Adding upstream version 4.2.2.upstream/4.2.2

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 975 insertions, 0 deletions

diff --git a/epan/dissectors/asn1/pkcs12/CMakeLists.txt b/epan/dissectors/asn1/pkcs12/CMakeLists.txt
new file mode 100644
index 00000000..a1dee6cf
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs12/CMakeLists.txt
@@ -0,0 +1,41 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME pkcs12 )
+
+set( PROTO_OPT )
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+	${PROTOCOL_NAME}.asn
+)
+
+set( EXTRA_DIST
+	${ASN_FILE_LIST}
+	packet-${PROTOCOL_NAME}-template.c
+	packet-${PROTOCOL_NAME}-template.h
+	${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+	${EXTRA_DIST}
+	${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+	"${CMAKE_CURRENT_BINARY_DIR}/../x509if/x509if-exp.cnf"
+	"${CMAKE_CURRENT_BINARY_DIR}/../x509af/x509af-exp.cnf"
+	"${CMAKE_CURRENT_BINARY_DIR}/../cms/cms-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/pkcs12/packet-pkcs12-template.c b/epan/dissectors/asn1/pkcs12/packet-pkcs12-template.c
new file mode 100644
index 00000000..faec6b15
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs12/packet-pkcs12-template.c
@@ -0,0 +1,487 @@
+/* packet-pkcs12.c
+ * Routines for PKCS#12: Personal Information Exchange packet dissection
+ * Graeme Lunt 2006
+ *
+ * See "PKCS #12 v1.1: Personal Information Exchange Syntax":
+ *
+ *    http://www.emc.com/emc-plus/rsa-labs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/expert.h>
+#include <epan/oids.h>
+#include <epan/asn1.h>
+#include <epan/prefs.h>
+
+#include "packet-ber.h"
+#include "packet-pkcs12.h"
+#include "packet-x509af.h"
+#include "packet-x509if.h"
+#include "packet-cms.h"
+
+#include <wsutil/wsgcrypt.h>
+
+#define PNAME  "PKCS#12: Personal Information Exchange"
+#define PSNAME "PKCS12"
+#define PFNAME "pkcs12"
+
+#define PKCS12_PBE_ARCFOUR_SHA1_OID     "1.2.840.113549.1.12.1.1"
+#define PKCS12_PBE_3DES_SHA1_OID	"1.2.840.113549.1.12.1.3"
+#define PKCS12_PBE_RC2_40_SHA1_OID	"1.2.840.113549.1.12.1.6"
+
+void proto_register_pkcs12(void);
+void proto_reg_handoff_pkcs12(void);
+
+/* Initialize the protocol and registered fields */
+static int proto_pkcs12 = -1;
+
+static int hf_pkcs12_X509Certificate_PDU = -1;
+static int hf_pkcs12_AuthenticatedSafe_PDU = -1;  /* AuthenticatedSafe */
+static gint ett_decrypted_pbe = -1;
+
+static expert_field ei_pkcs12_octet_string_expected = EI_INIT;
+
+
+static const char *object_identifier_id = NULL;
+static int iteration_count = 0;
+static tvbuff_t *salt = NULL;
+static const char *password = NULL;
+static gboolean try_null_password = FALSE;
+
+static int dissect_AuthenticatedSafe_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data);
+static int dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data);
+static int dissect_PrivateKeyInfo_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data);
+
+#include "packet-pkcs12-hf.c"
+
+/* Initialize the subtree pointers */
+#include "packet-pkcs12-ett.c"
+
+static void append_oid(wmem_allocator_t *pool, proto_tree *tree, const char *oid)
+{
+  	const char *name = NULL;
+
+	name = oid_resolved_from_string(pool, oid);
+	proto_item_append_text(tree, " (%s)", name ? name : oid);
+}
+
+static int
+generate_key_or_iv(packet_info *pinfo, unsigned int id, tvbuff_t *salt_tvb, unsigned int iter,
+		       const char *pw, unsigned int req_keylen, char * keybuf)
+{
+  int rc;
+  unsigned int i, j;
+  gcry_md_hd_t md;
+  gcry_mpi_t num_b1 = NULL;
+  size_t pwlen;
+  char hash[20], buf_b[64], buf_i[128], *p;
+  char *salt_p;
+  int salt_size;
+  size_t cur_keylen;
+  size_t n;
+  gcry_error_t	err;
+
+  cur_keylen = 0;
+
+  salt_size = tvb_captured_length(salt_tvb);
+  salt_p = (char *)tvb_memdup(pinfo->pool, salt_tvb, 0, salt_size);
+
+  if (pw == NULL)
+    pwlen = 0;
+  else
+    pwlen = strlen(pw);
+
+  if (pwlen > 63 / 2)
+    {
+      return FALSE;
+    }
+
+  /* Store salt and password in BUF_I */
+  p = buf_i;
+  for (i = 0; i < 64; i++)
+    *p++ = salt_p[i % salt_size];
+  if (pw)
+    {
+      for (i = j = 0; i < 64; i += 2)
+	{
+	  *p++ = 0;
+	  *p++ = pw[j];
+	  if (++j > pwlen)	/* Note, that we include the trailing zero */
+	    j = 0;
+	}
+    }
+  else
+    memset (p, 0, 64);
+
+  for (;;) {
+      err = gcry_md_open(&md, GCRY_MD_SHA1, 0);
+      if (gcry_err_code(err))
+        {
+          return FALSE;
+        }
+      for (i = 0; i < 64; i++)
+        {
+          unsigned char lid = id & 0xFF;
+          gcry_md_write (md, &lid, 1);
+	}
+
+      gcry_md_write(md, buf_i, pw ? 128 : 64);
+
+      gcry_md_final (md);
+      memcpy (hash, gcry_md_read (md, 0), 20);
+
+      gcry_md_close (md);
+
+      for (i = 1; i < iter; i++)
+        gcry_md_hash_buffer (GCRY_MD_SHA1, hash, hash, 20);
+
+      for (i = 0; i < 20 && cur_keylen < req_keylen; i++)
+        keybuf[cur_keylen++] = hash[i];
+
+      if (cur_keylen == req_keylen)
+      {
+        gcry_mpi_release (num_b1);
+        return TRUE;		/* ready */
+      }
+
+      /* need more bytes. */
+      for (i = 0; i < 64; i++)
+        buf_b[i] = hash[i % 20];
+
+      n = 64;
+
+      rc = gcry_mpi_scan (&num_b1, GCRYMPI_FMT_USG, buf_b, n, &n);
+
+      if (rc != 0)
+        {
+          return FALSE;
+        }
+
+      gcry_mpi_add_ui (num_b1, num_b1, 1);
+
+      for (i = 0; i < 128; i += 64)
+        {
+          gcry_mpi_t num_ij;
+
+          n = 64;
+          rc = gcry_mpi_scan (&num_ij, GCRYMPI_FMT_USG, buf_i + i, n, &n);
+
+          if (rc != 0)
+            {
+              return FALSE;
+            }
+
+          gcry_mpi_add (num_ij, num_ij, num_b1);
+          gcry_mpi_clear_highbit (num_ij, 64 * 8);
+
+          n = 64;
+
+          rc = gcry_mpi_print (GCRYMPI_FMT_USG, buf_i + i, n, &n, num_ij);
+          if (rc != 0)
+            {
+              return FALSE;
+            }
+
+          gcry_mpi_release (num_ij);
+        }
+  }
+}
+
+void PBE_reset_parameters(void)
+{
+	iteration_count = 0;
+	salt = NULL;
+}
+
+int PBE_decrypt_data(const char *object_identifier_id_param _U_, tvbuff_t *encrypted_tvb _U_, packet_info *pinfo _U_, asn1_ctx_t *actx _U_, proto_item *item _U_)
+{
+	const char	*encryption_algorithm;
+	gcry_cipher_hd_t cipher;
+	gcry_error_t	err;
+	int		algo;
+	int		mode;
+	int		ivlen = 0;
+	int		keylen = 0;
+	int		datalen = 0;
+	char		*key = NULL;
+	char		*iv = NULL;
+	char		*clear_data = NULL;
+	tvbuff_t	*clear_tvb = NULL;
+	const gchar     *oidname;
+	GString		*name;
+	proto_tree	*tree;
+	char		byte;
+	gboolean	decrypt_ok = TRUE;
+
+	if(((password == NULL) || (*password == '\0')) && (try_null_password == FALSE)) {
+		/* we are not configured to decrypt */
+		return FALSE;
+	}
+
+	encryption_algorithm = x509af_get_last_algorithm_id();
+
+	/* these are the only encryption schemes we understand for now */
+	if(!strcmp(encryption_algorithm, PKCS12_PBE_3DES_SHA1_OID)) {
+		ivlen = 8;
+		keylen = 24;
+		algo = GCRY_CIPHER_3DES;
+		mode = GCRY_CIPHER_MODE_CBC;
+	} else if(!strcmp(encryption_algorithm, PKCS12_PBE_ARCFOUR_SHA1_OID)) {
+		ivlen = 0;
+		keylen = 16;
+		algo = GCRY_CIPHER_ARCFOUR;
+		mode = GCRY_CIPHER_MODE_NONE;
+	} else if(!strcmp(encryption_algorithm, PKCS12_PBE_RC2_40_SHA1_OID)) {
+		ivlen = 8;
+		keylen = 5;
+		algo = GCRY_CIPHER_RFC2268_40;
+		mode = GCRY_CIPHER_MODE_CBC;
+	} else {
+		/* we don't know how to decrypt this */
+
+		proto_item_append_text(item, " [Unsupported encryption algorithm]");
+		return FALSE;
+	}
+
+	if((iteration_count == 0) || (salt == NULL)) {
+		proto_item_append_text(item, " [Insufficient parameters]");
+		return FALSE;
+	}
+
+	/* allocate buffers */
+	key = (char *)wmem_alloc(pinfo->pool, keylen);
+
+	if(!generate_key_or_iv(pinfo, 1 /*LEY */, salt, iteration_count, password, keylen, key))
+		return FALSE;
+
+	if(ivlen) {
+
+		iv = (char *)wmem_alloc(pinfo->pool, ivlen);
+
+		if(!generate_key_or_iv(pinfo, 2 /* IV */, salt, iteration_count, password, ivlen, iv))
+			return FALSE;
+	}
+
+	/* now try an internal function */
+	err = gcry_cipher_open(&cipher, algo, mode, 0);
+	if (gcry_err_code (err))
+			return FALSE;
+
+	err = gcry_cipher_setkey (cipher, key, keylen);
+	if (gcry_err_code (err)) {
+			gcry_cipher_close (cipher);
+			return FALSE;
+	}
+
+	if(ivlen) {
+		  err = gcry_cipher_setiv (cipher, iv, ivlen);
+		  if (gcry_err_code (err)) {
+			  gcry_cipher_close (cipher);
+			  return FALSE;
+		  }
+	}
+
+	datalen = tvb_captured_length(encrypted_tvb);
+	clear_data = (char *)wmem_alloc(pinfo->pool, datalen);
+
+	err = gcry_cipher_decrypt (cipher, clear_data, datalen, (char *)tvb_memdup(pinfo->pool, encrypted_tvb, 0, datalen), datalen);
+	if (gcry_err_code (err)) {
+
+		proto_item_append_text(item, " [Failed to decrypt with password preference]");
+
+		gcry_cipher_close (cipher);
+		return FALSE;
+	}
+
+	gcry_cipher_close (cipher);
+
+	/* We don't know if we have successfully decrypted the data or not so we:
+		a) check the trailing bytes
+		b) see if we start with a sequence or a set (is this too constraining?
+		*/
+
+	/* first the trailing bytes */
+	byte = clear_data[datalen-1];
+	if(byte <= 0x08) {
+		int i;
+
+		for(i = (int)byte; i > 0 ; i--) {
+			if(clear_data[datalen - i] != byte) {
+				decrypt_ok = FALSE;
+				break;
+			}
+		}
+	} else {
+		/* XXX: is this a failure? */
+	}
+
+	/* we assume the result is ASN.1 - check it is a SET or SEQUENCE */
+	byte = clear_data[0];
+	if((byte != 0x30) && (byte != 0x31)) { /* do we need more here? OCTET STRING? */
+		decrypt_ok = FALSE;
+	}
+
+	if(!decrypt_ok) {
+		proto_item_append_text(item, " [Failed to decrypt with supplied password]");
+
+		return FALSE;
+	}
+
+	proto_item_append_text(item, " [Decrypted successfully]");
+
+	tree = proto_item_add_subtree(item, ett_decrypted_pbe);
+
+	/* OK - so now clear_data contains the decrypted data */
+
+	clear_tvb = tvb_new_child_real_data(encrypted_tvb,(const guint8 *)clear_data, datalen, datalen);
+
+	name = g_string_new("");
+	oidname = oid_resolved_from_string(pinfo->pool, object_identifier_id_param);
+	g_string_printf(name, "Decrypted %s", oidname ? oidname : object_identifier_id_param);
+
+	/* add it as a new source */
+	add_new_data_source(actx->pinfo, clear_tvb, name->str);
+
+	g_string_free(name, TRUE);
+
+	/* now try and decode it */
+	call_ber_oid_callback(object_identifier_id_param, clear_tvb, 0, actx->pinfo, tree, NULL);
+
+	return TRUE;
+}
+
+#include "packet-pkcs12-fn.c"
+
+static int strip_octet_string(tvbuff_t *tvb)
+{
+  gint8 ber_class;
+  bool pc, ind;
+  gint32 tag;
+  guint32 len;
+  int offset = 0;
+
+  /* PKCS#7 encodes the content as OCTET STRING, whereas CMS is just any ANY */
+  /* if we use CMS (rather than PKCS#7) - which we are - we need to strip the OCTET STRING tag */
+  /* before proceeding */
+
+  offset = get_ber_identifier(tvb, 0, &ber_class, &pc, &tag);
+  offset = get_ber_length(tvb, offset, &len, &ind);
+
+  if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_OCTETSTRING))
+    return offset;
+
+  return 0;
+
+}
+
+static int dissect_AuthenticatedSafe_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
+  int offset = 0;
+  asn1_ctx_t asn1_ctx;
+  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+  if((offset = strip_octet_string(tvb)) > 0)
+    dissect_pkcs12_AuthenticatedSafe(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs12_AuthenticatedSafe_PDU);
+  else
+    proto_tree_add_expert(tree, pinfo, &ei_pkcs12_octet_string_expected, tvb, 0, 1);
+  return tvb_captured_length(tvb);
+}
+
+static int dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+  int offset = 0;
+  asn1_ctx_t asn1_ctx;
+  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+  offset = strip_octet_string(tvb);
+
+  dissect_pkcs12_SafeContents(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs12_SafeContents_PDU);
+  return tvb_captured_length(tvb);
+}
+
+static int dissect_X509Certificate_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+  int offset = 0;
+  asn1_ctx_t asn1_ctx;
+  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+  if((offset = strip_octet_string(tvb)) > 0)
+	dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs12_X509Certificate_PDU);
+  else
+	proto_tree_add_expert(tree, pinfo, &ei_pkcs12_octet_string_expected, tvb, 0, 1);
+
+  return tvb_captured_length(tvb);
+}
+
+/*--- proto_register_pkcs12 ----------------------------------------------*/
+void proto_register_pkcs12(void) {
+
+  /* List of fields */
+  static hf_register_info hf[] = {
+    { &hf_pkcs12_X509Certificate_PDU,
+      { "X509Certificate", "pkcs12.X509Certificate",
+        FT_NONE, BASE_NONE, NULL, 0,
+        "pkcs12.X509Certificate", HFILL }},
+    { &hf_pkcs12_AuthenticatedSafe_PDU,
+      { "AuthenticatedSafe", "pkcs12.AuthenticatedSafe",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        NULL, HFILL }},
+
+#include "packet-pkcs12-hfarr.c"
+  };
+
+  /* List of subtrees */
+  static gint *ett[] = {
+	  &ett_decrypted_pbe,
+#include "packet-pkcs12-ettarr.c"
+  };
+  static ei_register_info ei[] = {
+      { &ei_pkcs12_octet_string_expected, { "pkcs12.octet_string_expected", PI_PROTOCOL, PI_WARN, "BER Error: OCTET STRING expected", EXPFILL }},
+  };
+
+  module_t *pkcs12_module;
+  expert_module_t* expert_pkcs12;
+
+  /* Register protocol */
+  proto_pkcs12 = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+  /* Register fields and subtrees */
+  proto_register_field_array(proto_pkcs12, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+  expert_pkcs12 = expert_register_protocol(proto_pkcs12);
+  expert_register_field_array(expert_pkcs12, ei, array_length(ei));
+
+  /* Register preferences */
+  pkcs12_module = prefs_register_protocol(proto_pkcs12, NULL);
+
+  prefs_register_string_preference(pkcs12_module, "password",
+	"Password to decrypt the file with",
+	"The password to used to decrypt the encrypted elements within"
+	" the PKCS#12 file", &password);
+
+  prefs_register_bool_preference(pkcs12_module, "try_null_password",
+	"Try to decrypt with a empty password",
+	"Whether to try and decrypt the encrypted data within the"
+	" PKCS#12 with a NULL password", &try_null_password);
+
+  register_ber_syntax_dissector("PKCS#12", proto_pkcs12, dissect_PFX_PDU);
+  register_ber_oid_syntax(".p12", NULL, "PKCS#12");
+  register_ber_oid_syntax(".pfx", NULL, "PKCS#12");
+}
+
+
+/*--- proto_reg_handoff_pkcs12 -------------------------------------------*/
+void proto_reg_handoff_pkcs12(void) {
+#include "packet-pkcs12-dis-tab.c"
+
+	register_ber_oid_dissector("1.2.840.113549.1.9.22.1", dissect_X509Certificate_OCTETSTRING_PDU, proto_pkcs12, "x509Certificate");
+
+}
+
diff --git a/epan/dissectors/asn1/pkcs12/packet-pkcs12-template.h b/epan/dissectors/asn1/pkcs12/packet-pkcs12-template.h
new file mode 100644
index 00000000..269f3ac6
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs12/packet-pkcs12-template.h
@@ -0,0 +1,19 @@
+/* packet-pkcs12.h
+ * Routines for PKCS#12 Personal Information Exchange packet dissection
+ * Graeme Lunt 2006
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_PKCS12_H
+#define PACKET_PKCS12_H
+
+void PBE_reset_parameters(void);
+int PBE_decrypt_data(const char *object_identifier_id, tvbuff_t *encrypted_tvb, packet_info *pinfo, asn1_ctx_t *actx, proto_item *item);
+
+#endif  /* PACKET_PKCS12_H */
+
diff --git a/epan/dissectors/asn1/pkcs12/pkcs12.asn b/epan/dissectors/asn1/pkcs12/pkcs12.asn
new file mode 100644
index 00000000..1bbf2a14
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs12/pkcs12.asn
@@ -0,0 +1,269 @@
+PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+                 pkcs-12(12) modules(0)  pkcs-12(1)}
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL
+-- All types and values defined in this module is exported for use in
+-- other ASN.1 modules. 
+
+IMPORTS
+
+informationFramework
+        FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
+        usefulDefinitions(0) 3}
+
+Attribute
+	FROM InformationFramework informationFramework
+
+ContentInfo, DigestInfo, Digest, DigestAlgorithmIdentifier
+	FROM PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549)
+	pkcs(1) pkcs-7(7) modules(0) pkcs-7(1)}
+
+--PrivateKeyInfo, EncryptedPrivateKeyInfo
+--	FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
+--	pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
+--
+--pkcs-9, friendlyName, localKeyId, certTypes, crlTypes
+--	FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549)
+--	pkcs(1) pkcs-9(9) modules(0) pkcs-9(1) };--
+
+-- A PKCS#8 IMPORT from below
+AlgorithmIdentifier, ALGORITHM-IDENTIFIER
+        FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
+        pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)};
+
+
+-- Object identifiers
+
+--rsadsi	OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549)}
+--pkcs    OBJECT IDENTIFIER ::= {rsadsi pkcs(1)}
+--pkcs-12	OBJECT IDENTIFIER ::= {pkcs 12}
+--pkcs-12PbeIds                  	OBJECT IDENTIFIER ::= {pkcs-12 1}
+--pbeWithSHAAnd128BitRC4          OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1}
+--pbeWithSHAAnd40BitRC4           OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2}
+--pbeWithSHAAnd3-KeyTripleDES-CBC	OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3}
+--pbeWithSHAAnd2-KeyTripleDES-CBC	OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4}
+--pbeWithSHAAnd128BitRC2-CBC      OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5}
+--pbewithSHAAnd40BitRC2-CBC       OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6}
+
+--bagtypes			OBJECT IDENTIFIER ::= {pkcs-12 10 1}
+
+-- The PFX PDU
+
+PFX ::= SEQUENCE {
+    	version		INTEGER {v3(3)}(v3,...),
+    	authSafe	ContentInfo,
+    	macData    	MacData OPTIONAL
+}
+
+MacData ::= SEQUENCE {
+    	mac 		DigestInfo,
+	macSalt	        OCTET STRING,
+	iterations	INTEGER DEFAULT 1
+-- Note: The default is for historical reasons and its use is
+-- deprecated. A higher value, like 1024 is recommended.
+}
+
+AuthenticatedSafe ::= SEQUENCE OF ContentInfo
+	-- Data if unencrypted
+	-- EncryptedData if password-encrypted
+	-- EnvelopedData if public key-encrypted
+
+SafeContents ::= SEQUENCE OF SafeBag
+
+SafeBag ::= SEQUENCE {
+  	bagId	      	-- BAG-TYPE.&id ({PKCS12BagSet}) -- OBJECT IDENTIFIER,
+  	bagValue      	[0] EXPLICIT --BAG-TYPE.&Type({PKCS12BagSet}{@bagId}) -- ANY,
+  	bagAttributes 	SET OF PKCS12Attribute OPTIONAL
+}
+
+-- Bag types
+
+--keyBag 	  BAG-TYPE ::= 
+--	{KeyBag IDENTIFIED BY {bagtypes 1}}
+--pkcs8ShroudedKeyBag BAG-TYPE ::=
+--	{PKCS8ShroudedKeyBag IDENTIFIED BY {bagtypes 2}}
+--certBag BAG-TYPE ::= 
+--	{CertBag IDENTIFIED BY {bagtypes 3}}
+--crlBag BAG-TYPE ::=
+--	{CRLBag IDENTIFIED BY {bagtypes 4}}
+--secretBag BAG-TYPE ::=    
+--	{SecretBag IDENTIFIED BY {bagtypes 5}}
+--safeContentsBag BAG-TYPE ::=
+--	{SafeContents IDENTIFIED BY {bagtypes 6}}
+
+--PKCS12BagSet BAG-TYPE ::= {
+--	keyBag | 
+--	pkcs8ShroudedKeyBag |
+--	certBag |
+--	crlBag | 
+--	secretBag | 
+--	safeContentsBag,
+--	... - - For future extensions
+--}
+
+--BAG-TYPE ::= TYPE-IDENTIFIER
+
+-- KeyBag
+
+KeyBag ::= PrivateKeyInfo
+
+-- Shrouded KeyBag
+
+PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
+
+-- CertBag
+
+CertBag ::= SEQUENCE {
+	certId    --BAG-TYPE.&id   ({CertTypes}) -- OBJECT IDENTIFIER,
+	certValue [0] EXPLICIT --BAG-TYPE.&Type ({CertTypes}{@certId})-- ANY
+}
+
+--x509Certificate BAG-TYPE ::=
+--	{OCTET STRING IDENTIFIED BY {certTypes 1}}
+	-- DER-encoded X.509 certificate stored in OCTET STRING
+--sdsiCertificate BAG-TYPE ::=
+--	{IA5String IDENTIFIED BY {certTypes 2}}
+	-- Base64-encoded SDSI certificate stored in IA5String
+
+--CertTypes BAG-TYPE ::= {
+--	x509Certificate |
+--	sdsiCertificate,
+--	... - - For future extensions
+--}
+
+-- CRLBag
+
+CRLBag ::= SEQUENCE {
+	crlId     	--BAG-TYPE.&id ({CRLTypes})-- OBJECT IDENTIFIER,
+	crlValue 	[0] EXPLICIT --BAG-TYPE.&Type ({CRLTypes}{@crlId})-- ANY
+}
+
+--x509CRL BAG-TYPE ::=
+--	{OCTET STRING IDENTIFIED BY {crlTypes 1}}
+	-- DER-encoded X.509 CRL stored in OCTET STRING
+
+--CRLTypes BAG-TYPE ::= {
+--	x509CRL,
+--	... - - For future extensions
+--}
+
+-- Secret Bag
+
+SecretBag ::= SEQUENCE {
+	secretTypeId --BAG-TYPE.&id ({SecretTypes})-- OBJECT IDENTIFIER,
+	secretValue  [0] EXPLICIT --BAG-TYPE.&Type ({SecretTypes}{@secretTypeId})-- ANY
+}
+
+--SecretTypes BAG-TYPE ::= {
+--	... - - For future extensions
+--}
+
+-- Attributes
+
+PKCS12Attribute ::= SEQUENCE {
+	attrId	   	--ATTRIBUTE.&id ({PKCS12AttrSet})-- OBJECT IDENTIFIER,
+	attrValues 	SET OF --ATTRIBUTE.&Type ({PKCS12AttrSet}{@attrId})-- ANY
+} -- This type is compatible with the X.500 type 'Attribute'
+
+--PKCS12AttrSet ATTRIBUTE ::= {
+--	friendlyName |
+--	localKeyId,
+--	... - - Other attributes are allowed
+--}
+
+--END
+
+-- We import PKCS#8 here directly rather than creating another dissector
+
+--PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-8(8)
+--        modules(1) pkcs-8(1)} 
+
+-- $Revision: 1.5 $
+
+-- This module has been checked for conformance with the ASN.1
+-- standard by the OSS ASN.1 Tools
+
+--DEFINITIONS IMPLICIT TAGS ::= 
+
+--BEGIN
+
+-- EXPORTS All --
+-- All types and values defined in this module is exported for use in other
+-- ASN.1 modules.
+
+--IMPORTS
+
+--informationFramework
+--        FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
+--                                usefulDefinitions(0) 3} 
+
+--Attribute
+--        FROM InformationFramework informationFramework
+
+--AlgorithmIdentifier, ALGORITHM-IDENTIFIER
+--        FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
+--        pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)};
+
+-- Private-key information syntax
+
+PrivateKeyInfo ::= SEQUENCE {
+  version Version,
+  privateKeyAlgorithm AlgorithmIdentifier --{{PrivateKeyAlgorithms}}--,
+  privateKey PrivateKey,
+  attributes [0] Attributes OPTIONAL }
+
+Version ::= INTEGER {v1(0)} (v1,...)
+
+PrivateKey ::= OCTET STRING
+
+Attributes ::= SET OF Attribute
+
+-- Encrypted private-key information syntax
+
+EncryptedPrivateKeyInfo ::= SEQUENCE {
+    encryptionAlgorithm AlgorithmIdentifier --{{KeyEncryptionAlgorithms}}--,
+    encryptedData EncryptedData 
+}
+
+EncryptedData ::= OCTET STRING
+
+--PrivateKeyAlgorithms ALGORITHM-IDENTIFIER ::= {
+--    ... - - For local profiles
+--}
+
+--KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
+--    ... - - For local profiles
+--}
+
+-- From RFC 2898
+PBEParameter ::= SEQUENCE {
+    salt		OCTET STRING,
+    iterationCount 	INTEGER
+}
+
+
+PBKDF2Params ::= SEQUENCE {
+    salt CHOICE {
+        specified OCTET STRING,
+	otherSource AlgorithmIdentifier --{{PBKDF2-SaltSources}}--
+	},
+    iterationCount INTEGER --(1..MAX)--,
+    keyLength INTEGER (1..MAX) OPTIONAL,
+    prf AlgorithmIdentifier --{{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1-- OPTIONAL }
+
+PBES2Params ::= SEQUENCE {
+    keyDerivationFunc AlgorithmIdentifier --{{PBES2-KDFs}}--,
+    encryptionScheme AlgorithmIdentifier --{{PBES2-Encs}}-- }
+
+PBMAC1Params ::=  SEQUENCE {
+    keyDerivationFunc AlgorithmIdentifier --{{PBMAC1-KDFs}}--,
+    messageAuthScheme AlgorithmIdentifier --{{PBMAC1-MACs}}-- }
+
+
+END
+
+
diff --git a/epan/dissectors/asn1/pkcs12/pkcs12.cnf b/epan/dissectors/asn1/pkcs12/pkcs12.cnf
new file mode 100644
index 00000000..aa078a22
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs12/pkcs12.cnf
@@ -0,0 +1,159 @@
+# pkcs12.cnf
+# PKCS12 conformation file
+
+#.MODULE_IMPORT
+PKCS-7	cms
+PKCS-5	x509af
+
+#.IMPORT ../cms/cms-exp.cnf
+#.IMPORT ../x509if/x509if-exp.cnf
+#.IMPORT ../x509af/x509af-exp.cnf
+
+#.EXPORTS
+
+#.REGISTER
+KeyBag				B "1.2.840.113549.1.12.10.1.1"	"keyBag"
+PKCS8ShroudedKeyBag	B "1.2.840.113549.1.12.10.1.2"	"pkcs8ShroudedKeyBag"
+CertBag				B "1.2.840.113549.1.12.10.1.3"	"certBag"
+SecretBag			B "1.2.840.113549.1.12.10.1.4"	"secretBag"
+CRLBag				B "1.2.840.113549.1.12.10.1.5"	"crlBag"
+SafeContents		B "1.2.840.113549.1.12.10.1.6"	"safeContentsBag"
+
+# PKCS#9 Attributes - see master list in x509sat.cnf
+PFX			B "2.16.840.1.113730.3.1.216"   "pkcs-9-at-PKCS12"
+EncryptedPrivateKeyInfo	B "1.2.840.113549.1.9.25.2"	"pkcs-9-at-encryptedPrivateKeyInfo"
+
+# Password Based Encryption
+PBEParameter		B "1.2.840.113549.1.12.1.1" "pbeWithSHAAnd128BitRC4"
+PBEParameter		B "1.2.840.113549.1.12.1.2" "pbeWithSHAAnd40BitRC4"
+PBEParameter		B "1.2.840.113549.1.12.1.3" "pbeWithSHAAnd3-KeyTripleDES-CBC"
+PBEParameter		B "1.2.840.113549.1.12.1.4" "pbeWithSHAAnd2-KeyTripleDES-CBC"
+PBEParameter		B "1.2.840.113549.1.12.1.5" "pbeWithSHAAnd128BitRC2-CBC"
+PBEParameter		B "1.2.840.113549.1.12.1.6" "pbeWithSHAAnd40BitRC2-CBC"
+
+PBEParameter		B "1.2.840.113549.1.5.1" "pbeWithMD2AndDES-CBC"
+PBEParameter		B "1.2.840.113549.1.5.3" "pbeWithMD5AndDES-CBC"
+PBEParameter		B "1.2.840.113549.1.5.4" "pbeWithMD2AndRC2-CBC"
+PBEParameter		B "1.2.840.113549.1.5.6" "pbeWithMD5AndRC2-CBC"
+PBEParameter		B "1.2.840.113549.1.5.10" "pbeWithSHA1AndDES-CBC"
+PBEParameter		B "1.2.840.113549.1.5.11" "pbeWithSHA1AndRC2-CBC"
+
+PBKDF2Params		B "1.2.840.113549.1.5.12" "id-PBKDF2"
+PBES2Params			B "1.2.840.113549.1.5.13" "id-PBES2"
+PBMAC1Params		B "1.2.840.113549.1.5.14" "id-PBMAC1"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+PrivateKeyInfo/version		privateKeyVersion
+PBKDF2Params/salt		saltChoice
+
+#.PDU
+#AuthenticatedSafe
+PrivateKeyInfo
+
+#.FN_BODY PFX
+	dissector_handle_t dissector_handle;
+
+	/* we change the CMS id-data dissector to dissect as AuthenticatedSafe
+	   not sure why PKCS#12 couldn't have used its own content type OID for AuthenticatedSafe */
+	dissector_handle=create_dissector_handle(dissect_AuthenticatedSafe_OCTETSTRING_PDU, proto_pkcs12);
+	dissector_change_string("ber.oid", "1.2.840.113549.1.7.1", dissector_handle);
+
+	%(DEFAULT_BODY)s
+
+	/* restore the original dissector */
+	dissector_reset_string("ber.oid", "1.2.840.113549.1.7.1");
+
+#.FN_BODY AuthenticatedSafe
+	dissector_handle_t dissector_handle;
+
+	/* we change the CMS id-data dissector to dissect as SafeContents */
+	dissector_handle=create_dissector_handle(dissect_SafeContents_OCTETSTRING_PDU, proto_pkcs12);
+	dissector_change_string("ber.oid", "1.2.840.113549.1.7.1", dissector_handle);
+
+	%(DEFAULT_BODY)s
+
+	/* restore the original dissector */
+	dissector_reset_string("ber.oid", "1.2.840.113549.1.7.1");
+
+#.FN_PARS SafeBag/bagId 	FN_VARIANT = _str VAL_PTR = &object_identifier_id
+#.FN_FTR SafeBag/bagId
+  append_oid(actx->pinfo->pool, tree, object_identifier_id);
+#.END
+
+#.FN_PARS CertBag/certId 	FN_VARIANT = _str VAL_PTR = &object_identifier_id
+#.FN_FTR CertBag/certId
+  append_oid(actx->pinfo->pool, tree, object_identifier_id);
+#.END
+
+#.FN_PARS CRLBag/crlId 	FN_VARIANT = _str VAL_PTR = &object_identifier_id
+#.FN_FTR CRLBag/crlId
+  append_oid(actx->pinfo->pool, tree, object_identifier_id);
+#.END
+
+#.FN_PARS SecretBag/secretTypeId 	FN_VARIANT = _str VAL_PTR = &object_identifier_id
+#.FN_FTR SecretBag/secretTypeId
+  append_oid(actx->pinfo->pool, tree, object_identifier_id);
+#.END
+
+#.FN_PARS PKCS12Attribute/attrId 	FN_VARIANT = _str VAL_PTR = &object_identifier_id
+#.FN_FTR PKCS12Attribute/attrId
+  append_oid(actx->pinfo->pool, tree, object_identifier_id);
+#.END
+
+#.FN_BODY SafeBag/bagValue
+	if(object_identifier_id)
+		offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_BODY PKCS12Attribute/attrValues/_item
+	if(object_identifier_id)
+		offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_BODY CertBag/certValue
+	if(object_identifier_id)
+		offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_BODY CRLBag/crlValue
+	if(object_identifier_id)
+		offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_BODY SecretBag/secretValue
+	if(object_identifier_id)
+		offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_HDR PBEParameter
+	/* initialise the encryption parameters */
+	PBE_reset_parameters();
+
+#.END
+
+#.FN_PARS OCTET_STRING VAL_PTR = (hf_index == hf_pkcs12_salt ? &salt : NULL)
+#.FN_PARS INTEGER VAL_PTR = (hf_index == hf_pkcs12_iterationCount ? &iteration_count : NULL)
+
+#.FN_PARS EncryptedData VAL_PTR = &encrypted_tvb
+
+#.FN_HDR EncryptedData
+	tvbuff_t *encrypted_tvb;
+	dissector_handle_t dissector_handle;
+
+#.END
+
+#.FN_FTR EncryptedData
+
+
+
+	dissector_handle=create_dissector_handle(dissect_PrivateKeyInfo_PDU, proto_pkcs12);
+	dissector_change_string("ber.oid", object_identifier_id, dissector_handle);
+
+	PBE_decrypt_data(object_identifier_id, encrypted_tvb, actx->pinfo, actx, actx->created_item);
+
+	/* restore the original dissector */
+	dissector_reset_string("ber.oid", object_identifier_id);
+
+#.END
+
+
+