_SIG) {
      bits = SIG_PUBLIC_SIG;
    } else {
      hx509_set_error_string(context, 0, EINVAL,
                         "Unknown type %d of available", type);
      return EINVAL;
    }

    if (source)
      keytype = find_keytype(_hx509_cert_private_key(source));

    len = 0;
    for (i = 0; sig_algs[i]; i++) {
      if ((sig_algs[i]->flags & bits) == 0)
          continue;
      if (sig_algs[i]->sig_alg == NULL)
          continue;
      if (keytype && sig_algs[i]->key_oid &&
          der_heim_oid_cmp(sig_algs[i]->key_oid, keytype))
          continue;

      /* found one, add that to the list */
      ptr = realloc(*val, sizeof(**val) * (len + 1));
      if (ptr == NULL)
          goto out;
      *val = ptr;

      ret = copy_AlgorithmIdentifier(sig_algs[i]->sig_alg, &(*val)[len]);
      if (ret)
          goto out;
      len++;
    }

    /* Add AES */
    if (bits & SIG_SECRET) {

      for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) {

          if (ciphers[i].flags & CIPHER_WEAK)
            continue;
          if (ciphers[i].ai_func == NULL)
            continue;

          ptr = realloc(*val, sizeof(**val) * (len + 1));
          if (ptr == NULL)
            goto out;
          *val = ptr;
      
          ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]);
          if (ret)
            goto out;
          len++;
      }
    }

    *plen = len;
    return 0;

out:
    for (i = 0; i < len; i++)
      free_AlgorithmIdentifier(&(*val)[i]);
    free(*val);
    *val = NULL;
    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
    return ENOMEM;
}

void
hx509_crypto_free_algs(AlgorithmIdentifier *val,
                   unsigned int len)
{
    unsigned int i;
    for (i = 0; i < len; i++)
      free_AlgorithmIdentifier(&val[i]);
    free(val);
}

Generated by  Doxygen 1.6.0   Back to index