lib/pkcs12/p12exp.c
author EKR <ekr@rtfm.com>
Fri, 02 Dec 2016 16:32:09 +0100
changeset 12940 433172d35f525c82db3eb0b583f40e93a7d3a7c8
parent 12774 48fe9657a2034bc52638ec793ff36cdc44b53891
permissions -rw-r--r--
Bug 1321809 - Only increment the advertised extensions when appending rather than on both passes. r=mt Differential Revision: https://nss-review.dev.mozaws.net/D111

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "plarena.h"
#include "secitem.h"
#include "secoid.h"
#include "seccomon.h"
#include "secport.h"
#include "cert.h"
#include "pkcs12.h"
#include "p12local.h"
#include "secpkcs7.h"
#include "secasn1.h"
#include "secerr.h"
#include "p12plcy.h"

/* release the memory taken up by the list of nicknames */
static void
sec_pkcs12_destroy_nickname_list(SECItem **nicknames)
{
    int i = 0;

    if (nicknames == NULL) {
        return;
    }

    while (nicknames[i] != NULL) {
        SECITEM_FreeItem(nicknames[i], PR_FALSE);
        i++;
    }

    PORT_Free(nicknames);
}

/* release the memory taken up by the list of certificates */
static void
sec_pkcs12_destroy_certificate_list(CERTCertificate **ref_certs)
{
    int i = 0;

    if (ref_certs == NULL) {
        return;
    }

    while (ref_certs[i] != NULL) {
        CERT_DestroyCertificate(ref_certs[i]);
        i++;
    }
}

static void
sec_pkcs12_destroy_cinfos_for_cert_bags(SEC_PKCS12CertAndCRLBag *certBag)
{
    int j = 0;
    j = 0;
    while (certBag->certAndCRLs[j] != NULL) {
        SECOidTag certType = SECOID_FindOIDTag(&certBag->certAndCRLs[j]->BagID);
        if (certType == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
            SEC_PKCS12X509CertCRL *x509;
            x509 = certBag->certAndCRLs[j]->value.x509;
            SEC_PKCS7DestroyContentInfo(&x509->certOrCRL);
        }
        j++;
    }
}

/* destroy all content infos since they were not allocated in common
 * pool
 */
static void
sec_pkcs12_destroy_cert_content_infos(SEC_PKCS12SafeContents *safe,
                                      SEC_PKCS12Baggage *baggage)
{
    int i, j;

    if ((safe != NULL) && (safe->contents != NULL)) {
        i = 0;
        while (safe->contents[i] != NULL) {
            SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
            if (bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
                SEC_PKCS12CertAndCRLBag *certBag;
                certBag = safe->contents[i]->safeContent.certAndCRLBag;
                sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
            }
            i++;
        }
    }

    if ((baggage != NULL) && (baggage->bags != NULL)) {
        i = 0;
        while (baggage->bags[i] != NULL) {
            if (baggage->bags[i]->unencSecrets != NULL) {
                j = 0;
                while (baggage->bags[i]->unencSecrets[j] != NULL) {
                    SECOidTag bagType;
                    bagType = SECOID_FindOIDTag(&baggage->bags[i]->unencSecrets[j]->safeBagType);
                    if (bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
                        SEC_PKCS12CertAndCRLBag *certBag;
                        certBag = baggage->bags[i]->unencSecrets[j]->safeContent.certAndCRLBag;
                        sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
                    }
                    j++;
                }
            }
            i++;
        }
    }
}

/* convert the nickname list from a NULL termincated Char list
 * to a NULL terminated SECItem list
 */
static SECItem **
sec_pkcs12_convert_nickname_list(char **nicknames)
{
    SECItem **nicks;
    int i, j;
    PRBool error = PR_FALSE;

    if (nicknames == NULL) {
        return NULL;
    }

    i = j = 0;
    while (nicknames[i] != NULL) {
        i++;
    }

    /* allocate the space and copy the data */
    nicks = (SECItem **)PORT_ZAlloc(sizeof(SECItem *) * (i + 1));
    if (nicks != NULL) {
        for (j = 0; ((j < i) && (error == PR_FALSE)); j++) {
            nicks[j] = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
            if (nicks[j] != NULL) {
                nicks[j]->data =
                    (unsigned char *)PORT_ZAlloc(PORT_Strlen(nicknames[j]) + 1);
                if (nicks[j]->data != NULL) {
                    nicks[j]->len = PORT_Strlen(nicknames[j]);
                    PORT_Memcpy(nicks[j]->data, nicknames[j], nicks[j]->len);
                    nicks[j]->data[nicks[j]->len] = 0;
                } else {
                    error = PR_TRUE;
                }
            } else {
                error = PR_TRUE;
            }
        }
    }

    if (error == PR_TRUE) {
        for (i = 0; i < j; i++) {
            SECITEM_FreeItem(nicks[i], PR_TRUE);
        }
        PORT_Free(nicks);
        nicks = NULL;
    }

    return nicks;
}

/* package the certificate add_cert into PKCS12 structures,
 * retrieve the certificate chain for the cert and return
 * the packaged contents.
 * poolp -- common memory pool;
 * add_cert -- certificate to package up
 * nickname for the certificate
 * a return of NULL indicates an error
 */
static SEC_PKCS12CertAndCRL *
sec_pkcs12_get_cert(PLArenaPool *poolp,
                    CERTCertificate *add_cert,
                    SECItem *nickname)
{
    SEC_PKCS12CertAndCRL *cert;
    SEC_PKCS7ContentInfo *cinfo;
    SGNDigestInfo *t_di;
    void *mark;
    SECStatus rv;

    if ((poolp == NULL) || (add_cert == NULL) || (nickname == NULL)) {
        return NULL;
    }
    mark = PORT_ArenaMark(poolp);

    cert = sec_pkcs12_new_cert_crl(poolp, SEC_OID_PKCS12_X509_CERT_CRL_BAG);
    if (cert != NULL) {

        /* copy the nickname */
        rv = SECITEM_CopyItem(poolp, &cert->nickname, nickname);
        if (rv != SECSuccess) {
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            cert = NULL;
        } else {

            /* package the certificate and cert chain into a NULL signer
             * PKCS 7 SignedData content Info and prepare it for encoding
             * since we cannot use DER_ANY_TEMPLATE
             */
            cinfo = SEC_PKCS7CreateCertsOnly(add_cert, PR_TRUE, NULL);
            rv = SEC_PKCS7PrepareForEncode(cinfo, NULL, NULL, NULL);

            /* thumbprint the certificate */
            if ((cinfo != NULL) && (rv == SECSuccess)) {
                PORT_Memcpy(&cert->value.x509->certOrCRL, cinfo, sizeof(*cinfo));
                t_di = sec_pkcs12_compute_thumbprint(&add_cert->derCert);
                if (t_di != NULL) {
                    /* test */
                    rv = SGN_CopyDigestInfo(poolp, &cert->value.x509->thumbprint,
                                            t_di);
                    if (rv != SECSuccess) {
                        cert = NULL;
                        PORT_SetError(SEC_ERROR_NO_MEMORY);
                    }
                    SGN_DestroyDigestInfo(t_di);
                } else
                    cert = NULL;
            }
        }
    }

    if (cert == NULL) {
        PORT_ArenaRelease(poolp, mark);
    } else {
        PORT_ArenaUnmark(poolp, mark);
    }

    return cert;
}

/* package the private key associated with the certificate and
 * return the appropriate PKCS 12 structure
 * poolp common memory pool
 * nickname key nickname
 * cert -- cert to look up
 * wincx -- window handle
 * an error is indicated by a return of NULL
 */
static SEC_PKCS12PrivateKey *
sec_pkcs12_get_private_key(PLArenaPool *poolp,
                           SECItem *nickname,
                           CERTCertificate *cert,
                           void *wincx)
{
    SECKEYPrivateKeyInfo *pki;
    SEC_PKCS12PrivateKey *pk;
    SECStatus rv;
    void *mark;

    if ((poolp == NULL) || (nickname == NULL)) {
        return NULL;
    }

    mark = PORT_ArenaMark(poolp);

    /* retrieve key from the data base */
    pki = PK11_ExportPrivateKeyInfo(nickname, cert, wincx);
    if (pki == NULL) {
        PORT_ArenaRelease(poolp, mark);
        PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
        return NULL;
    }

    pk = (SEC_PKCS12PrivateKey *)PORT_ArenaZAlloc(poolp,
                                                  sizeof(SEC_PKCS12PrivateKey));
    if (pk != NULL) {
        rv = sec_pkcs12_init_pvk_data(poolp, &pk->pvkData);

        if (rv == SECSuccess) {
            /* copy the key into poolp memory space */
            rv = SECKEY_CopyPrivateKeyInfo(poolp, &pk->pkcs8data, pki);
            if (rv == SECSuccess) {
                rv = SECITEM_CopyItem(poolp, &pk->pvkData.nickname, nickname);
            }
        }

        if (rv != SECSuccess) {
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            pk = NULL;
        }
    } else {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
    }

    /* destroy private key, zeroing out data */
    SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
    if (pk == NULL) {
        PORT_ArenaRelease(poolp, mark);
    } else {
        PORT_ArenaUnmark(poolp, mark);
    }

    return pk;
}

/* get a shrouded key item associated with a certificate
 * return the appropriate PKCS 12 structure
 * poolp common memory pool
 * nickname key nickname
 * cert -- cert to look up
 * wincx -- window handle
 * an error is indicated by a return of NULL
 */
static SEC_PKCS12ESPVKItem *
sec_pkcs12_get_shrouded_key(PLArenaPool *poolp,
                            SECItem *nickname,
                            CERTCertificate *cert,
                            SECOidTag algorithm,
                            SECItem *pwitem,
                            PKCS12UnicodeConvertFunction unicodeFn,
                            void *wincx)
{
    SECKEYEncryptedPrivateKeyInfo *epki;
    SEC_PKCS12ESPVKItem *pk;
    void *mark;
    SECStatus rv;
    PK11SlotInfo *slot = NULL;
    PRBool swapUnicodeBytes = PR_FALSE;

#ifdef IS_LITTLE_ENDIAN
    swapUnicodeBytes = PR_TRUE;
#endif

    if ((poolp == NULL) || (nickname == NULL))
        return NULL;

    mark = PORT_ArenaMark(poolp);

    /* use internal key slot */
    slot = PK11_GetInternalKeySlot();

    /* retrieve encrypted prviate key */
    epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, pwitem,
                                              nickname, cert, 1, 0, NULL);
    PK11_FreeSlot(slot);
    if (epki == NULL) {
        PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
        PORT_ArenaRelease(poolp, mark);
        return NULL;
    }

    /* create a private key and store the data into the poolp memory space */
    pk = sec_pkcs12_create_espvk(poolp, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING);
    if (pk != NULL) {
        rv = sec_pkcs12_init_pvk_data(poolp, &pk->espvkData);
        rv = SECITEM_CopyItem(poolp, &pk->espvkData.nickname, nickname);
        pk->espvkCipherText.pkcs8KeyShroud =
            (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp,
                                                              sizeof(SECKEYEncryptedPrivateKeyInfo));
        if ((pk->espvkCipherText.pkcs8KeyShroud != NULL) && (rv == SECSuccess)) {
            rv = SECKEY_CopyEncryptedPrivateKeyInfo(poolp,
                                                    pk->espvkCipherText.pkcs8KeyShroud, epki);
            if (rv == SECSuccess) {
                rv = (*unicodeFn)(poolp, &pk->espvkData.uniNickName, nickname,
                                  PR_TRUE, swapUnicodeBytes);
            }
        }

        if (rv != SECSuccess) {
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            pk = NULL;
        }
    }

    SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
    if (pk == NULL) {
        PORT_ArenaRelease(poolp, mark);
    } else {
        PORT_ArenaUnmark(poolp, mark);
    }

    return pk;
}

/* add a thumbprint to a private key associated certs list
 * pvk is the area where the list is stored
 * thumb is the thumbprint to copy
 * a return of SECFailure indicates an error
 */
static SECStatus
sec_pkcs12_add_thumbprint(SEC_PKCS12PVKSupportingData *pvk,
                          SGNDigestInfo *thumb)
{
    SGNDigestInfo **thumb_list = NULL;
    int nthumbs, size;
    void *mark, *dummy;
    SECStatus rv = SECFailure;

    if ((pvk == NULL) || (thumb == NULL)) {
        return SECFailure;
    }

    mark = PORT_ArenaMark(pvk->poolp);

    thumb_list = pvk->assocCerts;
    nthumbs = pvk->nThumbs;

    /* allocate list space needed -- either growing or allocating
     * list must be NULL terminated
     */
    size = sizeof(SGNDigestInfo *);
    dummy = PORT_ArenaGrow(pvk->poolp, thumb_list, (size * (nthumbs + 1)),
                           (size * (nthumbs + 2)));
    thumb_list = dummy;
    if (dummy != NULL) {
        thumb_list[nthumbs] = (SGNDigestInfo *)PORT_ArenaZAlloc(pvk->poolp,
                                                                sizeof(SGNDigestInfo));
        if (thumb_list[nthumbs] != NULL) {
            SGN_CopyDigestInfo(pvk->poolp, thumb_list[nthumbs], thumb);
            nthumbs += 1;
            thumb_list[nthumbs] = 0;
        } else {
            dummy = NULL;
        }
    }

    if (dummy == NULL) {
        PORT_ArenaRelease(pvk->poolp, mark);
        return SECFailure;
    }

    pvk->assocCerts = thumb_list;
    pvk->nThumbs = nthumbs;

    PORT_ArenaUnmark(pvk->poolp, mark);
    return SECSuccess;
}

/* search the list of shrouded keys in the baggage for the desired
 * name.  return a pointer to the item.  a return of NULL indicates
 * that no match was present or that an error occurred.
 */
static SEC_PKCS12ESPVKItem *
sec_pkcs12_get_espvk_by_name(SEC_PKCS12Baggage *luggage,
                             SECItem *name)
{
    PRBool found = PR_FALSE;
    SEC_PKCS12ESPVKItem *espvk = NULL;
    int i, j;
    SECComparison rv = SECEqual;
    SECItem *t_name;
    SEC_PKCS12BaggageItem *bag;

    if ((luggage == NULL) || (name == NULL)) {
        return NULL;
    }

    i = 0;
    while ((found == PR_FALSE) && (i < luggage->luggage_size)) {
        j = 0;
        bag = luggage->bags[i];
        while ((found == PR_FALSE) && (j < bag->nEspvks)) {
            espvk = bag->espvks[j];
            if (espvk->poolp == NULL) {
                espvk->poolp = luggage->poolp;
            }
            t_name = SECITEM_DupItem(&espvk->espvkData.nickname);
            if (t_name != NULL) {
                rv = SECITEM_CompareItem(name, t_name);
                if (rv == SECEqual) {
                    found = PR_TRUE;
                }
                SECITEM_FreeItem(t_name, PR_TRUE);
            } else {
                PORT_SetError(SEC_ERROR_NO_MEMORY);
                return NULL;
            }
            j++;
        }
        i++;
    }

    if (found != PR_TRUE) {
        PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
        return NULL;
    }

    return espvk;
}

/* locates a certificate and copies the thumbprint to the
 * appropriate private key
 */
static SECStatus
sec_pkcs12_propagate_thumbprints(SECItem **nicknames,
                                 CERTCertificate **ref_certs,
                                 SEC_PKCS12SafeContents *safe,
                                 SEC_PKCS12Baggage *baggage)
{
    SEC_PKCS12CertAndCRL *cert;
    SEC_PKCS12PrivateKey *key;
    SEC_PKCS12ESPVKItem *espvk;
    int i;
    PRBool error = PR_FALSE;
    SECStatus rv = SECFailure;

    if ((nicknames == NULL) || (safe == NULL)) {
        return SECFailure;
    }

    i = 0;
    while ((nicknames[i] != NULL) && (error == PR_FALSE)) {
        /* process all certs */
        cert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
                                                              SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
                                                              nicknames[i], NULL);
        if (cert != NULL) {
            /* locate key and copy thumbprint */
            key = (SEC_PKCS12PrivateKey *)sec_pkcs12_find_object(safe, baggage,
                                                                 SEC_OID_PKCS12_KEY_BAG_ID,
                                                                 nicknames[i], NULL);
            if (key != NULL) {
                key->pvkData.poolp = key->poolp;
                rv = sec_pkcs12_add_thumbprint(&key->pvkData,
                                               &cert->value.x509->thumbprint);
                if (rv == SECFailure)
                    error = PR_TRUE; /* XXX Set error? */
            }

            /* look in the baggage as well...*/
            if ((baggage != NULL) && (error == PR_FALSE)) {
                espvk = sec_pkcs12_get_espvk_by_name(baggage, nicknames[i]);
                if (espvk != NULL) {
                    espvk->espvkData.poolp = espvk->poolp;
                    rv = sec_pkcs12_add_thumbprint(&espvk->espvkData,
                                                   &cert->value.x509->thumbprint);
                    if (rv == SECFailure)
                        error = PR_TRUE; /* XXX Set error? */
                }
            }
        }
        i++;
    }

    if (error == PR_TRUE) {
        return SECFailure;
    }

    return SECSuccess;
}

/* append a safe bag to the end of the safe contents list */
SECStatus
sec_pkcs12_append_safe_bag(SEC_PKCS12SafeContents *safe,
                           SEC_PKCS12SafeBag *bag)
{
    int size;
    void *mark = NULL, *dummy = NULL;

    if ((bag == NULL) || (safe == NULL))
        return SECFailure;

    mark = PORT_ArenaMark(safe->poolp);

    size = (safe->safe_size * sizeof(SEC_PKCS12SafeBag *));

    if (safe->safe_size > 0) {
        dummy = (SEC_PKCS12SafeBag **)PORT_ArenaGrow(safe->poolp,
                                                     safe->contents,
                                                     size,
                                                     (size + sizeof(SEC_PKCS12SafeBag *)));
        safe->contents = dummy;
    } else {
        safe->contents = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(safe->poolp,
                                                                (2 * sizeof(SEC_PKCS12SafeBag *)));
        dummy = safe->contents;
    }

    if (dummy == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        goto loser;
    }

    safe->contents[safe->safe_size] = bag;
    safe->safe_size++;
    safe->contents[safe->safe_size] = NULL;

    PORT_ArenaUnmark(safe->poolp, mark);
    return SECSuccess;

loser:
    PORT_ArenaRelease(safe->poolp, mark);
    return SECFailure;
}

/* append a certificate onto the end of a cert bag */
static SECStatus
sec_pkcs12_append_cert_to_bag(PLArenaPool *arena,
                              SEC_PKCS12SafeBag *safebag,
                              CERTCertificate *cert,
                              SECItem *nickname)
{
    int size;
    void *dummy = NULL, *mark = NULL;
    SEC_PKCS12CertAndCRL *p12cert;
    SEC_PKCS12CertAndCRLBag *bag;

    if ((arena == NULL) || (safebag == NULL) ||
        (cert == NULL) || (nickname == NULL)) {
        return SECFailure;
    }

    bag = safebag->safeContent.certAndCRLBag;
    if (bag == NULL) {
        return SECFailure;
    }

    mark = PORT_ArenaMark(arena);

    p12cert = sec_pkcs12_get_cert(arena, cert, nickname);
    if (p12cert == NULL) {
        PORT_ArenaRelease(bag->poolp, mark);
        return SECFailure;
    }

    size = bag->bag_size * sizeof(SEC_PKCS12CertAndCRL *);
    if (bag->bag_size > 0) {
        dummy = (SEC_PKCS12CertAndCRL **)PORT_ArenaGrow(bag->poolp,
                                                        bag->certAndCRLs,
                                                        size,
                                                        size + sizeof(SEC_PKCS12CertAndCRL *));
        bag->certAndCRLs = dummy;
    } else {
        bag->certAndCRLs = (SEC_PKCS12CertAndCRL **)PORT_ArenaZAlloc(bag->poolp,
                                                                     (2 * sizeof(SEC_PKCS12CertAndCRL *)));
        dummy = bag->certAndCRLs;
    }

    if (dummy == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        goto loser;
    }

    bag->certAndCRLs[bag->bag_size] = p12cert;
    bag->bag_size++;
    bag->certAndCRLs[bag->bag_size] = NULL;

    PORT_ArenaUnmark(bag->poolp, mark);
    return SECSuccess;

loser:
    PORT_ArenaRelease(bag->poolp, mark);
    return SECFailure;
}

/* append a key onto the end of a list of keys in a key bag */
SECStatus
sec_pkcs12_append_key_to_bag(SEC_PKCS12SafeBag *safebag,
                             SEC_PKCS12PrivateKey *pk)
{
    void *mark, *dummy;
    SEC_PKCS12PrivateKeyBag *bag;
    int size;

    if ((safebag == NULL) || (pk == NULL))
        return SECFailure;

    bag = safebag->safeContent.keyBag;
    if (bag == NULL) {
        return SECFailure;
    }

    mark = PORT_ArenaMark(bag->poolp);

    size = (bag->bag_size * sizeof(SEC_PKCS12PrivateKey *));

    if (bag->bag_size > 0) {
        dummy = (SEC_PKCS12PrivateKey **)PORT_ArenaGrow(bag->poolp,
                                                        bag->privateKeys,
                                                        size,
                                                        size + sizeof(SEC_PKCS12PrivateKey *));
        bag->privateKeys = dummy;
    } else {
        bag->privateKeys = (SEC_PKCS12PrivateKey **)PORT_ArenaZAlloc(bag->poolp,
                                                                     (2 * sizeof(SEC_PKCS12PrivateKey *)));
        dummy = bag->privateKeys;
    }

    if (dummy == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        goto loser;
    }

    bag->privateKeys[bag->bag_size] = pk;
    bag->bag_size++;
    bag->privateKeys[bag->bag_size] = NULL;

    PORT_ArenaUnmark(bag->poolp, mark);
    return SECSuccess;

loser:
    /* XXX Free memory? */
    PORT_ArenaRelease(bag->poolp, mark);
    return SECFailure;
}

/* append a safe bag to the baggage area */
static SECStatus
sec_pkcs12_append_unshrouded_bag(SEC_PKCS12BaggageItem *bag,
                                 SEC_PKCS12SafeBag *u_bag)
{
    int size;
    void *mark = NULL, *dummy = NULL;

    if ((bag == NULL) || (u_bag == NULL))
        return SECFailure;

    mark = PORT_ArenaMark(bag->poolp);

    /* dump things into the first bag */
    size = (bag->nSecrets + 1) * sizeof(SEC_PKCS12SafeBag *);
    dummy = PORT_ArenaGrow(bag->poolp,
                           bag->unencSecrets, size,
                           size + sizeof(SEC_PKCS12SafeBag *));
    bag->unencSecrets = dummy;
    if (dummy == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        goto loser;
    }

    bag->unencSecrets[bag->nSecrets] = u_bag;
    bag->nSecrets++;
    bag->unencSecrets[bag->nSecrets] = NULL;

    PORT_ArenaUnmark(bag->poolp, mark);
    return SECSuccess;

loser:
    PORT_ArenaRelease(bag->poolp, mark);
    return SECFailure;
}

/* gather up all certificates and keys and package them up
 * in the safe, baggage, or both.
 * nicknames is the list of nicknames and corresponding certs in ref_certs
 * ref_certs a null terminated list of certificates
 * rSafe, rBaggage -- return areas for safe and baggage
 * shroud_keys -- store keys externally
 * pwitem -- password for computing integrity mac and encrypting contents
 * wincx -- window handle
 *
 * if a failure occurs, an error is set and SECFailure returned.
 */
static SECStatus
sec_pkcs12_package_certs_and_keys(SECItem **nicknames,
                                  CERTCertificate **ref_certs,
                                  PRBool unencryptedCerts,
                                  SEC_PKCS12SafeContents **rSafe,
                                  SEC_PKCS12Baggage **rBaggage,
                                  PRBool shroud_keys,
                                  SECOidTag shroud_alg,
                                  SECItem *pwitem,
                                  PKCS12UnicodeConvertFunction unicodeFn,
                                  void *wincx)
{
    PLArenaPool *permArena;
    SEC_PKCS12SafeContents *safe = NULL;
    SEC_PKCS12Baggage *baggage = NULL;

    SECStatus rv = SECFailure;
    PRBool problem = PR_FALSE;

    SEC_PKCS12ESPVKItem *espvk = NULL;
    SEC_PKCS12PrivateKey *pk = NULL;
    CERTCertificate *add_cert = NULL;
    SEC_PKCS12SafeBag *certbag = NULL, *keybag = NULL;
    SEC_PKCS12BaggageItem *external_bag = NULL;
    int ncerts = 0, nkeys = 0;
    int i;

    if ((nicknames == NULL) || (rSafe == NULL) || (rBaggage == NULL)) {
        return SECFailure;
    }

    *rBaggage = baggage;
    *rSafe = safe;

    permArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (permArena == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return SECFailure;
    }

    /* allocate structures */
    safe = sec_pkcs12_create_safe_contents(permArena);
    if (safe == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        rv = SECFailure;
        goto loser;
    }

    certbag = sec_pkcs12_create_safe_bag(permArena,
                                         SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID);
    if (certbag == NULL) {
        rv = SECFailure;
        goto loser;
    }

    if (shroud_keys != PR_TRUE) {
        keybag = sec_pkcs12_create_safe_bag(permArena,
                                            SEC_OID_PKCS12_KEY_BAG_ID);
        if (keybag == NULL) {
            rv = SECFailure;
            goto loser;
        }
    }

    if ((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
        baggage = sec_pkcs12_create_baggage(permArena);
        if (baggage == NULL) {
            rv = SECFailure;
            goto loser;
        }
        external_bag = sec_pkcs12_create_external_bag(baggage);
    }

    /* package keys and certs */
    i = 0;
    while ((nicknames[i] != NULL) && (problem == PR_FALSE)) {
        if (ref_certs[i] != NULL) {
            /* append cert to bag o certs */
            rv = sec_pkcs12_append_cert_to_bag(permArena, certbag,
                                               ref_certs[i],
                                               nicknames[i]);
            if (rv == SECFailure) {
                problem = PR_FALSE;
            } else {
                ncerts++;
            }

            if (rv == SECSuccess) {
                /* package up them keys */
                if (shroud_keys == PR_TRUE) {
                    espvk = sec_pkcs12_get_shrouded_key(permArena,
                                                        nicknames[i],
                                                        ref_certs[i],
                                                        shroud_alg,
                                                        pwitem, unicodeFn,
                                                        wincx);
                    if (espvk != NULL) {
                        rv = sec_pkcs12_append_shrouded_key(external_bag, espvk);
                        SECITEM_CopyItem(permArena, &espvk->derCert,
                                         &ref_certs[i]->derCert);
                    } else {
                        rv = SECFailure;
                    }
                } else {
                    pk = sec_pkcs12_get_private_key(permArena, nicknames[i],
                                                    ref_certs[i], wincx);
                    if (pk != NULL) {
                        rv = sec_pkcs12_append_key_to_bag(keybag, pk);
                        SECITEM_CopyItem(permArena, &espvk->derCert,
                                         &ref_certs[i]->derCert);
                    } else {
                        rv = SECFailure;
                    }
                }

                if (rv == SECFailure) {
                    problem = PR_TRUE;
                } else {
                    nkeys++;
                }
            }
        } else {
            /* handle only keys here ? */
            problem = PR_TRUE;
        }
        i++;
    }

/* let success fall through */
loser:
    if (problem == PR_FALSE) {
        /* if we have certs, we want to append the cert bag to the
         * appropriate area
         */
        if (ncerts > 0) {
            if (unencryptedCerts != PR_TRUE) {
                rv = sec_pkcs12_append_safe_bag(safe, certbag);
            } else {
                rv = sec_pkcs12_append_unshrouded_bag(external_bag, certbag);
            }
        } else {
            rv = SECSuccess;
        }

        /* append key bag, if they are stored in safe contents */
        if ((rv == SECSuccess) && (shroud_keys == PR_FALSE) && (nkeys > 0)) {
            rv = sec_pkcs12_append_safe_bag(safe, keybag);
        }
    } else {
        rv = SECFailure;
    }

    /* if baggage not used, NULLify it */
    if ((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
        if (((unencryptedCerts == PR_TRUE) && (ncerts == 0)) &&
            ((shroud_keys == PR_TRUE) && (nkeys == 0)))
            baggage = NULL;
    } else {
        baggage = NULL;
    }

    if ((problem == PR_TRUE) || (rv == SECFailure)) {
        PORT_FreeArena(permArena, PR_TRUE);
        rv = SECFailure;
        baggage = NULL;
        safe = NULL;
    }

    *rBaggage = baggage;
    *rSafe = safe;

    return rv;
}

/* DER encode the safe contents and return a SECItem.  if an error
 * occurs, NULL is returned.
 */
static SECItem *
sec_pkcs12_encode_safe_contents(SEC_PKCS12SafeContents *safe)
{
    SECItem *dsafe = NULL, *tsafe;
    void *dummy = NULL;
    PLArenaPool *arena;

    if (safe == NULL) {
        return NULL;
    }

    /*    rv = sec_pkcs12_prepare_for_der_code_safe(safe, PR_TRUE);
    if(rv != SECSuccess) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return NULL;
    }*/

    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (arena == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return NULL;
    }

    tsafe = (SECItem *)PORT_ArenaZAlloc(arena, sizeof(SECItem));
    if (tsafe != NULL) {
        dummy = SEC_ASN1EncodeItem(arena, tsafe, safe,
                                   SEC_PKCS12SafeContentsTemplate);
        if (dummy != NULL) {
            dsafe = SECITEM_DupItem(tsafe);
        } else {
            PORT_SetError(SEC_ERROR_NO_MEMORY);
        }
    } else {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
    }

    PORT_FreeArena(arena, PR_TRUE);

    return dsafe;
}

/* prepare the authenicated safe for encoding and encode it.
 *   baggage is copied to the appropriate area, safe is encoded and
 *   encrypted.  the version and transport mode are set on the asafe.
 *   the whole ball of wax is then der encoded and packaged up into
 *   data content info
 * safe -- container of certs and keys, is encrypted.
 * baggage -- container of certs and keys, keys assumed to be encrypted by
 *    another method, certs are in the clear
 * algorithm -- algorithm by which to encrypt safe
 * pwitem -- password for encryption
 * wincx - window handle
 *
 * return of NULL is an error condition.
 */
static SEC_PKCS7ContentInfo *
sec_pkcs12_get_auth_safe(SEC_PKCS12SafeContents *safe,
                         SEC_PKCS12Baggage *baggage,
                         SECOidTag algorithm,
                         SECItem *pwitem,
                         PKCS12UnicodeConvertFunction unicodeFn,
                         void *wincx)
{
    SECItem *src = NULL, *dest = NULL, *psalt = NULL;
    PLArenaPool *poolp;
    SEC_PKCS12AuthenticatedSafe *asafe;
    SEC_PKCS7ContentInfo *safe_cinfo = NULL;
    SEC_PKCS7ContentInfo *asafe_cinfo = NULL;
    void *dummy;
    SECStatus rv = SECSuccess;
    PRBool swapUnicodeBytes = PR_FALSE;

#ifdef IS_LITTLE_ENDIAN
    swapUnicodeBytes = PR_TRUE;
#endif

    if (((safe != NULL) && (pwitem == NULL)) && (baggage == NULL))
        return NULL;

    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (poolp == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return NULL;
    }

    /* prepare authenticated safe for encode */
    asafe = sec_pkcs12_new_asafe(poolp);
    if (asafe != NULL) {

        /* set version */
        dummy = SEC_ASN1EncodeInteger(asafe->poolp, &asafe->version,
                                      SEC_PKCS12_PFX_VERSION);
        if (dummy == NULL) {
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            rv = SECFailure;
            goto loser;
        }

        /* generate the privacy salt used to create virtual pwd */
        psalt = sec_pkcs12_generate_salt();
        if (psalt != NULL) {
            rv = SECITEM_CopyItem(asafe->poolp, &asafe->privacySalt,
                                  psalt);
            if (rv == SECSuccess) {
                asafe->privacySalt.len *= 8;
            } else {
                SECITEM_ZfreeItem(psalt, PR_TRUE);
                PORT_SetError(SEC_ERROR_NO_MEMORY);
                goto loser;
            }
        }

        if ((psalt == NULL) || (rv == SECFailure)) {
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            rv = SECFailure;
            goto loser;
        }

        /* package up safe contents */
        if (safe != NULL) {
            safe_cinfo = SEC_PKCS7CreateEncryptedData(algorithm, NULL, wincx);
            if ((safe_cinfo != NULL) && (safe->safe_size > 0)) {
                /* encode the safe and encrypt the contents of the
                 * content info
                 */
                src = sec_pkcs12_encode_safe_contents(safe);

                if (src != NULL) {
                    rv = SEC_PKCS7SetContent(safe_cinfo, (char *)src->data, src->len);
                    SECITEM_ZfreeItem(src, PR_TRUE);
                    if (rv == SECSuccess) {
                        SECItem *vpwd;
                        vpwd = sec_pkcs12_create_virtual_password(pwitem, psalt,
                                                                  unicodeFn, swapUnicodeBytes);
                        if (vpwd != NULL) {
                            rv = SEC_PKCS7EncryptContents(NULL, safe_cinfo,
                                                          vpwd, wincx);
                            SECITEM_ZfreeItem(vpwd, PR_TRUE);
                        } else {
                            rv = SECFailure;
                            PORT_SetError(SEC_ERROR_NO_MEMORY);
                        }
                    } else {
                        PORT_SetError(SEC_ERROR_NO_MEMORY);
                    }
                } else {
                    rv = SECFailure;
                }
            } else if (safe->safe_size > 0) {
                PORT_SetError(SEC_ERROR_NO_MEMORY);
                goto loser;
            } else {
                /* case where there is NULL content in the safe contents */
                rv = SEC_PKCS7SetContent(safe_cinfo, NULL, 0);
                if (rv != SECFailure) {
                    PORT_SetError(SEC_ERROR_NO_MEMORY);
                }
            }

            if (rv != SECSuccess) {
                SEC_PKCS7DestroyContentInfo(safe_cinfo);
                safe_cinfo = NULL;
                goto loser;
            }

            asafe->safe = safe_cinfo;
            /*
            PORT_Memcpy(&asafe->safe, safe_cinfo, sizeof(*safe_cinfo));
            */
        }

        /* copy the baggage to the authenticated safe baggage if present */
        if (baggage != NULL) {
            PORT_Memcpy(&asafe->baggage, baggage, sizeof(*baggage));
        }

        /* encode authenticated safe and store it in a Data content info */
        dest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem));
        if (dest != NULL) {
            dummy = SEC_ASN1EncodeItem(poolp, dest, asafe,
                                       SEC_PKCS12AuthenticatedSafeTemplate);
            if (dummy != NULL) {
                asafe_cinfo = SEC_PKCS7CreateData();
                if (asafe_cinfo != NULL) {
                    rv = SEC_PKCS7SetContent(asafe_cinfo,
                                             (char *)dest->data,
                                             dest->len);
                    if (rv != SECSuccess) {
                        PORT_SetError(SEC_ERROR_NO_MEMORY);
                        SEC_PKCS7DestroyContentInfo(asafe_cinfo);
                        asafe_cinfo = NULL;
                    }
                }
            } else {
                PORT_SetError(SEC_ERROR_NO_MEMORY);
                rv = SECFailure;
            }
        }
    }

loser:
    PORT_FreeArena(poolp, PR_TRUE);
    if (safe_cinfo != NULL) {
        SEC_PKCS7DestroyContentInfo(safe_cinfo);
    }
    if (psalt != NULL) {
        SECITEM_ZfreeItem(psalt, PR_TRUE);
    }

    if (rv == SECFailure) {
        return NULL;
    }

    return asafe_cinfo;
}

/* generates the PFX and computes the mac on the authenticated safe
 * NULL implies an error
 */
static SEC_PKCS12PFXItem *
sec_pkcs12_get_pfx(SEC_PKCS7ContentInfo *cinfo,
                   PRBool do_mac,
                   SECItem *pwitem, PKCS12UnicodeConvertFunction unicodeFn)
{
    SECItem *dest = NULL, *mac = NULL, *salt = NULL, *key = NULL;
    SEC_PKCS12PFXItem *pfx;
    SECStatus rv = SECFailure;
    SGNDigestInfo *di;
    SECItem *vpwd;
    PRBool swapUnicodeBytes = PR_FALSE;

#ifdef IS_LITTLE_ENDIAN
    swapUnicodeBytes = PR_TRUE;
#endif

    if ((cinfo == NULL) || ((do_mac == PR_TRUE) && (pwitem == NULL))) {
        return NULL;
    }

    /* allocate new pfx structure */
    pfx = sec_pkcs12_new_pfx();
    if (pfx == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return NULL;
    }

    PORT_Memcpy(&pfx->authSafe, cinfo, sizeof(*cinfo));
    if (do_mac == PR_TRUE) {

        /* salt for computing mac */
        salt = sec_pkcs12_generate_salt();
        if (salt != NULL) {
            rv = SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, salt);
            pfx->macData.macSalt.len *= 8;

            vpwd = sec_pkcs12_create_virtual_password(pwitem, salt,
                                                      unicodeFn, swapUnicodeBytes);
            if (vpwd == NULL) {
                rv = SECFailure;
                key = NULL;
            } else {
                key = sec_pkcs12_generate_key_from_password(SEC_OID_SHA1,
                                                            salt, vpwd);
                SECITEM_ZfreeItem(vpwd, PR_TRUE);
            }

            if ((key != NULL) && (rv == SECSuccess)) {
                dest = SEC_PKCS7GetContent(cinfo);
                if (dest != NULL) {

                    /* compute mac on data -- for password integrity mode */
                    mac = sec_pkcs12_generate_mac(key, dest, PR_FALSE);
                    if (mac != NULL) {
                        di = SGN_CreateDigestInfo(SEC_OID_SHA1,
                                                  mac->data, mac->len);
                        if (di != NULL) {
                            rv = SGN_CopyDigestInfo(pfx->poolp,
                                                    &pfx->macData.safeMac, di);
                            SGN_DestroyDigestInfo(di);
                        } else {
                            PORT_SetError(SEC_ERROR_NO_MEMORY);
                        }
                        SECITEM_ZfreeItem(mac, PR_TRUE);
                    }
                } else {
                    rv = SECFailure;
                }
            } else {
                PORT_SetError(SEC_ERROR_NO_MEMORY);
                rv = SECFailure;
            }

            if (key != NULL) {
                SECITEM_ZfreeItem(key, PR_TRUE);
            }
            SECITEM_ZfreeItem(salt, PR_TRUE);
        }
    }

    if (rv == SECFailure) {
        SEC_PKCS12DestroyPFX(pfx);
        pfx = NULL;
    }

    return pfx;
}

/* der encode the pfx */
static SECItem *
sec_pkcs12_encode_pfx(SEC_PKCS12PFXItem *pfx)
{
    SECItem *dest;
    void *dummy;

    if (pfx == NULL) {
        return NULL;
    }

    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
    if (dest == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return NULL;
    }

    dummy = SEC_ASN1EncodeItem(NULL, dest, pfx, SEC_PKCS12PFXItemTemplate);
    if (dummy == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        SECITEM_ZfreeItem(dest, PR_TRUE);
        dest = NULL;
    }

    return dest;
}

SECItem *
SEC_PKCS12GetPFX(char **nicknames,
                 CERTCertificate **ref_certs,
                 PRBool shroud_keys,
                 SEC_PKCS5GetPBEPassword pbef,
                 void *pbearg,
                 PKCS12UnicodeConvertFunction unicodeFn,
                 void *wincx)
{
    SECItem **nicks = NULL;
    SEC_PKCS12PFXItem *pfx = NULL;
    SEC_PKCS12Baggage *baggage = NULL;
    SEC_PKCS12SafeContents *safe = NULL;
    SEC_PKCS7ContentInfo *cinfo = NULL;
    SECStatus rv = SECFailure;
    SECItem *dest = NULL, *pwitem = NULL;
    PRBool problem = PR_FALSE;
    PRBool unencryptedCerts;
    SECOidTag shroud_alg, safe_alg;

    /* how should we encrypt certs ? */
    unencryptedCerts = !SEC_PKCS12IsEncryptionAllowed();
    if (!unencryptedCerts) {
        safe_alg = SEC_PKCS12GetPreferredEncryptionAlgorithm();
        if (safe_alg == SEC_OID_UNKNOWN) {
            safe_alg = SEC_PKCS12GetStrongestAllowedAlgorithm();
        }
        if (safe_alg == SEC_OID_UNKNOWN) {
            unencryptedCerts = PR_TRUE;
            /* for export where no encryption is allowed, we still need
             * to encrypt the NULL contents per the spec.  encrypted info
             * is known plaintext, so it shouldn't be a problem.
             */
            safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
        }
    } else {
        /* for export where no encryption is allowed, we still need
         * to encrypt the NULL contents per the spec.  encrypted info
         * is known plaintext, so it shouldn't be a problem.
         */
        safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
    }

    /* keys are always stored with triple DES */
    shroud_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;

    /* check for FIPS, if so, do not encrypt certs */
    if (PK11_IsFIPS() && !unencryptedCerts) {
        unencryptedCerts = PR_TRUE;
    }

    if ((nicknames == NULL) || (pbef == NULL) || (ref_certs == NULL)) {
        problem = PR_TRUE;
        goto loser;
    }

    /* get password */
    pwitem = (*pbef)(pbearg);
    if (pwitem == NULL) {
        problem = PR_TRUE;
        goto loser;
    }
    nicks = sec_pkcs12_convert_nickname_list(nicknames);

    /* get safe and baggage */
    rv = sec_pkcs12_package_certs_and_keys(nicks, ref_certs, unencryptedCerts,
                                           &safe, &baggage, shroud_keys,
                                           shroud_alg, pwitem, unicodeFn, wincx);
    if (rv == SECFailure) {
        problem = PR_TRUE;
    }

    if ((safe != NULL) && (problem == PR_FALSE)) {
        /* copy thumbprints */
        rv = sec_pkcs12_propagate_thumbprints(nicks, ref_certs, safe, baggage);

        /* package everything up into AuthenticatedSafe */
        cinfo = sec_pkcs12_get_auth_safe(safe, baggage,
                                         safe_alg, pwitem, unicodeFn, wincx);

        sec_pkcs12_destroy_cert_content_infos(safe, baggage);

        /* get the pfx and mac it */
        if (cinfo != NULL) {
            pfx = sec_pkcs12_get_pfx(cinfo, PR_TRUE, pwitem, unicodeFn);
            if (pfx != NULL) {
                dest = sec_pkcs12_encode_pfx(pfx);
                SEC_PKCS12DestroyPFX(pfx);
            }
            SEC_PKCS7DestroyContentInfo(cinfo);
        }

        if (safe != NULL) {
            PORT_FreeArena(safe->poolp, PR_TRUE);
        }
    } else {
        if (safe != NULL) {
            PORT_FreeArena(safe->poolp, PR_TRUE);
        }
    }

loser:
    if (nicks != NULL) {
        sec_pkcs12_destroy_nickname_list(nicks);
    }

    if (ref_certs != NULL) {
        sec_pkcs12_destroy_certificate_list(ref_certs);
    }

    if (pwitem != NULL) {
        SECITEM_ZfreeItem(pwitem, PR_TRUE);
    }

    if (problem == PR_TRUE) {
        dest = NULL;
    }

    return dest;
}