bluez5_utils-5.62/ell/cert.c

/*
 *  Embedded Linux library
 *
 *  Copyright (C) 2018  Intel Corporation. All rights reserved.
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; either
 *  version 2.1 of the License, or (at your option) any later version.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <string.h>
#include <stdio.h>
#include <errno.h>

#include "private.h"
#include "useful.h"
#include "key.h"
#include "queue.h"
#include "asn1-private.h"
#include "cipher.h"
#include "pem-private.h"
#include "cert.h"
#include "cert-private.h"
#include "tls.h"
#include "tls-private.h"
#include "missing.h"

#define X509_CERTIFICATE_POS			0
#define   X509_TBSCERTIFICATE_POS		  0
#define     X509_TBSCERT_VERSION_POS		    ASN1_CONTEXT_EXPLICIT(0)
#define     X509_TBSCERT_SERIAL_POS		    0
#define     X509_TBSCERT_SIGNATURE_POS		    1
#define       X509_ALGORITHM_ID_ALGORITHM_POS	      0
#define       X509_ALGORITHM_ID_PARAMS_POS	      1
#define     X509_TBSCERT_ISSUER_DN_POS		    2
#define     X509_TBSCERT_VALIDITY_POS		    3
#define     X509_TBSCERT_SUBJECT_DN_POS		    4
#define     X509_TBSCERT_SUBJECT_KEY_POS	    5
#define       X509_SUBJECT_KEY_ALGORITHM_POS	      0
#define       X509_SUBJECT_KEY_VALUE_POS	      1
#define     X509_TBSCERT_ISSUER_UID_POS		    ASN1_CONTEXT_IMPLICIT(1)
#define     X509_TBSCERT_SUBJECT_UID_POS	    ASN1_CONTEXT_IMPLICIT(2)
#define     X509_TBSCERT_EXTENSIONS_POS		    ASN1_CONTEXT_EXPLICIT(3)
#define   X509_SIGNATURE_ALGORITHM_POS		  1
#define   X509_SIGNATURE_VALUE_POS		  2

struct l_cert {
	enum l_cert_key_type pubkey_type;
	struct l_cert *issuer;
	struct l_cert *issued;
	size_t asn1_len;
	uint8_t asn1[0];
};

struct l_certchain {
	struct l_cert *leaf;	/* Bottom of the doubly-linked list */
	struct l_cert *ca;	/* Top of the doubly-linked list */
};

static const struct pkcs1_encryption_oid {
	enum l_cert_key_type key_type;
	struct asn1_oid oid;
} pkcs1_encryption_oids[] = {
	{ /* rsaEncryption */
		L_CERT_KEY_RSA,
		{ 9, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01 } },
	},
};

static bool cert_set_pubkey_type(struct l_cert *cert)
{
	const uint8_t *key_type;
	size_t key_type_len;
	int i;

	key_type = asn1_der_find_elem_by_path(cert->asn1, cert->asn1_len,
						ASN1_ID_OID, &key_type_len,
						X509_CERTIFICATE_POS,
						X509_TBSCERTIFICATE_POS,
						X509_TBSCERT_SUBJECT_KEY_POS,
						X509_SUBJECT_KEY_ALGORITHM_POS,
						X509_ALGORITHM_ID_ALGORITHM_POS,
						-1);
	if (!key_type)
		return false;

	for (i = 0; i < (int) L_ARRAY_SIZE(pkcs1_encryption_oids); i++)
		if (asn1_oid_eq(&pkcs1_encryption_oids[i].oid,
					key_type_len, key_type))
			break;

	if (i == L_ARRAY_SIZE(pkcs1_encryption_oids))
		cert->pubkey_type = L_CERT_KEY_UNKNOWN;
	else
		cert->pubkey_type = pkcs1_encryption_oids[i].key_type;

	return true;
}

LIB_EXPORT struct l_cert *l_cert_new_from_der(const uint8_t *buf,
						size_t buf_len)
{
	const uint8_t *seq = buf;
	size_t seq_len = buf_len;
	size_t content_len;
	struct l_cert *cert;

	/* Sanity check: outer element is a SEQUENCE */
	if (seq_len-- < 1 || *seq++ != ASN1_ID_SEQUENCE)
		return NULL;

	/* Sanity check: the SEQUENCE spans the whole buffer */
	content_len = asn1_parse_definite_length(&seq, &seq_len);
	if (content_len < 64 || content_len != seq_len)
		return NULL;

	/*
	 * We could require the signature algorithm and the key algorithm
	 * to be one of our supported types here but instead we only
	 * require that when the user wants to verify this certificate or
	 * get the public key respectively.
	 */

	cert = l_malloc(sizeof(struct l_cert) + buf_len);
	cert->issuer = NULL;
	cert->issued = NULL;
	cert->asn1_len = buf_len;
	memcpy(cert->asn1, buf, buf_len);

	/* Sanity check: structure is correct up to the Public Key Algorithm */
	if (!cert_set_pubkey_type(cert)) {
		l_free(cert);
		return NULL;
	}

	return cert;
}

LIB_EXPORT void l_cert_free(struct l_cert *cert)
{
	l_free(cert);
}

LIB_EXPORT const uint8_t *l_cert_get_der_data(struct l_cert *cert,
						size_t *out_len)
{
	if (unlikely(!cert))
		return NULL;

	*out_len = cert->asn1_len;
	return cert->asn1;
}

LIB_EXPORT const uint8_t *l_cert_get_dn(struct l_cert *cert, size_t *out_len)
{
	if (unlikely(!cert))
		return NULL;

	return asn1_der_find_elem_by_path(cert->asn1, cert->asn1_len,
						ASN1_ID_SEQUENCE, out_len,
						X509_CERTIFICATE_POS,
						X509_TBSCERTIFICATE_POS,
						X509_TBSCERT_SUBJECT_DN_POS,
						-1);
}

const uint8_t *cert_get_extension(struct l_cert *cert,
					const struct asn1_oid *ext_id,
					bool *out_critical, size_t *out_len)
{
	const uint8_t *ext, *end;
	size_t ext_len;

	if (unlikely(!cert))
		return NULL;

	ext = asn1_der_find_elem_by_path(cert->asn1, cert->asn1_len,
						ASN1_ID_SEQUENCE, &ext_len,
						X509_CERTIFICATE_POS,
						X509_TBSCERTIFICATE_POS,
						X509_TBSCERT_EXTENSIONS_POS,
						-1);
	if (unlikely(!ext))
		return NULL;

	end = ext + ext_len;
	while (ext < end) {
		const uint8_t *seq, *oid, *data;
		uint8_t tag;
		size_t len, oid_len, data_len;
		bool critical;

		seq = asn1_der_find_elem(ext, end - ext, 0, &tag, &len);
		if (unlikely(!seq || tag != ASN1_ID_SEQUENCE))
			return false;

		ext = seq + len;

		oid = asn1_der_find_elem(seq, len, 0, &tag, &oid_len);
		if (unlikely(!oid || tag != ASN1_ID_OID))
			return false;

		if (!asn1_oid_eq(ext_id, oid_len, oid))
			continue;

		data = asn1_der_find_elem(seq, len, 1, &tag, &data_len);
		critical = false;

		if (data && tag == ASN1_ID_BOOLEAN) {
			if (data_len != 1)
				return false;

			critical = *data != 0;	/* Tolerate BER booleans */

			data = asn1_der_find_elem(seq, len, 2, &tag, &data_len);
		}

		if (unlikely(!data || tag != ASN1_ID_OCTET_STRING))
			return false;

		if (out_critical)
			*out_critical = critical;

		if (out_len)
			*out_len = data_len;

		return data;
	}

	return NULL;
}

LIB_EXPORT enum l_cert_key_type l_cert_get_pubkey_type(struct l_cert *cert)
{
	if (unlikely(!cert))
		return L_CERT_KEY_UNKNOWN;

	return cert->pubkey_type;
}

/*
 * Note: Returns a new l_key object to be freed by the caller.
 */
LIB_EXPORT struct l_key *l_cert_get_pubkey(struct l_cert *cert)
{
	if (unlikely(!cert))
		return NULL;

	/* Use kernel's ASN.1 certificate parser to find the key data for us */
	if (cert->pubkey_type == L_CERT_KEY_RSA)
		return l_key_new(L_KEY_RSA, cert->asn1, cert->asn1_len);

	return NULL;
}

/*
 * Note: takes ownership of the certificate.  The certificate is
 * assumed to be new and not linked into any certchain object.
 */
struct l_certchain *certchain_new_from_leaf(struct l_cert *leaf)
{
	struct l_certchain *chain;

	chain = l_new(struct l_certchain, 1);
	chain->leaf = leaf;
	chain->ca = leaf;
	return chain;
}

/*
 * Note: takes ownership of the certificate.  The certificate is
 * assumed to be new and not linked into any certchain object.
 */
void certchain_link_issuer(struct l_certchain *chain, struct l_cert *ca)
{
	ca->issued = chain->ca;
	chain->ca->issuer = ca;
	chain->ca = ca;
}

static struct l_cert *certchain_pop_ca(struct l_certchain *chain)
{
	struct l_cert *ca = chain->ca;

	if (!ca)
		return NULL;

	if (ca->issued) {
		chain->ca = ca->issued;
		ca->issued->issuer = NULL;
		ca->issued = NULL;
	} else {
		chain->ca = NULL;
		chain->leaf = NULL;
	}

	return ca;
}

LIB_EXPORT void l_certchain_free(struct l_certchain *chain)
{
	while (chain && chain->ca)
		l_cert_free(certchain_pop_ca(chain));

	l_free(chain);
}

LIB_EXPORT struct l_cert *l_certchain_get_leaf(struct l_certchain *chain)
{
	if (unlikely(!chain))
		return NULL;

	return chain->leaf;
}

/*
 * Call @cb for each certificate in the chain starting from the leaf
 * certificate.  Stop if a call returns @true.
 */
LIB_EXPORT void l_certchain_walk_from_leaf(struct l_certchain *chain,
						l_cert_walk_cb_t cb,
						void *user_data)
{
	struct l_cert *cert;

	if (unlikely(!chain))
		return;

	for (cert = chain->leaf; cert; cert = cert->issuer)
		if (cb(cert, user_data))
			break;
}

/*
 * Call @cb for each certificate in the chain starting from the root
 * certificate.  Stop if a call returns @true.
 */
LIB_EXPORT void l_certchain_walk_from_ca(struct l_certchain *chain,
						l_cert_walk_cb_t cb,
						void *user_data)
{
	struct l_cert *cert;

	if (unlikely(!chain))
		return;

	for (cert = chain->ca; cert; cert = cert->issued)
		if (cb(cert, user_data))
			break;
}

static struct l_keyring *cert_set_to_keyring(struct l_queue *certs, char *error)
{
	struct l_keyring *ring;
	const struct l_queue_entry *entry;
	int i = 1;

	ring = l_keyring_new();
	if (!ring)
		return NULL;

	for (entry = l_queue_get_entries(certs); entry; entry = entry->next) {
		struct l_cert *cert = entry->data;
		struct l_key *key = l_cert_get_pubkey(cert);

		if (!key) {
			sprintf(error, "Can't get public key from certificate "
				"%i / %i in certificate set", i,
				l_queue_length(certs));
			goto cleanup;
		}

		if (!l_keyring_link(ring, key)) {
			l_key_free(key);
			sprintf(error, "Can't link the public key from "
				"certificate %i / %i to target keyring",
				i, l_queue_length(certs));
			goto cleanup;
		}

		l_key_free_norevoke(key);
		i++;
	}

	return ring;

cleanup:
	l_keyring_free(ring);
	return NULL;
}

static bool cert_is_in_set(struct l_cert *cert, struct l_queue *set)
{
	const struct l_queue_entry *entry;

	for (entry = l_queue_get_entries(set); entry; entry = entry->next) {
		struct l_cert *cert2 = entry->data;

		if (cert == cert2)
			return true;

		if (cert->asn1_len == cert2->asn1_len &&
				!memcmp(cert->asn1, cert2->asn1,
					cert->asn1_len))
			return true;
	}

	return false;
}

static struct l_key *cert_try_link(struct l_cert *cert, struct l_keyring *ring)
{
	struct l_key *key;

	key = l_key_new(L_KEY_RSA, cert->asn1, cert->asn1_len);
	if (!key)
		return NULL;

	if (l_keyring_link(ring, key))
		return key;

	l_key_free(key);
	return NULL;
}

#define RETURN_ERROR(msg, args...)	\
	do {	\
		if (error) {	\
			*error = error_buf;	\
			snprintf(error_buf, sizeof(error_buf), msg, ## args); \
		}	\
		return false;	\
	} while (0)

LIB_EXPORT bool l_certchain_verify(struct l_certchain *chain,
					struct l_queue *ca_certs,
					const char **error)
{
	struct l_keyring *ca_ring = NULL;
	_auto_(l_keyring_free) struct l_keyring *verify_ring = NULL;
	struct l_cert *cert;
	struct l_key *prev_key = NULL;
	int verified = 0;
	int ca_match = 0;
	int i = 0;
	static char error_buf[200];

	if (unlikely(!chain || !chain->leaf))
		RETURN_ERROR("Chain empty");

	verify_ring = l_keyring_new();
	if (!verify_ring)
		RETURN_ERROR("Can't create verify keyring");

	for (cert = chain->ca; cert; cert = cert->issued, i++)
		if (cert_is_in_set(cert, ca_certs)) {
			ca_match = i + 1;
			break;
		}

	cert = chain->ca;

	/*
	 * For TLS compatibility the trusted root CA certificate is
	 * optionally present in the chain.
	 *
	 * RFC5246 7.4.2:
	 * "Because certificate validation requires that root keys be
	 * distributed independently, the self-signed certificate that
	 * specifies the root certificate authority MAY be omitted from
	 * the chain, under the assumption that the remote end must
	 * already possess it in order to validate it in any case."
	 *
	 * The following is an optimization to skip verifying the root
	 * cert in the chain if it is bitwise-identical to one of the
	 * trusted CA certificates.  In that case we don't have to load
	 * all of the trusted certificates into the kernel, link them
	 * to @ca_ring or link @ca_ring to @verify_ring, instead we
	 * load the first certificate into @verify_ring before we set
	 * the restric mode on it, same as when no trusted CAs are
	 * provided.
	 *
	 * Note this happens to work around a kernel issue preventing
	 * self-signed certificates missing the optional AKID extension
	 * from being linked to a restricted keyring.  That issue would
	 * have affected us if the trusted CA set included such
	 * certificate and the same certificate was at the root of
	 * the chain.
	 */
	if (ca_certs && !ca_match) {
		ca_ring = cert_set_to_keyring(ca_certs, error_buf);
		if (!ca_ring) {
			if (error)
				*error = error_buf;
			return false;
		}

		if (!l_keyring_link_nested(verify_ring, ca_ring)) {
			l_keyring_free(ca_ring);
			RETURN_ERROR("Can't link CA ring to verify ring");
		}
	} else
		prev_key = cert_try_link(cert, verify_ring);

	/*
	 * The top, unverified certificate(s) are linked to the keyring and
	 * we can now force verification of any new certificates linked.
	 */
	if (!l_keyring_restrict(verify_ring, L_KEYRING_RESTRICT_ASYM_CHAIN,
				NULL)) {
		l_key_free(prev_key);
		l_keyring_free(ca_ring);
		RETURN_ERROR("Can't restrict verify keyring");
	}

	if (ca_ring) {
		/*
		 * Verify the first certificate outside of the loop, then
		 * revoke the trusted CAs' keys so that only the newly
		 * verified cert's public key remains in the ring.
		 */
		prev_key = cert_try_link(cert, verify_ring);
		l_keyring_free(ca_ring);
	}

	cert = cert->issued;

	/* Verify the rest of the chain */
	while (prev_key && cert) {
		struct l_key *new_key = cert_try_link(cert, verify_ring);

		/*
		 * Free and revoke the issuer's public key again leaving only
		 * new_key in verify_ring to ensure the next certificate linked
		 * is signed by the owner of this key.
		 */
		l_key_free(prev_key);
		prev_key = new_key;
		cert = cert->issued;
		verified++;
	}

	if (!prev_key) {
		int total = 0;
		char str[100];

		for (cert = chain->ca; cert; cert = cert->issued, total++);

		if (ca_match)
			snprintf(str, sizeof(str), "%i / %i matched a trusted "
					"certificate, root not verified",
					ca_match, total);
		else
			snprintf(str, sizeof(str), "root %sverified against "
					"trusted CA(s)",
					ca_certs && !ca_match && verified ? "" :
					"not ");

		RETURN_ERROR("Linking certificate %i / %i failed, %s",
				verified + 1, total, str);
	}

	l_key_free(prev_key);
	return true;
}

struct l_key *cert_key_from_pkcs8_private_key_info(const uint8_t *der,
							size_t der_len)
{
	return l_key_new(L_KEY_RSA, der, der_len);
}

/*
 * The passphrase, if given, must have been validated as UTF-8 unless the
 * caller knows that PKCS#12 encryption algorithms are not used.
 * Use l_utf8_validate.
 */
struct l_key *cert_key_from_pkcs8_encrypted_private_key_info(const uint8_t *der,
							size_t der_len,
							const char *passphrase)
{
	const uint8_t *key_info, *alg_id, *data;
	uint8_t tag;
	size_t key_info_len, alg_id_len, data_len, tmp_len;
	struct l_cipher *alg;
	uint8_t *decrypted;
	struct l_key *pkey;
	bool r;
	bool is_block;
	size_t decrypted_len;

	/* Technically this is BER, not limited to DER */
	key_info = asn1_der_find_elem(der, der_len, 0, &tag, &key_info_len);
	if (!key_info || tag != ASN1_ID_SEQUENCE)
		return NULL;

	alg_id = asn1_der_find_elem(key_info, key_info_len, 0, &tag,
					&alg_id_len);
	if (!alg_id || tag != ASN1_ID_SEQUENCE)
		return NULL;

	data = asn1_der_find_elem(key_info, key_info_len, 1, &tag, &data_len);
	if (!data || tag != ASN1_ID_OCTET_STRING || data_len < 8 ||
			(data_len & 7) != 0)
		return NULL;

	if (asn1_der_find_elem(der, der_len, 2, &tag, &tmp_len))
		return NULL;

	alg = cert_cipher_from_pkcs_alg_id(alg_id, alg_id_len, passphrase,
						&is_block);
	if (!alg)
		return NULL;

	decrypted = l_malloc(data_len);

	r = l_cipher_decrypt(alg, data, decrypted, data_len);
	l_cipher_free(alg);

	if (!r) {
		l_free(decrypted);
		return NULL;
	}

	decrypted_len = data_len;

	/*
	 * For block ciphers strip padding as defined in RFC8018
	 * (for PKCS#5 v1) or RFC1423 / RFC5652 (for v2).
	 */
	if (is_block) {
		uint8_t pad = decrypted[data_len - 1];

		pkey = NULL;

		if (pad > data_len || pad > 16 || pad == 0)
			goto cleanup;

		if (!l_secure_memeq(decrypted + data_len - pad, pad - 1U, pad))
			goto cleanup;

		decrypted_len -= pad;
	}

	pkey = cert_key_from_pkcs8_private_key_info(decrypted, decrypted_len);

cleanup:
	explicit_bzero(decrypted, data_len);
	l_free(decrypted);
	return pkey;
}

struct l_key *cert_key_from_pkcs1_rsa_private_key(const uint8_t *der,
							size_t der_len)
{
	const uint8_t *data;
	uint8_t tag;
	size_t data_len;
	const uint8_t *key_data;
	size_t key_data_len;
	int i;
	uint8_t *private_key;
	size_t private_key_len;
	uint8_t *one_asymmetric_key;
	uint8_t *ptr;
	struct l_key *pkey;

	static const uint8_t version0[] = {
		ASN1_ID_INTEGER, 0x01, 0x00
	};
	static const uint8_t pkcs1_rsa_encryption[] = {
		ASN1_ID_SEQUENCE, 0x0d,
		ASN1_ID_OID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
		0x01, 0x01, 0x01,
		ASN1_ID_NULL, 0x00,
	};

	/*
	 * Sanity check that it's a version 0 or 1 RSAPrivateKey structure
	 * with the 8 integers.
	 */
	key_data = asn1_der_find_elem(der, der_len, 0, &tag, &key_data_len);
	if (!key_data || tag != ASN1_ID_SEQUENCE)
		return NULL;

	data = asn1_der_find_elem(key_data, key_data_len, 0, &tag,
					&data_len);
	if (!data || tag != ASN1_ID_INTEGER || data_len != 1 ||
			(data[0] != 0x00 && data[0] != 0x01))
		return NULL;

	for (i = 1; i < 9; i++) {
		data = asn1_der_find_elem(key_data, key_data_len, i, &tag,
						&data_len);
		if (!data || tag != ASN1_ID_INTEGER || data_len < 1)
			return NULL;
	}

	private_key = l_malloc(10 + der_len);
	ptr = private_key;
	*ptr++ = ASN1_ID_OCTET_STRING;
	asn1_write_definite_length(&ptr, der_len);
	memcpy(ptr, der, der_len);
	ptr += der_len;
	private_key_len = ptr - private_key;

	one_asymmetric_key = l_malloc(32 + private_key_len);
	ptr = one_asymmetric_key;
	*ptr++ = ASN1_ID_SEQUENCE;
	asn1_write_definite_length(&ptr, sizeof(version0) +
					sizeof(pkcs1_rsa_encryption) +
					private_key_len);
	memcpy(ptr, version0, sizeof(version0));
	ptr += sizeof(version0);
	memcpy(ptr, pkcs1_rsa_encryption, sizeof(pkcs1_rsa_encryption));
	ptr += sizeof(pkcs1_rsa_encryption);
	memcpy(ptr, private_key, private_key_len);
	ptr += private_key_len;
	explicit_bzero(private_key, private_key_len);
	l_free(private_key);

	pkey = cert_key_from_pkcs8_private_key_info(one_asymmetric_key,
						ptr - one_asymmetric_key);
	explicit_bzero(one_asymmetric_key, ptr - one_asymmetric_key);
	l_free(one_asymmetric_key);

	return pkey;
}

static const uint8_t *cert_unpack_pkcs7_content_info(const uint8_t *container,
					size_t container_len, int pos,
					const struct asn1_oid *expected_oid,
					struct asn1_oid *out_oid,
					uint8_t *out_tag, size_t *out_len)
{
	const uint8_t *content_info;
	size_t content_info_len;
	const uint8_t *type;
	size_t type_len;
	const uint8_t *ret;
	uint8_t tag;

	if (!(content_info = asn1_der_find_elem(container, container_len, pos,
						&tag, &content_info_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return NULL;

	if (!(type = asn1_der_find_elem(content_info, content_info_len, 0,
					&tag, &type_len)) ||
			tag != ASN1_ID_OID ||
			type_len > sizeof(out_oid->asn1))
		return NULL;

	if (expected_oid && !asn1_oid_eq(expected_oid, type_len, type))
		return NULL;

	if (!(ret = asn1_der_find_elem(content_info, content_info_len,
					ASN1_CONTEXT_EXPLICIT(0),
					out_tag, out_len)) ||
			ret + *out_len != content_info + content_info_len)
		return NULL;

	if (out_oid) {
		out_oid->asn1_len = type_len;
		memcpy(out_oid->asn1, type, type_len);
	}

	return ret;
}

/* RFC5652 Section 8 */
static uint8_t *cert_decrypt_pkcs7_encrypted_data(const uint8_t *data,
						size_t data_len,
						const char *password,
						struct asn1_oid *out_oid,
						size_t *out_len)
{
	const uint8_t *version;
	size_t version_len;
	const uint8_t *encrypted_info;
	size_t encrypted_info_len;
	const uint8_t *type;
	size_t type_len;
	const uint8_t *alg_id;
	size_t alg_id_len;
	const uint8_t *encrypted;
	size_t encrypted_len;
	uint8_t tag;
	struct l_cipher *alg;
	uint8_t *plaintext;
	int i;
	bool ok;
	bool is_block;

	if (!(version = asn1_der_find_elem(data, data_len, 0, &tag,
						&version_len)) ||
			tag != ASN1_ID_INTEGER || version_len != 1 ||
			!L_IN_SET(version[0], 0, 2))
		return NULL;

	if (!(encrypted_info = asn1_der_find_elem(data, data_len, 1, &tag,
							&encrypted_info_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return NULL;

	if (!(type = asn1_der_find_elem(encrypted_info, encrypted_info_len, 0,
					&tag, &type_len)) ||
			tag != ASN1_ID_OID ||
			type_len > sizeof(out_oid->asn1))
		return NULL;

	if (!(alg_id = asn1_der_find_elem(encrypted_info, encrypted_info_len, 1,
					&tag, &alg_id_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return NULL;

	/* Not optional in our case, defined [0] IMPLICIT OCTET STRING */
	if (!(encrypted = asn1_der_find_elem(encrypted_info, encrypted_info_len,
						ASN1_CONTEXT_IMPLICIT(0),
						&tag, &encrypted_len)) ||
			tag != ASN1_ID(ASN1_CLASS_CONTEXT, 0, 0) ||
			encrypted_len < 8)
		return NULL;

	if (!(alg = cert_cipher_from_pkcs_alg_id(alg_id, alg_id_len, password,
							&is_block)))
		return NULL;

	plaintext = l_malloc(encrypted_len);
	ok = l_cipher_decrypt(alg, encrypted, plaintext, encrypted_len);
	l_cipher_free(alg);

	if (!ok) {
		l_free(plaintext);
		return NULL;
	}

	if (is_block) {
		bool ok = true;

		/* Also validate the padding */
		if (encrypted_len < plaintext[encrypted_len - 1] ||
				plaintext[encrypted_len - 1] > 16) {
			plaintext[encrypted_len - 1] = 1;
			ok = false;
		}

		for (i = 1; i < plaintext[encrypted_len - 1]; i++)
			if (plaintext[encrypted_len - 1 - i] !=
					plaintext[encrypted_len - 1])
				ok = false;

		if (!ok) {
			explicit_bzero(plaintext, encrypted_len);
			l_free(plaintext);
			return NULL;
		}

		encrypted_len -= plaintext[encrypted_len - 1];
	}

	if (out_oid) {
		out_oid->asn1_len = type_len;
		memcpy(out_oid->asn1, type, type_len);
	}

	*out_len = encrypted_len;
	return plaintext;
}

/* RFC7292 Appendix A. */
static const struct cert_pkcs12_hash pkcs12_mac_algs[] = {
	{
		L_CHECKSUM_MD5,    16, 16, 64,
		{ 8, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0f, 0x02, 0x05 } }
	},
	{
		L_CHECKSUM_SHA1,   20, 20, 64,
		{ 5, { 0x2b, 0x0e, 0x03, 0x02, 0x1a } }
	},
	{
		L_CHECKSUM_SHA224, 28, 28, 64,
		{ 9, { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04 } }
	},
	{
		L_CHECKSUM_SHA256, 32, 32, 64,
		{ 9, { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 } }
	},
	{
		L_CHECKSUM_SHA384, 48, 48, 128,
		{ 9, { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 } }
	},
	{
		L_CHECKSUM_SHA512, 64, 64, 128,
		{ 9, { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 } }
	},
	{
		L_CHECKSUM_SHA512, 64, 28, 128,
		{ 9, { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05 } }
	},
	{
		L_CHECKSUM_SHA512, 64, 32, 128,
		{ 9, { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x06 } }
	},
};

static const struct asn1_oid pkcs12_key_bag_oid = {
	11, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x01 }
};

static const struct asn1_oid pkcs12_pkcs8_shrouded_key_bag_oid = {
	11, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02 }
};

static const struct asn1_oid pkcs12_cert_bag_oid = {
	11, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x03 }
};

static const struct asn1_oid pkcs12_safe_contents_bag_oid = {
	11, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x06 }
};

static const struct asn1_oid pkcs9_x509_certificate_oid = {
	10, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x16, 0x01 }
};

/* RFC7292 Section 4.2.3 */
static bool cert_parse_pkcs12_cert_bag(const uint8_t *data, size_t data_len,
					struct l_certchain **out_certchain)
{
	const uint8_t *cert_bag;
	size_t cert_bag_len;
	const uint8_t *cert_id;
	size_t cert_id_len;
	const uint8_t *cert_value;
	size_t cert_value_len;
	uint8_t tag;
	struct l_cert *cert;

	if (!(cert_bag = asn1_der_find_elem(data, data_len, 0,
						&tag, &cert_bag_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return false;

	if (!(cert_id = asn1_der_find_elem(cert_bag, cert_bag_len, 0,
						&tag, &cert_id_len)) ||
			tag != ASN1_ID_OID)
		return false;

	if (!(cert_value = asn1_der_find_elem(cert_bag, cert_bag_len,
						ASN1_CONTEXT_EXPLICIT(0),
						&tag, &cert_value_len)) ||
			tag != ASN1_ID_OCTET_STRING ||
			cert_value + cert_value_len != data + data_len)
		return false;

	/* Skip unsupported certificate types */
	if (!asn1_oid_eq(&pkcs9_x509_certificate_oid, cert_id_len, cert_id))
		return true;

	if (!(cert = l_cert_new_from_der(cert_value, cert_value_len)))
		return false;

	if (!*out_certchain)
		*out_certchain = certchain_new_from_leaf(cert);
	else
		certchain_link_issuer(*out_certchain, cert);

	return true;
}

static bool cert_parse_pkcs12_safe_contents(const uint8_t *data,
					size_t data_len, const char *password,
					struct l_certchain **out_certchain,
					struct l_key **out_privkey)
{
	const uint8_t *safe_contents;
	size_t safe_contents_len;
	uint8_t tag;

	if (!(safe_contents = asn1_der_find_elem(data, data_len, 0, &tag,
							&safe_contents_len)) ||
			tag != ASN1_ID_SEQUENCE ||
			data + data_len != safe_contents + safe_contents_len)
		return false;

	/* RFC7292 Section 4.2 */
	while (safe_contents_len) {
		const uint8_t *safe_bag;
		size_t safe_bag_len;
		const uint8_t *bag_id;
		size_t bag_id_len;
		const uint8_t *bag_value;
		int bag_value_len;

		/* RFC7292 Section 4.2 */
		if (!(safe_bag = asn1_der_find_elem(safe_contents,
							safe_contents_len, 0,
							&tag, &safe_bag_len)) ||
				tag != ASN1_ID_SEQUENCE)
			return false;

		if (!(bag_id = asn1_der_find_elem(safe_bag, safe_bag_len, 0,
							&tag, &bag_id_len)) ||
				tag != ASN1_ID_OID)
			return false;

		/*
		 * The bagValue is EXPLICITly tagged but we don't want to
		 * unpack the inner TLV yet so don't use asn1_der_find_elem.
		 */
		safe_bag_len -= bag_id + bag_id_len - safe_bag;
		safe_bag = bag_id + bag_id_len;

		if (safe_bag_len < 4)
			return false;

		tag = *safe_bag++;
		safe_bag_len--;
		bag_value_len = asn1_parse_definite_length(&safe_bag,
								&safe_bag_len);
		bag_value = safe_bag;

		if (bag_value_len < 0 || bag_value_len > (int) safe_bag_len ||
				tag != ASN1_ID(ASN1_CLASS_CONTEXT, 1, 0))
			return false;

		/* PKCS#9 attributes ignored */

		safe_contents_len -= (safe_bag + safe_bag_len - safe_contents);
		safe_contents = safe_bag + safe_bag_len;

		if (asn1_oid_eq(&pkcs12_key_bag_oid, bag_id_len, bag_id)) {
			if (!out_privkey || *out_privkey)
				continue;

			*out_privkey =
				cert_key_from_pkcs8_private_key_info(bag_value,
								bag_value_len);
			if (!*out_privkey)
				return false;
		} else if (asn1_oid_eq(&pkcs12_pkcs8_shrouded_key_bag_oid,
					bag_id_len, bag_id)) {
			if (!out_privkey || *out_privkey)
				continue;

			*out_privkey =
				cert_key_from_pkcs8_encrypted_private_key_info(
								bag_value,
								bag_value_len,
								password);
			if (!*out_privkey)
				return false;
		} else if (asn1_oid_eq(&pkcs12_cert_bag_oid,
					bag_id_len, bag_id)) {
			if (!out_certchain)
				continue;

			if (!cert_parse_pkcs12_cert_bag(bag_value, bag_value_len,
							out_certchain))
				return false;
		} else if (asn1_oid_eq(&pkcs12_safe_contents_bag_oid,
					bag_id_len, bag_id)) {
			/* TODO: depth check */
			if (!(cert_parse_pkcs12_safe_contents(bag_value,
								bag_value_len,
								password,
								out_certchain,
								out_privkey)))
				return false;
		}
	}

	return true;
}

static bool cert_check_pkcs12_integrity(const uint8_t *mac_data,
					size_t mac_data_len,
					const uint8_t *auth_safe,
					size_t auth_safe_len,
					const char *password)
{
	const uint8_t *mac;
	size_t mac_len;
	const uint8_t *mac_salt;
	size_t mac_salt_len;
	const uint8_t *iterations_data;
	size_t iterations_len;
	unsigned int iterations;
	const uint8_t *digest_alg;
	size_t digest_alg_len;
	const uint8_t *digest;
	size_t digest_len;
	const uint8_t *alg_id;
	size_t alg_id_len;
	const struct cert_pkcs12_hash *mac_hash;
	L_AUTO_FREE_VAR(uint8_t *, key) = NULL;
	struct l_checksum *hmac;
	uint8_t hmac_val[64];
	uint8_t tag;
	bool ok;
	unsigned int i;

	if (!(mac = asn1_der_find_elem(mac_data, mac_data_len, 0, &tag,
					&mac_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return false;

	if (!(mac_salt = asn1_der_find_elem(mac_data, mac_data_len, 1, &tag,
						&mac_salt_len)) ||
			tag != ASN1_ID_OCTET_STRING || mac_salt_len > 1024)
		return false;

	if (!(iterations_data = asn1_der_find_elem(mac_data, mac_data_len, 2,
							&tag,
							&iterations_len)) ||
			tag != ASN1_ID_INTEGER || iterations_len > 4)
		return false;

	for (iterations = 0; iterations_len; iterations_len--)
		iterations = (iterations << 8) | *iterations_data++;

	if (iterations < 1 || iterations > 8192)
		return false;

	/* RFC2315 Section 9.4 */
	if (!(digest_alg = asn1_der_find_elem(mac, mac_len, 0, &tag,
						&digest_alg_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return false;

	if (!(digest = asn1_der_find_elem(mac, mac_len, 1, &tag,
						&digest_len)) ||
			tag != ASN1_ID_OCTET_STRING)
		return false;

	if (!(alg_id = asn1_der_find_elem(digest_alg, digest_alg_len,
						0, &tag, &alg_id_len)) ||
			tag != ASN1_ID_OID)
		return false;

	/* This is going to be used for both the MAC and its key derivation */
	for (i = 0; i < L_ARRAY_SIZE(pkcs12_mac_algs); i++)
		if (asn1_oid_eq(&pkcs12_mac_algs[i].oid, alg_id_len, alg_id)) {
			mac_hash = &pkcs12_mac_algs[i];
			break;
		}

	if (i == L_ARRAY_SIZE(pkcs12_mac_algs) || digest_len != mac_hash->u)
		return false;

	if (!(key = cert_pkcs12_pbkdf(password, mac_hash,
					mac_salt, mac_salt_len,
					iterations, 3, mac_hash->u)))
		return false;

	hmac = l_checksum_new_hmac(mac_hash->alg, key, mac_hash->u);
	explicit_bzero(key, mac_hash->u);

	if (!hmac)
		return false;

	ok = l_checksum_update(hmac, auth_safe, auth_safe_len) &&
		l_checksum_get_digest(hmac, hmac_val, mac_hash->len) > 0;
	l_checksum_free(hmac);

	if (!ok)
		return false;

	/*
	 * SHA-512/224 and SHA-512/256 are not supported.  We can truncate the
	 * output for key derivation but we can't do this inside the HMAC
	 * algorithms based on these hashes.  We skip the MAC verification
	 * if one of these hashes is used (identified by .u != .len)
	 */
	if (mac_hash->u != mac_hash->len)
		return true;

	return l_secure_memcmp(hmac_val, digest, digest_len) == 0;
}

/* RFC5652 Section 4 */
static const struct asn1_oid pkcs7_data_oid = {
	9, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 }
};

/* RFC5652 Section 8 */
static const struct asn1_oid pkcs7_encrypted_data_oid = {
	9, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06 }
};

static bool cert_parse_auth_safe_content(const uint8_t *data, size_t data_len,
					uint8_t tag,
					const struct asn1_oid *data_oid,
					const char *password,
					struct l_certchain **out_certchain,
					struct l_key **out_privkey)
{
	if (asn1_oid_eq(&pkcs7_encrypted_data_oid,
			data_oid->asn1_len, data_oid->asn1)) {
		uint8_t *plaintext;
		size_t plaintext_len;
		struct asn1_oid oid;
		bool ok;

		if (tag != ASN1_ID_SEQUENCE)
			return false;

		/*
		 * This is same as PKCS#7 encryptedData but the ciphers
		 * used are from PKCS#12 (broken but still the default
		 * everywhere) and PKCS#5 (recommended).
		 */
		plaintext = cert_decrypt_pkcs7_encrypted_data(data,
								data_len,
								password, &oid,
								&plaintext_len);
		if (!plaintext)
			return false;

		/*
		 * Since we only support PKCS#7 data and encryptedData
		 * types, and there's no point re-encrypting
		 * encryptedData, the plaintext must be a PKCS#7
		 * "data".
		 */
		ok = asn1_oid_eq(&pkcs7_data_oid,
					oid.asn1_len, oid.asn1) &&
			cert_parse_pkcs12_safe_contents(plaintext,
							plaintext_len,
							password,
							out_certchain,
							out_privkey);
		explicit_bzero(plaintext, plaintext_len);
		l_free(plaintext);

		if (!ok)
			return false;
	} else if (asn1_oid_eq(&pkcs7_data_oid,
				data_oid->asn1_len, data_oid->asn1)) {
		if (tag != ASN1_ID_OCTET_STRING)
			return false;

		if (!cert_parse_pkcs12_safe_contents(data, data_len,
							password,
							out_certchain,
							out_privkey))
			return false;
	}
	/* envelopedData support not needed */

	return true;
}

static bool cert_parse_pkcs12_pfx(const uint8_t *ptr, size_t len,
					const char *password,
					struct l_certchain **out_certchain,
					struct l_key **out_privkey)
{
	const uint8_t *version;
	size_t version_len;
	const uint8_t *auth_safe;
	size_t auth_safe_len;
	const uint8_t *mac_data;
	size_t mac_data_len;
	const uint8_t *auth_safe_seq;
	size_t auth_safe_seq_len;
	uint8_t tag;
	unsigned int i;
	struct l_certchain *certchain = NULL;
	struct l_key *privkey = NULL;

	/* RFC7292 Section 4 */
	if (!(version = asn1_der_find_elem(ptr, len, 0, &tag, &version_len)) ||
			tag != ASN1_ID_INTEGER)
		return false;

	if (version_len != 1 || version[0] != 3)
		return false;

	/*
	 * Since we only support the password-based integrity mode,  the
	 * authSafe must be of PKCS#7 type "data" and not "signedData".
	 */
	if (!(auth_safe = cert_unpack_pkcs7_content_info(ptr, len, 1,
							&pkcs7_data_oid, NULL,
							&tag,
							&auth_safe_len)) ||
			tag != ASN1_ID_OCTET_STRING)
		return false;

	/*
	 * openssl can generate PFX structures without macData not signed
	 * with a public key so handle this case, otherwise the macData
	 * would not be optional.
	 */
	if (auth_safe + auth_safe_len == ptr + len)
		goto integrity_check_done;

	if (!(mac_data = asn1_der_find_elem(ptr, len, 2, &tag,
						&mac_data_len)) ||
			tag != ASN1_ID_SEQUENCE)
		return false;

	if (!cert_check_pkcs12_integrity(mac_data, mac_data_len,
						auth_safe, auth_safe_len,
						password))
		return false;

integrity_check_done:
	if (!(auth_safe_seq = asn1_der_find_elem(auth_safe, auth_safe_len, 0,
						&tag, &auth_safe_seq_len)) ||
			tag != ASN1_ID_SEQUENCE ||
			auth_safe + auth_safe_len !=
			auth_safe_seq + auth_safe_seq_len)
		return false;

	i = 0;
	while (1) {
		struct asn1_oid data_oid;
		const uint8_t *data;
		size_t data_len;

		if (!(data = cert_unpack_pkcs7_content_info(auth_safe_seq,
							auth_safe_seq_len, i++,
							NULL, &data_oid, &tag,
							&data_len)))
			goto error;

		if (!cert_parse_auth_safe_content(data, data_len, tag,
							&data_oid, password,
							out_certchain ?
							&certchain : NULL,
							out_privkey ?
							&privkey : NULL))
			goto error;

		if (data + data_len == auth_safe_seq + auth_safe_seq_len)
			break;
	}

	if (out_certchain)
		*out_certchain = certchain;

	if (out_privkey)
		*out_privkey = privkey;

	return true;

error:
	if (certchain)
		l_certchain_free(certchain);

	if (privkey)
		l_key_free(privkey);

	return false;
}

static int cert_try_load_der_format(const uint8_t *content, size_t content_len,
					const char *password,
					struct l_certchain **out_certchain,
					struct l_key **out_privkey,
					bool *out_encrypted)
{
	const uint8_t *seq;
	size_t seq_len;
	const uint8_t *elem_data;
	size_t elem_len;
	uint8_t tag;

	if (!(seq = asn1_der_find_elem(content, content_len,
					0, &tag, &seq_len)))
		/* May not have been a DER file after all */
		return -ENOMSG;

	/*
	 * See if the first sub-element is another sequence, then, out of
	 * the formats that we currently support this can only be a raw
	 * certificate.  If integer, it's going to be PKCS#12.  If we wish
	 * to add any more formats we'll probably need to start guessing
	 * from the filename suffix.
	 */
	if (!(elem_data = asn1_der_find_elem(seq, seq_len,
						0, &tag, &elem_len)))
		return -ENOMSG;

	if (tag == ASN1_ID_SEQUENCE) {
		if (out_certchain) {
			struct l_cert *cert;

			if (!(cert = l_cert_new_from_der(content, content_len)))
				return -EINVAL;

			*out_certchain = certchain_new_from_leaf(cert);

			if (out_privkey)
				*out_privkey = NULL;

			if (out_encrypted)
				*out_encrypted = false;

			return 0;
		}

		return -EINVAL;
	}

	if (tag == ASN1_ID_INTEGER) {
		/*
		 * Since we don't support public key-protected PKCS#12
		 * modes, we always require the password at least for the
		 * integrity check.  Strictly speaking encryption may not
		 * actually be in use.  We also don't support files with
		 * different integrity and privacy passwords, they must
		 * be identical if privacy is enabled.
		 */
		if (out_encrypted)
			*out_encrypted = true;

		if (!password) {
			if (!out_encrypted)
				return -EINVAL;

			if (out_certchain)
				*out_certchain = NULL;

			if (out_privkey)
				*out_privkey = NULL;

			return 0;
		}

		if (cert_parse_pkcs12_pfx(seq, seq_len, password,
						out_certchain, out_privkey))
			return 0;
		else
			return -EINVAL;
	}

	return -ENOMSG;
}

static bool cert_try_load_pem_format(const char *content, size_t content_len,
					const char *password,
					struct l_certchain **out_certchain,
					struct l_key **out_privkey,
					bool *out_encrypted)
{
	bool error = false;
	bool done = false;
	struct l_certchain *certchain = NULL;
	struct l_key *privkey = NULL;
	bool encrypted = false;

	while (!done && !error && content_len) {
		uint8_t *der;
		size_t der_len;
		char *type_label;
		char *headers;
		const char *endp;

		if (!(der = pem_load_buffer(content, content_len, &type_label,
						&der_len, &headers, &endp)))
			break;

		content_len -= endp - content;
		content = endp;

		if (out_certchain && L_IN_STRSET(type_label, "CERTIFICATE")) {
			struct l_cert *cert;

			if (!(cert = l_cert_new_from_der(der, der_len))) {
				error = true;
				goto next;
			}

			if (!certchain)
				certchain = certchain_new_from_leaf(cert);
			else
				certchain_link_issuer(certchain, cert);

			goto next;
		}

		/* Only use the first private key found */
		if (out_privkey && !privkey && L_IN_STRSET(type_label,
							"PRIVATE KEY",
							"ENCRYPTED PRIVATE KEY",
							"RSA PRIVATE KEY")) {
			privkey = pem_load_private_key(der, der_len, type_label,
							password, headers,
							&encrypted);
			if (!privkey) {
				if (certchain) {
					l_certchain_free(certchain);
					certchain = NULL;
				}

				if (password)
					error = true;
				else
					error = !encrypted || !out_encrypted;

				done = true;
			}

			continue;
		}

		/* Cisco/gnutls-type PEM-encoded PKCS#12, probably rare */
		if (L_IN_STRSET(type_label, "PKCS12")) {
			encrypted = true;

			if (!password) {
				if (certchain && out_privkey) {
					l_certchain_free(certchain);
					certchain = NULL;
				}

				error = !out_encrypted;
				done = true;
				goto next;
			}

			error = !cert_parse_pkcs12_pfx(der, der_len, password,
							out_certchain ?
							&certchain : NULL,
							out_privkey ?
							&privkey : NULL);
			goto next;
		}

next:
		explicit_bzero(der, der_len);
		l_free(der);
		l_free(type_label);
		l_free(headers);
	}

	if (error) {
		if (certchain)
			l_certchain_free(certchain);

		if (privkey)
			l_key_free(privkey);

		return false;
	}

	if (out_certchain)
		*out_certchain = certchain;

	if (out_privkey)
		*out_privkey = privkey;

	if (out_encrypted)
		*out_encrypted = encrypted;

	return true;
}

/*
 * Look at a file, try to detect which of the few X.509 certificate and/or
 * private key container formats it uses and load any certificates in it as
 * a certificate chain object, and load the first private key as an l_key
 * object.
 *
 * Currently supported are:
 *  PEM X.509 certificates
 *  PEM PKCS#8 encrypted and unencrypted private keys
 *  PEM legacy PKCS#1 encrypted and unencrypted private keys
 *  Raw X.509 certificates (.cer, .der, .crt)
 *  PKCS#12 certificates
 *  PKCS#12 encrypted private keys
 *
 * The raw format contains exactly one certificate, PEM and PKCS#12 files
 * can contain any combination of certificates and private keys.
 *
 * The password must have been validated as UTF-8 (use l_utf8_validate)
 * unless the caller knows that no PKCS#12-defined encryption algorithm
 * or MAC is used.
 *
 * Returns false on "unrecoverable" errors, and *out_certchain,
 * *out_privkey and *out_encrypted (if provided) are not modified.  However
 * when true is returned, *out_certchain and *out_privkey (if provided) may
 * be set to NULL when nothing could be loaded only due to missing password,
 * and *out_encrypted (if provided) will be set accordingly.  It will also
 * be set on success to indicate whether the password was used.
 * *out_certchain and/or *out_privkey will also be NULL if the container
 * was loaded but there were no certificates or private keys in it.
 */
LIB_EXPORT bool l_cert_load_container_file(const char *filename,
					const char *password,
					struct l_certchain **out_certchain,
					struct l_key **out_privkey,
					bool *out_encrypted)
{
	struct pem_file_info file;
	bool error = true;

	if (unlikely(!filename))
		return false;

	if (pem_file_open(&file, filename) < 0)
		return false;

	if (file.st.st_size < 1)
		goto close;

	/* See if we have a DER sequence tag at the start */
	if (file.data[0] == ASN1_ID_SEQUENCE) {
		int err;

		err = cert_try_load_der_format(file.data, file.st.st_size,
						password, out_certchain,
						out_privkey, out_encrypted);
		if (!err) {
			error = false;
			goto close;
		}

		if (err != -ENOMSG)
			goto close;

		/* Try other formats */
	}

	/*
	 * For backwards compatibility try the TLS internal struct Certificate
	 * format as may be captured by PCAP (no future support guaranteed).
	 */
	if (out_certchain && !password && file.st.st_size &&
			tls_parse_certificate_list(file.data, file.st.st_size,
							out_certchain) == 0) {
		error = false;

		if (out_privkey)
			*out_privkey = NULL;

		if (out_encrypted)
			*out_encrypted = false;

		goto close;
	}

	/*
	 * RFC 7486 allows whitespace and possibly other data before the
	 * PEM "encapsulation boundary" so rather than check if the start
	 * of the data looks like PEM, we fall back to this format if the
	 * data didn't look like anything else we knew about.  Note this
	 * succeeds for empty files and files without any PEM markers,
	 * returning NULL chain and privkey.
	 */
	if (cert_try_load_pem_format((const char *) file.data, file.st.st_size,
					password, out_certchain, out_privkey,
					out_encrypted))
		error = false;

close:
	pem_file_close(&file);
	return !error;
}