2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/provider.h>
13 #include <openssl/evp.h>
14 #include <openssl/ui.h>
15 #include <openssl/decoder.h>
16 #include <openssl/safestack.h>
17 #include <openssl/trace.h>
18 #include "crypto/evp.h"
19 #include "crypto/decoder.h"
20 #include "encoder_local.h"
21 #include "e_os.h" /* strcasecmp on Windows */
23 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX
*ctx
,
24 const unsigned char *kstr
,
27 return ossl_pw_set_passphrase(&ctx
->pwdata
, kstr
, klen
);
30 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX
*ctx
,
31 const UI_METHOD
*ui_method
,
34 return ossl_pw_set_ui_method(&ctx
->pwdata
, ui_method
, ui_data
);
37 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX
*ctx
,
38 pem_password_cb
*cb
, void *cbarg
)
40 return ossl_pw_set_pem_password_cb(&ctx
->pwdata
, cb
, cbarg
);
43 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX
*ctx
,
44 OSSL_PASSPHRASE_CALLBACK
*cb
,
47 return ossl_pw_set_ossl_passphrase_cb(&ctx
->pwdata
, cb
, cbarg
);
51 * Support for OSSL_DECODER_CTX_new_for_pkey:
52 * The construct data, and collecting keymgmt information for it
55 DEFINE_STACK_OF(EVP_KEYMGMT
)
57 struct decoder_pkey_data_st
{
62 STACK_OF(EVP_KEYMGMT
) *keymgmts
;
63 char *object_type
; /* recorded object data type, may be NULL */
64 void **object
; /* Where the result should end up */
67 static int decoder_construct_pkey(OSSL_DECODER_INSTANCE
*decoder_inst
,
68 const OSSL_PARAM
*params
,
71 struct decoder_pkey_data_st
*data
= construct_data
;
72 OSSL_DECODER
*decoder
= OSSL_DECODER_INSTANCE_get_decoder(decoder_inst
);
73 void *decoderctx
= OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst
);
74 const OSSL_PROVIDER
*decoder_prov
= OSSL_DECODER_get0_provider(decoder
);
75 EVP_KEYMGMT
*keymgmt
= NULL
;
76 const OSSL_PROVIDER
*keymgmt_prov
= NULL
;
79 * |object_ref| points to a provider reference to an object, its exact
80 * contents entirely opaque to us, but may be passed to any provider
81 * function that expects this (such as OSSL_FUNC_keymgmt_load().
83 * This pointer is considered volatile, i.e. whatever it points at
84 * is assumed to be freed as soon as this function returns.
86 void *object_ref
= NULL
;
87 size_t object_ref_sz
= 0;
90 p
= OSSL_PARAM_locate_const(params
, OSSL_OBJECT_PARAM_DATA_TYPE
);
92 char *object_type
= NULL
;
94 if (!OSSL_PARAM_get_utf8_string(p
, &object_type
, 0))
96 OPENSSL_free(data
->object_type
);
97 data
->object_type
= object_type
;
101 * For stuff that should end up in an EVP_PKEY, we only accept an object
102 * reference for the moment. This enforces that the key data itself
103 * remains with the provider.
105 p
= OSSL_PARAM_locate_const(params
, OSSL_OBJECT_PARAM_REFERENCE
);
106 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_OCTET_STRING
)
108 object_ref
= p
->data
;
109 object_ref_sz
= p
->data_size
;
112 * First, we try to find a keymgmt that comes from the same provider as
113 * the decoder that passed the params.
115 end
= sk_EVP_KEYMGMT_num(data
->keymgmts
);
116 for (i
= 0; i
< end
; i
++) {
117 keymgmt
= sk_EVP_KEYMGMT_value(data
->keymgmts
, i
);
118 keymgmt_prov
= EVP_KEYMGMT_get0_provider(keymgmt
);
120 if (keymgmt_prov
== decoder_prov
121 && evp_keymgmt_has_load(keymgmt
)
122 && EVP_KEYMGMT_is_a(keymgmt
, data
->object_type
))
126 /* To allow it to be freed further down */
127 if (!EVP_KEYMGMT_up_ref(keymgmt
))
129 } else if ((keymgmt
= EVP_KEYMGMT_fetch(data
->libctx
,
131 data
->propq
)) != NULL
) {
132 keymgmt_prov
= EVP_KEYMGMT_get0_provider(keymgmt
);
135 if (keymgmt
!= NULL
) {
136 EVP_PKEY
*pkey
= NULL
;
137 void *keydata
= NULL
;
140 * If the EVP_KEYMGMT and the OSSL_DECODER are from the
141 * same provider, we assume that the KEYMGMT has a key loading
142 * function that can handle the provider reference we hold.
144 * Otherwise, we export from the decoder and import the
145 * result in the keymgmt.
147 if (keymgmt_prov
== decoder_prov
) {
148 keydata
= evp_keymgmt_load(keymgmt
, object_ref
, object_ref_sz
);
150 struct evp_keymgmt_util_try_import_data_st import_data
;
152 import_data
.keymgmt
= keymgmt
;
153 import_data
.keydata
= NULL
;
154 import_data
.selection
= data
->selection
;
157 * No need to check for errors here, the value of
158 * |import_data.keydata| is as much an indicator.
160 (void)decoder
->export_object(decoderctx
,
161 object_ref
, object_ref_sz
,
162 &evp_keymgmt_util_try_import
,
164 keydata
= import_data
.keydata
;
165 import_data
.keydata
= NULL
;
169 && (pkey
= evp_keymgmt_util_make_pkey(keymgmt
, keydata
)) == NULL
)
170 evp_keymgmt_freedata(keymgmt
, keydata
);
172 *data
->object
= pkey
;
175 * evp_keymgmt_util_make_pkey() increments the reference count when
176 * assigning the EVP_PKEY, so we can free the keymgmt here.
178 EVP_KEYMGMT_free(keymgmt
);
181 * We successfully looked through, |*ctx->object| determines if we
182 * actually found something.
184 return (*data
->object
!= NULL
);
187 static void decoder_clean_pkey_construct_arg(void *construct_data
)
189 struct decoder_pkey_data_st
*data
= construct_data
;
192 sk_EVP_KEYMGMT_pop_free(data
->keymgmts
, EVP_KEYMGMT_free
);
193 OPENSSL_free(data
->propq
);
194 OPENSSL_free(data
->object_type
);
199 static void collect_name(const char *name
, void *arg
)
201 STACK_OF(OPENSSL_CSTRING
) *names
= arg
;
203 sk_OPENSSL_CSTRING_push(names
, name
);
206 static void collect_keymgmt(EVP_KEYMGMT
*keymgmt
, void *arg
)
208 STACK_OF(EVP_KEYMGMT
) *keymgmts
= arg
;
210 if (!EVP_KEYMGMT_up_ref(keymgmt
) /* ref++ */)
212 if (sk_EVP_KEYMGMT_push(keymgmts
, keymgmt
) <= 0) {
213 EVP_KEYMGMT_free(keymgmt
); /* ref-- */
219 * The input structure check is only done on the initial decoder
222 static int decoder_check_input_structure(OSSL_DECODER_CTX
*ctx
,
223 OSSL_DECODER_INSTANCE
*di
)
225 int di_is_was_set
= 0;
227 OSSL_DECODER_INSTANCE_get_input_structure(di
, &di_is_was_set
);
230 * If caller didn't give an input structure name, the decoder is accepted
231 * unconditionally with regards to the input structure.
233 if (ctx
->input_structure
== NULL
)
236 * If the caller did give an input structure name, the decoder must have
237 * a matching input structure to be accepted.
239 if (di_is
!= NULL
&& strcasecmp(ctx
->input_structure
, di_is
) == 0)
244 struct collect_decoder_data_st
{
245 STACK_OF(OPENSSL_CSTRING
) *names
;
246 OSSL_DECODER_CTX
*ctx
;
249 unsigned int error_occurred
:1;
252 static void collect_decoder(OSSL_DECODER
*decoder
, void *arg
)
254 struct collect_decoder_data_st
*data
= arg
;
256 const OSSL_PROVIDER
*prov
= OSSL_DECODER_get0_provider(decoder
);
257 void *provctx
= OSSL_PROVIDER_get0_provider_ctx(prov
);
259 if (data
->error_occurred
)
262 if (data
->names
== NULL
) {
263 data
->error_occurred
= 1;
268 * Either the caller didn't give a selection, or if they did,
269 * the decoder must tell us if it supports that selection to
270 * be accepted. If the decoder doesn't have |does_selection|,
271 * it's seen as taking anything.
273 if (decoder
->does_selection
!= NULL
274 && !decoder
->does_selection(provctx
, data
->ctx
->selection
))
277 OSSL_TRACE_BEGIN(DECODER
) {
279 "(ctx %p) Checking out decoder %p:\n"
281 (void *)data
->ctx
, (void *)decoder
,
282 OSSL_DECODER_get0_name(decoder
),
283 OSSL_DECODER_get0_properties(decoder
));
284 } OSSL_TRACE_END(DECODER
);
286 end_i
= sk_OPENSSL_CSTRING_num(data
->names
);
287 for (i
= 0; i
< end_i
; i
++) {
288 const char *name
= sk_OPENSSL_CSTRING_value(data
->names
, i
);
290 if (OSSL_DECODER_is_a(decoder
, name
)) {
291 void *decoderctx
= NULL
;
292 OSSL_DECODER_INSTANCE
*di
= NULL
;
294 if ((decoderctx
= decoder
->newctx(provctx
)) == NULL
) {
295 data
->error_occurred
= 1;
298 if ((di
= ossl_decoder_instance_new(decoder
, decoderctx
)) == NULL
) {
299 decoder
->freectx(decoderctx
);
300 data
->error_occurred
= 1;
304 OSSL_TRACE_BEGIN(DECODER
) {
306 "(ctx %p) Checking out decoder %p:\n"
308 (void *)data
->ctx
, (void *)decoder
,
309 OSSL_DECODER_get0_name(decoder
),
310 OSSL_DECODER_get0_properties(decoder
));
311 } OSSL_TRACE_END(DECODER
);
313 if (!decoder_check_input_structure(data
->ctx
, di
)) {
314 OSSL_TRACE_BEGIN(DECODER
) {
316 " REJECTED: not the desired input structure\n");
317 } OSSL_TRACE_END(DECODER
);
318 ossl_decoder_instance_free(di
);
319 /* Not a fatal error. Just return */
322 if (!ossl_decoder_ctx_add_decoder_inst(data
->ctx
, di
)) {
323 ossl_decoder_instance_free(di
);
324 data
->error_occurred
= 1;
334 /* Decoder not suitable - but not a fatal error */
335 data
->error_occurred
= 0;
338 int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX
*ctx
,
339 EVP_PKEY
**pkey
, const char *keytype
,
340 OSSL_LIB_CTX
*libctx
,
341 const char *propquery
)
343 struct decoder_pkey_data_st
*process_data
= NULL
;
344 STACK_OF(OPENSSL_CSTRING
) *names
= NULL
;
345 const char *input_type
= ctx
->start_input_type
;
346 const char *input_structure
= ctx
->input_structure
;
352 && (strcmp(keytype
, "id-ecPublicKey") == 0
353 || strcmp(keytype
, "1.2.840.10045.2.1") == 0))
356 OSSL_TRACE_BEGIN(DECODER
) {
358 "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n",
360 keytype
!= NULL
? keytype
: "",
361 keytype
!= NULL
? " keys" : "keys of any type",
362 input_type
!= NULL
? " from " : "",
363 input_type
!= NULL
? input_type
: "",
364 input_structure
!= NULL
? " with " : "",
365 input_structure
!= NULL
? input_structure
: "");
366 } OSSL_TRACE_END(DECODER
);
368 if ((process_data
= OPENSSL_zalloc(sizeof(*process_data
))) == NULL
369 || (propquery
!= NULL
370 && (process_data
->propq
= OPENSSL_strdup(propquery
)) == NULL
)
371 || (process_data
->keymgmts
= sk_EVP_KEYMGMT_new_null()) == NULL
372 || (names
= sk_OPENSSL_CSTRING_new_null()) == NULL
) {
373 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
377 process_data
->object
= (void **)pkey
;
378 process_data
->libctx
= libctx
;
379 process_data
->selection
= ctx
->selection
;
381 /* First, find all keymgmts to form goals */
382 EVP_KEYMGMT_do_all_provided(libctx
, collect_keymgmt
,
383 process_data
->keymgmts
);
385 /* Then, we collect all the keymgmt names */
386 end
= sk_EVP_KEYMGMT_num(process_data
->keymgmts
);
387 for (i
= 0; i
< end
; i
++) {
388 EVP_KEYMGMT
*keymgmt
= sk_EVP_KEYMGMT_value(process_data
->keymgmts
, i
);
391 * If the key type is given by the caller, we only use the matching
392 * KEYMGMTs, otherwise we use them all.
393 * We have to special case SM2 here because of its abuse of the EC OID.
394 * The EC OID can be used to identify an EC key or an SM2 key - so if
395 * we have seen that OID we try both key types
398 || EVP_KEYMGMT_is_a(keymgmt
, keytype
)
399 || (isecoid
&& EVP_KEYMGMT_is_a(keymgmt
, "SM2"))) {
400 if (!EVP_KEYMGMT_names_do_all(keymgmt
, collect_name
, names
)) {
401 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_INTERNAL_ERROR
);
407 OSSL_TRACE_BEGIN(DECODER
) {
408 end
= sk_OPENSSL_CSTRING_num(names
);
410 " Found %d keytypes (possibly with duplicates)",
412 for (i
= 0; i
< end
; i
++)
413 BIO_printf(trc_out
, "%s%s",
414 i
== 0 ? ": " : ", ",
415 sk_OPENSSL_CSTRING_value(names
, i
));
416 BIO_printf(trc_out
, "\n");
417 } OSSL_TRACE_END(DECODER
);
420 * Finally, find all decoders that have any keymgmt of the collected
424 struct collect_decoder_data_st collect_decoder_data
= { NULL
, };
426 collect_decoder_data
.names
= names
;
427 collect_decoder_data
.ctx
= ctx
;
428 OSSL_DECODER_do_all_provided(libctx
,
429 collect_decoder
, &collect_decoder_data
);
430 sk_OPENSSL_CSTRING_free(names
);
433 if (collect_decoder_data
.error_occurred
)
436 OSSL_TRACE_BEGIN(DECODER
) {
438 "(ctx %p) Got %d decoders producing keys\n",
439 (void *)ctx
, collect_decoder_data
.total
);
440 } OSSL_TRACE_END(DECODER
);
443 if (OSSL_DECODER_CTX_get_num_decoders(ctx
) != 0) {
444 if (!OSSL_DECODER_CTX_set_construct(ctx
, decoder_construct_pkey
)
445 || !OSSL_DECODER_CTX_set_construct_data(ctx
, process_data
)
446 || !OSSL_DECODER_CTX_set_cleanup(ctx
,
447 decoder_clean_pkey_construct_arg
))
450 process_data
= NULL
; /* Avoid it being freed */
455 decoder_clean_pkey_construct_arg(process_data
);
456 sk_OPENSSL_CSTRING_free(names
);
462 OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY
**pkey
,
463 const char *input_type
,
464 const char *input_structure
,
465 const char *keytype
, int selection
,
466 OSSL_LIB_CTX
*libctx
, const char *propquery
)
468 OSSL_DECODER_CTX
*ctx
= NULL
;
470 if ((ctx
= OSSL_DECODER_CTX_new()) == NULL
) {
471 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
475 OSSL_TRACE_BEGIN(DECODER
) {
477 "(ctx %p) Looking for %s decoders with selection %d\n",
478 (void *)ctx
, keytype
, selection
);
479 BIO_printf(trc_out
, " input type: %s, input structure: %s\n",
480 input_type
, input_structure
);
481 } OSSL_TRACE_END(DECODER
);
483 if (OSSL_DECODER_CTX_set_input_type(ctx
, input_type
)
484 && OSSL_DECODER_CTX_set_input_structure(ctx
, input_structure
)
485 && OSSL_DECODER_CTX_set_selection(ctx
, selection
)
486 && ossl_decoder_ctx_setup_for_pkey(ctx
, pkey
, keytype
,
488 && OSSL_DECODER_CTX_add_extra(ctx
, libctx
, propquery
)) {
489 OSSL_TRACE_BEGIN(DECODER
) {
490 BIO_printf(trc_out
, "(ctx %p) Got %d decoders\n",
491 (void *)ctx
, OSSL_DECODER_CTX_get_num_decoders(ctx
));
492 } OSSL_TRACE_END(DECODER
);
496 OSSL_DECODER_CTX_free(ctx
);