grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/crypto/{x509/pkcs7.c → pkcs7/pkcs7_x509.c}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, Google Inc.
+/* Copyright (c) 2017, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
 
 #include <assert.h>
 #include <limits.h>
@@ -20,113 +20,28 @@
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/obj.h>
 #include <openssl/pem.h>
+#include <openssl/pool.h>
 #include <openssl/stack.h>
+#include <openssl/x509.h>
 
-#include "../bytestring/internal.h"
-
-
-/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
- * SignedData blob from |cbs| and sets |*out| to point to the rest of the
- * input. If the input is in BER format, then |*der_bytes| will be set to a
- * pointer that needs to be freed by the caller once they have finished
- * processing |*out| (which will be pointing into |*der_bytes|).
- *
- * It returns one on success or zero on error. On error, |*der_bytes| is
- * NULL. */
-static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
-  size_t der_len;
-  CBS in, content_info, content_type, wrapped_signed_data, signed_data;
-  uint64_t version;
-
-  /* The input may be in BER format. */
-  *der_bytes = NULL;
-  if (!CBS_asn1_ber_to_der(cbs, der_bytes, &der_len)) {
-    return 0;
-  }
-  if (*der_bytes != NULL) {
-    CBS_init(&in, *der_bytes, der_len);
-  } else {
-    CBS_init(&in, CBS_data(cbs), CBS_len(cbs));
-  }
-
-  /* See https://tools.ietf.org/html/rfc2315#section-7 */
-  if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||
-      !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {
-    goto err;
-  }
-
-  if (OBJ_cbs2nid(&content_type) != NID_pkcs7_signed) {
-    OPENSSL_PUT_ERROR(X509, X509_R_NOT_PKCS7_SIGNED_DATA);
-    goto err;
-  }
-
-  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
-  if (!CBS_get_asn1(&content_info, &wrapped_signed_data,
-                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
-      !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||
-      !CBS_get_asn1_uint64(&signed_data, &version) ||
-      !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||
-      !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {
-    goto err;
-  }
-
-  if (version < 1) {
-    OPENSSL_PUT_ERROR(X509, X509_R_BAD_PKCS7_VERSION);
-    goto err;
-  }
-
-  CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));
-  return 1;
-
-err:
-  if (*der_bytes) {
-    OPENSSL_free(*der_bytes);
-    *der_bytes = NULL;
-  }
+#include "internal.h"
 
-  return 0;
-}
 
 int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
-  CBS signed_data, certificates;
-  uint8_t *der_bytes = NULL;
   int ret = 0;
   const size_t initial_certs_len = sk_X509_num(out_certs);
-
-  if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {
-    return 0;
-  }
-
-  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
-  if (!CBS_get_asn1(&signed_data, &certificates,
-                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
-    OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATES_INCLUDED);
+  STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();
+  if (raw == NULL ||
+      !PKCS7_get_raw_certificates(raw, cbs, NULL)) {
     goto err;
   }
 
-  while (CBS_len(&certificates) > 0) {
-    CBS cert;
-    X509 *x509;
-    const uint8_t *inp;
-
-    if (!CBS_get_asn1_element(&certificates, &cert, CBS_ASN1_SEQUENCE)) {
-      goto err;
-    }
-
-    if (CBS_len(&cert) > LONG_MAX) {
-      goto err;
-    }
-    inp = CBS_data(&cert);
-    x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));
-    if (!x509) {
-      goto err;
-    }
-
-    assert(inp == CBS_data(&cert) + CBS_len(&cert));
-
-    if (sk_X509_push(out_certs, x509) == 0) {
+  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {
+    CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);
+    X509 *x509 = X509_parse_from_buffer(buf);
+    if (x509 == NULL ||
+        !sk_X509_push(out_certs, x509)) {
       X509_free(x509);
       goto err;
     }
@@ -135,10 +50,7 @@ int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
   ret = 1;
 
 err:
-  if (der_bytes) {
-    OPENSSL_free(der_bytes);
-  }
-
+  sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);
   if (!ret) {
     while (sk_X509_num(out_certs) != initial_certs_len) {
       X509 *x509 = sk_X509_pop(out_certs);
@@ -159,10 +71,10 @@ int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
     return 0;
   }
 
-  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+  // See https://tools.ietf.org/html/rfc2315#section-9.1
 
-  /* Even if only CRLs are included, there may be an empty certificates block.
-   * OpenSSL does this, for example. */
+  // Even if only CRLs are included, there may be an empty certificates block.
+  // OpenSSL does this, for example.
   if (CBS_peek_asn1_tag(&signed_data,
                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) &&
       !CBS_get_asn1(&signed_data, NULL /* certificates */,
@@ -172,7 +84,7 @@ int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
 
   if (!CBS_get_asn1(&signed_data, &crls,
                     CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
-    OPENSSL_PUT_ERROR(X509, X509_R_NO_CRLS_INCLUDED);
+    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED);
     goto err;
   }
 
@@ -205,9 +117,7 @@ int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
   ret = 1;
 
 err:
-  if (der_bytes) {
-    OPENSSL_free(der_bytes);
-  }
+  OPENSSL_free(der_bytes);
 
   if (!ret) {
     while (sk_X509_CRL_num(out_crls) != initial_crls_len) {
@@ -223,9 +133,9 @@ int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {
   long len;
   int ret;
 
-  /* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
-   * internally will actually allow several other values too, including
-   * "CERTIFICATE". */
+  // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
+  // internally will actually allow several other values too, including
+  // "CERTIFICATE".
   if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
                           PEM_STRING_PKCS7, pem_bio,
                           NULL /* password callback */,
@@ -245,9 +155,9 @@ int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
   long len;
   int ret;
 
-  /* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
-   * internally will actually allow several other values too, including
-   * "CERTIFICATE". */
+  // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
+  // internally will actually allow several other values too, including
+  // "CERTIFICATE".
   if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
                           PEM_STRING_PKCS7, pem_bio,
                           NULL /* password callback */,
@@ -262,42 +172,12 @@ int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
   return ret;
 }
 
-/* pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls
- * |cb| with a CBB to which certificate or CRL data can be written, and the
- * opaque context pointer, |arg|. The callback can return zero to indicate an
- * error.
- *
- * pkcs7_bundle returns one on success or zero on error. */
-static int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
-                        const void *arg) {
-  CBB outer_seq, wrapped_seq, seq, version_bytes, digest_algos_set,
-      content_info;
-
-  /* See https://tools.ietf.org/html/rfc2315#section-7 */
-  if (!CBB_add_asn1(out, &outer_seq, CBS_ASN1_SEQUENCE) ||
-      !OBJ_nid2cbb(&outer_seq, NID_pkcs7_signed) ||
-      !CBB_add_asn1(&outer_seq, &wrapped_seq,
-                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
-      /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
-      !CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) ||
-      !CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) ||
-      !CBB_add_u8(&version_bytes, 1) ||
-      !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) ||
-      !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) ||
-      !OBJ_nid2cbb(&content_info, NID_pkcs7_data) ||
-      !cb(&seq, arg)) {
-    return 0;
-  }
-
-  return CBB_flush(out);
-}
-
 static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
   const STACK_OF(X509) *certs = arg;
   size_t i;
   CBB certificates;
 
-  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+  // See https://tools.ietf.org/html/rfc2315#section-9.1
   if (!CBB_add_asn1(out, &certificates,
                     CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
     return 0;
@@ -327,7 +207,7 @@ static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
   size_t i;
   CBB crl_data;
 
-  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+  // See https://tools.ietf.org/html/rfc2315#section-9.1
   if (!CBB_add_asn1(out, &crl_data,
                     CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
     return 0;

data/third_party/boringssl/crypto/pkcs8/internal.h

@@ -63,40 +63,58 @@ extern "C" {
 #endif
 
 
-#define PBE_UCS2_CONVERT_PASSWORD 0x1
+// pkcs8_pbe_decrypt decrypts |in| using the PBE scheme described by
+// |algorithm|, which should be a serialized AlgorithmIdentifier structure. On
+// success, it sets |*out| to a newly-allocated buffer containing the decrypted
+// result and returns one. Otherwise, it returns zero.
+int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm,
+                      const char *pass, size_t pass_len, const uint8_t *in,
+                      size_t in_len);
+
+#define PKCS12_KEY_ID 1
+#define PKCS12_IV_ID 2
+#define PKCS12_MAC_ID 3
+
+// pkcs12_key_gen runs the PKCS#12 key derivation function as specified in
+// RFC 7292, appendix B. On success, it writes the resulting |out_len| bytes of
+// key material to |out| and returns one. Otherwise, it returns zero. |id|
+// should be one of the |PKCS12_*_ID| values.
+int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt,
+                   size_t salt_len, uint8_t id, unsigned iterations,
+                   size_t out_len, uint8_t *out, const EVP_MD *md);
 
 struct pbe_suite {
   int pbe_nid;
+  uint8_t oid[10];
+  uint8_t oid_len;
   const EVP_CIPHER *(*cipher_func)(void);
   const EVP_MD *(*md_func)(void);
-  /* decrypt_init initialize |ctx| for decrypting. The password is specified by
-   * |pass_raw| and |pass_raw_len|. |param| contains the serialized parameters
-   * field of the AlgorithmIdentifier.
-   *
-   * It returns one on success and zero on error. */
+  // decrypt_init initialize |ctx| for decrypting. The password is specified by
+  // |pass| and |pass_len|. |param| contains the serialized parameters field of
+  // the AlgorithmIdentifier.
+  //
+  // It returns one on success and zero on error.
   int (*decrypt_init)(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
-                      const uint8_t *pass_raw, size_t pass_raw_len, CBS *param);
-  int flags;
+                      const char *pass, size_t pass_len, CBS *param);
 };
 
 #define PKCS5_DEFAULT_ITERATIONS 2048
 #define PKCS5_SALT_LEN 8
 
 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
-                            const uint8_t *pass_raw, size_t pass_raw_len,
-                            CBS *param);
+                            const char *pass, size_t pass_len, CBS *param);
 
-/* PKCS5_pbe2_encrypt_init configures |ctx| for encrypting with PKCS #5 PBES2,
- * as defined in RFC 2998, with the specified parameters. It writes the
- * corresponding AlgorithmIdentifier to |out|. */
+// PKCS5_pbe2_encrypt_init configures |ctx| for encrypting with PKCS #5 PBES2,
+// as defined in RFC 2998, with the specified parameters. It writes the
+// corresponding AlgorithmIdentifier to |out|.
 int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx,
                             const EVP_CIPHER *cipher, unsigned iterations,
-                            const uint8_t *pass_raw, size_t pass_raw_len,
+                            const char *pass, size_t pass_len,
                             const uint8_t *salt, size_t salt_len);
 
 
 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif
 
-#endif  /* OPENSSL_HEADER_PKCS8_INTERNAL_H */
+#endif  // OPENSSL_HEADER_PKCS8_INTERNAL_H

data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c

@@ -62,16 +62,86 @@
 #include <openssl/cipher.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/obj.h>
+#include <openssl/nid.h>
 #include <openssl/rand.h>
 
 #include "internal.h"
 #include "../internal.h"
 
 
+// 1.2.840.113549.1.5.12
+static const uint8_t kPBKDF2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
+                                  0x0d, 0x01, 0x05, 0x0c};
+
+// 1.2.840.113549.1.5.13
+static const uint8_t kPBES2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
+                                 0x0d, 0x01, 0x05, 0x0d};
+
+// 1.2.840.113549.2.7
+static const uint8_t kHMACWithSHA1[] = {0x2a, 0x86, 0x48, 0x86,
+                                        0xf7, 0x0d, 0x02, 0x07};
+
+static const struct {
+  uint8_t oid[9];
+  uint8_t oid_len;
+  int nid;
+  const EVP_CIPHER *(*cipher_func)(void);
+} kCipherOIDs[] = {
+    // 1.2.840.113549.3.2
+    {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x02},
+     8,
+     NID_rc2_cbc,
+     &EVP_rc2_cbc},
+    // 1.2.840.113549.3.7
+    {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07},
+     8,
+     NID_des_ede3_cbc,
+     &EVP_des_ede3_cbc},
+    // 2.16.840.1.101.3.4.1.2
+    {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02},
+     9,
+     NID_aes_128_cbc,
+     &EVP_aes_128_cbc},
+    // 2.16.840.1.101.3.4.1.22
+    {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16},
+     9,
+     NID_aes_192_cbc,
+     &EVP_aes_192_cbc},
+    // 2.16.840.1.101.3.4.1.42
+    {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a},
+     9,
+     NID_aes_256_cbc,
+     &EVP_aes_256_cbc},
+};
+
+static const EVP_CIPHER *cbs_to_cipher(const CBS *cbs) {
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherOIDs); i++) {
+    if (CBS_mem_equal(cbs, kCipherOIDs[i].oid, kCipherOIDs[i].oid_len)) {
+      return kCipherOIDs[i].cipher_func();
+    }
+  }
+
+  return NULL;
+}
+
+static int add_cipher_oid(CBB *out, int nid) {
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherOIDs); i++) {
+    if (kCipherOIDs[i].nid == nid) {
+      CBB child;
+      return CBB_add_asn1(out, &child, CBS_ASN1_OBJECT) &&
+             CBB_add_bytes(&child, kCipherOIDs[i].oid,
+                           kCipherOIDs[i].oid_len) &&
+             CBB_flush(out);
+    }
+  }
+
+  OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER);
+  return 0;
+}
+
 static int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-                                  unsigned iterations, const uint8_t *pass_raw,
-                                  size_t pass_raw_len, const uint8_t *salt,
+                                  unsigned iterations, const char *pass,
+                                  size_t pass_len, const uint8_t *salt,
                                   size_t salt_len, const uint8_t *iv,
                                   size_t iv_len, int enc) {
   if (iv_len != EVP_CIPHER_iv_length(cipher)) {
@@ -80,8 +150,7 @@ static int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
   }
 
   uint8_t key[EVP_MAX_KEY_LENGTH];
-  int ret = PKCS5_PBKDF2_HMAC_SHA1((const char *)pass_raw, pass_raw_len, salt,
-                                   salt_len, iterations,
+  int ret = PKCS5_PBKDF2_HMAC_SHA1(pass, pass_len, salt, salt_len, iterations,
                                    EVP_CIPHER_key_length(cipher), key) &&
             EVP_CipherInit_ex(ctx, cipher, NULL /* engine */, key, iv, enc);
   OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
@@ -90,7 +159,7 @@ static int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 
 int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx,
                             const EVP_CIPHER *cipher, unsigned iterations,
-                            const uint8_t *pass_raw, size_t pass_raw_len,
+                            const char *pass, size_t pass_len,
                             const uint8_t *salt, size_t salt_len) {
   int cipher_nid = EVP_CIPHER_nid(cipher);
   if (cipher_nid == NID_undef) {
@@ -98,45 +167,47 @@ int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx,
     return 0;
   }
 
-  /* Generate a random IV. */
+  // Generate a random IV.
   uint8_t iv[EVP_MAX_IV_LENGTH];
   if (!RAND_bytes(iv, EVP_CIPHER_iv_length(cipher))) {
     return 0;
   }
 
-  /* See RFC 2898, appendix A. */
-  CBB algorithm, param, kdf, kdf_param, salt_cbb, cipher_cbb, iv_cbb;
+  // See RFC 2898, appendix A.
+  CBB algorithm, oid, param, kdf, kdf_oid, kdf_param, salt_cbb, cipher_cbb,
+      iv_cbb;
   if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||
-      !OBJ_nid2cbb(&algorithm, NID_pbes2) ||
+      !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||
+      !CBB_add_bytes(&oid, kPBES2, sizeof(kPBES2)) ||
       !CBB_add_asn1(&algorithm, &param, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1(&param, &kdf, CBS_ASN1_SEQUENCE) ||
-      !OBJ_nid2cbb(&kdf, NID_id_pbkdf2) ||
+      !CBB_add_asn1(&kdf, &kdf_oid, CBS_ASN1_OBJECT) ||
+      !CBB_add_bytes(&kdf_oid, kPBKDF2, sizeof(kPBKDF2)) ||
       !CBB_add_asn1(&kdf, &kdf_param, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1(&kdf_param, &salt_cbb, CBS_ASN1_OCTETSTRING) ||
       !CBB_add_bytes(&salt_cbb, salt, salt_len) ||
       !CBB_add_asn1_uint64(&kdf_param, iterations) ||
-      /* Specify a key length for RC2. */
+      // Specify a key length for RC2.
       (cipher_nid == NID_rc2_cbc &&
        !CBB_add_asn1_uint64(&kdf_param, EVP_CIPHER_key_length(cipher))) ||
-      /* Omit the PRF. We use the default hmacWithSHA1. */
+      // Omit the PRF. We use the default hmacWithSHA1.
       !CBB_add_asn1(&param, &cipher_cbb, CBS_ASN1_SEQUENCE) ||
-      !OBJ_nid2cbb(&cipher_cbb, cipher_nid) ||
-      /* RFC 2898 says RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and
-       * IV, but OpenSSL always uses an OCTET STRING IV, so we do the same. */
+      !add_cipher_oid(&cipher_cbb, cipher_nid) ||
+      // RFC 2898 says RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and
+      // IV, but OpenSSL always uses an OCTET STRING IV, so we do the same.
       !CBB_add_asn1(&cipher_cbb, &iv_cbb, CBS_ASN1_OCTETSTRING) ||
       !CBB_add_bytes(&iv_cbb, iv, EVP_CIPHER_iv_length(cipher)) ||
       !CBB_flush(out)) {
     return 0;
   }
 
-  return pkcs5_pbe2_cipher_init(ctx, cipher, iterations, pass_raw, pass_raw_len,
-                                salt, salt_len, iv,
-                                EVP_CIPHER_iv_length(cipher), 1 /* encrypt */);
+  return pkcs5_pbe2_cipher_init(ctx, cipher, iterations, pass, pass_len, salt,
+                                salt_len, iv, EVP_CIPHER_iv_length(cipher),
+                                1 /* encrypt */);
 }
 
 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
-                            const uint8_t *pass_raw, size_t pass_raw_len,
-                            CBS *param) {
+                            const char *pass, size_t pass_len, CBS *param) {
   CBS pbe_param, kdf, kdf_obj, enc_scheme, enc_obj;
   if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) ||
       CBS_len(param) != 0 ||
@@ -149,20 +220,20 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
     return 0;
   }
 
-  /* Check that the key derivation function is PBKDF2. */
-  if (OBJ_cbs2nid(&kdf_obj) != NID_id_pbkdf2) {
+  // Only PBKDF2 is supported.
+  if (!CBS_mem_equal(&kdf_obj, kPBKDF2, sizeof(kPBKDF2))) {
     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
     return 0;
   }
 
-  /* See if we recognise the encryption algorithm. */
-  const EVP_CIPHER *cipher = EVP_get_cipherbynid(OBJ_cbs2nid(&enc_obj));
+  // See if we recognise the encryption algorithm.
+  const EVP_CIPHER *cipher = cbs_to_cipher(&enc_obj);
   if (cipher == NULL) {
     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER);
     return 0;
   }
 
-  /* Parse the KDF parameters. */
+  // Parse the KDF parameters. See RFC 8018, appendix A.2.
   CBS pbkdf2_params, salt;
   uint64_t iterations;
   if (!CBS_get_asn1(&kdf, &pbkdf2_params, CBS_ASN1_SEQUENCE) ||
@@ -178,8 +249,8 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
     return 0;
   }
 
-  /* The optional keyLength parameter, if present, must match the key length of
-   * the cipher. */
+  // The optional keyLength parameter, if present, must match the key length of
+  // the cipher.
   if (CBS_peek_asn1_tag(&pbkdf2_params, CBS_ASN1_INTEGER)) {
     uint64_t key_len;
     if (!CBS_get_asn1_uint64(&pbkdf2_params, &key_len)) {
@@ -194,25 +265,35 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
   }
 
   if (CBS_len(&pbkdf2_params) != 0) {
-    CBS prf;
-    if (!CBS_get_asn1(&pbkdf2_params, &prf, CBS_ASN1_OBJECT) ||
+    CBS alg_id, prf;
+    if (!CBS_get_asn1(&pbkdf2_params, &alg_id, CBS_ASN1_SEQUENCE) ||
+        !CBS_get_asn1(&alg_id, &prf, CBS_ASN1_OBJECT) ||
         CBS_len(&pbkdf2_params) != 0) {
       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
       return 0;
     }
 
-    /* We only support hmacWithSHA1. It is the DEFAULT, so DER requires it be
-     * omitted, but we match OpenSSL in tolerating it being present. */
-    if (OBJ_cbs2nid(&prf) != NID_hmacWithSHA1) {
+    // We only support hmacWithSHA1. It is the DEFAULT, so DER requires it be
+    // omitted, but we match OpenSSL in tolerating it being present.
+    if (!CBS_mem_equal(&prf, kHMACWithSHA1, sizeof(kHMACWithSHA1))) {
       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRF);
       return 0;
     }
+
+    // hmacWithSHA1 has a NULL parameter.
+    CBS null;
+    if (!CBS_get_asn1(&alg_id, &null, CBS_ASN1_NULL) ||
+        CBS_len(&null) != 0 ||
+        CBS_len(&alg_id) != 0) {
+      OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
+      return 0;
+    }
   }
 
-  /* Parse the encryption scheme parameters. Note OpenSSL does not match the
-   * specification. Per RFC 2898, this should depend on the encryption scheme.
-   * In particular, RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and IV.
-   * We align with OpenSSL. */
+  // Parse the encryption scheme parameters. Note OpenSSL does not match the
+  // specification. Per RFC 2898, this should depend on the encryption scheme.
+  // In particular, RC2-CBC uses a SEQUENCE with version and IV. We align with
+  // OpenSSL.
   CBS iv;
   if (!CBS_get_asn1(&enc_scheme, &iv, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&enc_scheme) != 0) {
@@ -220,7 +301,7 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
     return 0;
   }
 
-  return pkcs5_pbe2_cipher_init(ctx, cipher, (unsigned)iterations, pass_raw,
-                                pass_raw_len, CBS_data(&salt), CBS_len(&salt),
+  return pkcs5_pbe2_cipher_init(ctx, cipher, (unsigned)iterations, pass,
+                                pass_len, CBS_data(&salt), CBS_len(&salt),
                                 CBS_data(&iv), CBS_len(&iv), 0 /* decrypt */);
 }