2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/provider.h>
13 #include <openssl/evp.h>
14 #include <openssl/ui.h>
15 #include <openssl/decoder.h>
16 #include <openssl/safestack.h>
17 #include <openssl/trace.h>
18 #include "crypto/evp.h"
19 #include "crypto/decoder.h"
20 #include "crypto/evp/evp_local.h"
21 #include "encoder_local.h"
22 #include "internal/e_os.h" /* strcasecmp on Windows */
23 #include "internal/namemap.h"
25 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX
*ctx
,
26 const unsigned char *kstr
,
29 return ossl_pw_set_passphrase(&ctx
->pwdata
, kstr
, klen
);
32 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX
*ctx
,
33 const UI_METHOD
*ui_method
,
36 return ossl_pw_set_ui_method(&ctx
->pwdata
, ui_method
, ui_data
);
39 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX
*ctx
,
40 pem_password_cb
*cb
, void *cbarg
)
42 return ossl_pw_set_pem_password_cb(&ctx
->pwdata
, cb
, cbarg
);
45 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX
*ctx
,
46 OSSL_PASSPHRASE_CALLBACK
*cb
,
49 return ossl_pw_set_ossl_passphrase_cb(&ctx
->pwdata
, cb
, cbarg
);
53 * Support for OSSL_DECODER_CTX_new_for_pkey:
54 * The construct data, and collecting keymgmt information for it
57 DEFINE_STACK_OF(EVP_KEYMGMT
)
59 struct decoder_pkey_data_st
{
64 STACK_OF(EVP_KEYMGMT
) *keymgmts
;
65 char *object_type
; /* recorded object data type, may be NULL */
66 void **object
; /* Where the result should end up */
69 static int decoder_construct_pkey(OSSL_DECODER_INSTANCE
*decoder_inst
,
70 const OSSL_PARAM
*params
,
73 struct decoder_pkey_data_st
*data
= construct_data
;
74 OSSL_DECODER
*decoder
= OSSL_DECODER_INSTANCE_get_decoder(decoder_inst
);
75 void *decoderctx
= OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst
);
76 const OSSL_PROVIDER
*decoder_prov
= OSSL_DECODER_get0_provider(decoder
);
77 EVP_KEYMGMT
*keymgmt
= NULL
;
78 const OSSL_PROVIDER
*keymgmt_prov
= NULL
;
81 * |object_ref| points to a provider reference to an object, its exact
82 * contents entirely opaque to us, but may be passed to any provider
83 * function that expects this (such as OSSL_FUNC_keymgmt_load().
85 * This pointer is considered volatile, i.e. whatever it points at
86 * is assumed to be freed as soon as this function returns.
88 void *object_ref
= NULL
;
89 size_t object_ref_sz
= 0;
92 p
= OSSL_PARAM_locate_const(params
, OSSL_OBJECT_PARAM_DATA_TYPE
);
94 char *object_type
= NULL
;
96 if (!OSSL_PARAM_get_utf8_string(p
, &object_type
, 0))
98 OPENSSL_free(data
->object_type
);
99 data
->object_type
= object_type
;
103 * For stuff that should end up in an EVP_PKEY, we only accept an object
104 * reference for the moment. This enforces that the key data itself
105 * remains with the provider.
107 p
= OSSL_PARAM_locate_const(params
, OSSL_OBJECT_PARAM_REFERENCE
);
108 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_OCTET_STRING
)
110 object_ref
= p
->data
;
111 object_ref_sz
= p
->data_size
;
114 * First, we try to find a keymgmt that comes from the same provider as
115 * the decoder that passed the params.
117 end
= sk_EVP_KEYMGMT_num(data
->keymgmts
);
118 for (i
= 0; i
< end
; i
++) {
119 keymgmt
= sk_EVP_KEYMGMT_value(data
->keymgmts
, i
);
120 keymgmt_prov
= EVP_KEYMGMT_get0_provider(keymgmt
);
122 if (keymgmt_prov
== decoder_prov
123 && evp_keymgmt_has_load(keymgmt
)
124 && EVP_KEYMGMT_is_a(keymgmt
, data
->object_type
))
128 /* To allow it to be freed further down */
129 if (!EVP_KEYMGMT_up_ref(keymgmt
))
131 } else if ((keymgmt
= EVP_KEYMGMT_fetch(data
->libctx
,
133 data
->propq
)) != NULL
) {
134 keymgmt_prov
= EVP_KEYMGMT_get0_provider(keymgmt
);
137 if (keymgmt
!= NULL
) {
138 EVP_PKEY
*pkey
= NULL
;
139 void *keydata
= NULL
;
142 * If the EVP_KEYMGMT and the OSSL_DECODER are from the
143 * same provider, we assume that the KEYMGMT has a key loading
144 * function that can handle the provider reference we hold.
146 * Otherwise, we export from the decoder and import the
147 * result in the keymgmt.
149 if (keymgmt_prov
== decoder_prov
) {
150 keydata
= evp_keymgmt_load(keymgmt
, object_ref
, object_ref_sz
);
152 struct evp_keymgmt_util_try_import_data_st import_data
;
154 import_data
.keymgmt
= keymgmt
;
155 import_data
.keydata
= NULL
;
156 import_data
.selection
= data
->selection
;
159 * No need to check for errors here, the value of
160 * |import_data.keydata| is as much an indicator.
162 (void)decoder
->export_object(decoderctx
,
163 object_ref
, object_ref_sz
,
164 &evp_keymgmt_util_try_import
,
166 keydata
= import_data
.keydata
;
167 import_data
.keydata
= NULL
;
171 && (pkey
= evp_keymgmt_util_make_pkey(keymgmt
, keydata
)) == NULL
)
172 evp_keymgmt_freedata(keymgmt
, keydata
);
174 *data
->object
= pkey
;
177 * evp_keymgmt_util_make_pkey() increments the reference count when
178 * assigning the EVP_PKEY, so we can free the keymgmt here.
180 EVP_KEYMGMT_free(keymgmt
);
183 * We successfully looked through, |*ctx->object| determines if we
184 * actually found something.
186 return (*data
->object
!= NULL
);
189 static void decoder_clean_pkey_construct_arg(void *construct_data
)
191 struct decoder_pkey_data_st
*data
= construct_data
;
194 sk_EVP_KEYMGMT_pop_free(data
->keymgmts
, EVP_KEYMGMT_free
);
195 OPENSSL_free(data
->propq
);
196 OPENSSL_free(data
->object_type
);
201 struct collect_data_st
{
202 OSSL_LIB_CTX
*libctx
;
203 OSSL_DECODER_CTX
*ctx
;
205 const char *keytype
; /* the keytype requested, if any */
206 int keytype_id
; /* if keytype_resolved is set, keymgmt name_id; else 0 */
207 int sm2_id
; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */
208 int total
; /* number of matching results */
210 char keytype_resolved
;
212 STACK_OF(EVP_KEYMGMT
) *keymgmts
;
215 static void collect_decoder_keymgmt(EVP_KEYMGMT
*keymgmt
, OSSL_DECODER
*decoder
,
216 void *provctx
, struct collect_data_st
*data
)
218 void *decoderctx
= NULL
;
219 OSSL_DECODER_INSTANCE
*di
= NULL
;
222 * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we
223 * don't check it again here.
226 if (keymgmt
->name_id
!= decoder
->base
.id
)
227 /* Mismatch is not an error, continue. */
230 if ((decoderctx
= decoder
->newctx(provctx
)) == NULL
) {
231 data
->error_occurred
= 1;
235 if ((di
= ossl_decoder_instance_new(decoder
, decoderctx
)) == NULL
) {
236 decoder
->freectx(decoderctx
);
237 data
->error_occurred
= 1;
241 OSSL_TRACE_BEGIN(DECODER
) {
243 "(ctx %p) Checking out decoder %p:\n"
245 (void *)data
->ctx
, (void *)decoder
,
246 OSSL_DECODER_get0_name(decoder
),
247 OSSL_DECODER_get0_properties(decoder
));
248 } OSSL_TRACE_END(DECODER
);
250 if (!ossl_decoder_ctx_add_decoder_inst(data
->ctx
, di
)) {
251 ossl_decoder_instance_free(di
);
252 data
->error_occurred
= 1;
259 static void collect_decoder(OSSL_DECODER
*decoder
, void *arg
)
261 struct collect_data_st
*data
= arg
;
262 STACK_OF(EVP_KEYMGMT
) *keymgmts
= data
->keymgmts
;
264 EVP_KEYMGMT
*keymgmt
;
265 const OSSL_PROVIDER
*prov
;
268 if (data
->error_occurred
)
271 prov
= OSSL_DECODER_get0_provider(decoder
);
272 provctx
= OSSL_PROVIDER_get0_provider_ctx(prov
);
275 * Either the caller didn't give us a selection, or if they did, the decoder
276 * must tell us if it supports that selection to be accepted. If the decoder
277 * doesn't have |does_selection|, it's seen as taking anything.
279 if (decoder
->does_selection
!= NULL
280 && !decoder
->does_selection(provctx
, data
->ctx
->selection
))
283 OSSL_TRACE_BEGIN(DECODER
) {
285 "(ctx %p) Checking out decoder %p:\n"
287 (void *)data
->ctx
, (void *)decoder
,
288 OSSL_DECODER_get0_name(decoder
),
289 OSSL_DECODER_get0_properties(decoder
));
290 } OSSL_TRACE_END(DECODER
);
292 end_i
= sk_EVP_KEYMGMT_num(keymgmts
);
293 for (i
= 0; i
< end_i
; ++i
) {
294 keymgmt
= sk_EVP_KEYMGMT_value(keymgmts
, i
);
296 collect_decoder_keymgmt(keymgmt
, decoder
, provctx
, data
);
297 if (data
->error_occurred
)
303 * Is this EVP_KEYMGMT applicable given the key type given in the call to
304 * ossl_decoder_ctx_setup_for_pkey (if any)?
306 static int check_keymgmt(EVP_KEYMGMT
*keymgmt
, struct collect_data_st
*data
)
308 /* If no keytype was specified, everything matches. */
309 if (data
->keytype
== NULL
)
312 if (!data
->keytype_resolved
) {
313 /* We haven't cached the IDs from the keytype string yet. */
314 OSSL_NAMEMAP
*namemap
= ossl_namemap_stored(data
->libctx
);
315 data
->keytype_id
= ossl_namemap_name2num(namemap
, data
->keytype
);
318 * If keytype is a value ambiguously used for both EC and SM2,
319 * collect the ID for SM2 as well.
321 if (data
->keytype_id
!= 0
322 && (strcmp(data
->keytype
, "id-ecPublicKey") == 0
323 || strcmp(data
->keytype
, "1.2.840.10045.2.1") == 0))
324 data
->sm2_id
= ossl_namemap_name2num(namemap
, "SM2");
327 * If keytype_id is zero the name was not found, but we still
328 * set keytype_resolved to avoid trying all this again.
330 data
->keytype_resolved
= 1;
333 /* Specified keytype could not be resolved, so nothing matches. */
334 if (data
->keytype_id
== 0)
337 /* Does not match the keytype specified, so skip. */
338 if (keymgmt
->name_id
!= data
->keytype_id
339 && keymgmt
->name_id
!= data
->sm2_id
)
345 static void collect_keymgmt(EVP_KEYMGMT
*keymgmt
, void *arg
)
347 struct collect_data_st
*data
= arg
;
349 if (!check_keymgmt(keymgmt
, data
))
353 * We have to ref EVP_KEYMGMT here because in the success case,
354 * data->keymgmts is referenced by the constructor we register in the
355 * OSSL_DECODER_CTX. The registered cleanup function
356 * (decoder_clean_pkey_construct_arg) unrefs every element of the stack and
359 if (!EVP_KEYMGMT_up_ref(keymgmt
))
362 if (sk_EVP_KEYMGMT_push(data
->keymgmts
, keymgmt
) <= 0) {
363 EVP_KEYMGMT_free(keymgmt
);
364 data
->error_occurred
= 1;
369 * This function does the actual binding of decoders to the OSSL_DECODER_CTX. It
370 * searches for decoders matching 'keytype', which is a string like "RSA", "DH",
371 * etc. If 'keytype' is NULL, decoders for all keytypes are bound.
373 int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX
*ctx
,
374 EVP_PKEY
**pkey
, const char *keytype
,
375 OSSL_LIB_CTX
*libctx
,
376 const char *propquery
)
379 struct decoder_pkey_data_st
*process_data
= NULL
;
380 struct collect_data_st collect_data
= { NULL
};
381 STACK_OF(EVP_KEYMGMT
) *keymgmts
= NULL
;
383 OSSL_TRACE_BEGIN(DECODER
) {
384 const char *input_type
= ctx
->start_input_type
;
385 const char *input_structure
= ctx
->input_structure
;
388 "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n",
390 keytype
!= NULL
? keytype
: "",
391 keytype
!= NULL
? " keys" : "keys of any type",
392 input_type
!= NULL
? " from " : "",
393 input_type
!= NULL
? input_type
: "",
394 input_structure
!= NULL
? " with " : "",
395 input_structure
!= NULL
? input_structure
: "");
396 } OSSL_TRACE_END(DECODER
);
399 if ((process_data
= OPENSSL_zalloc(sizeof(*process_data
))) == NULL
400 || (propquery
!= NULL
401 && (process_data
->propq
= OPENSSL_strdup(propquery
)) == NULL
)) {
402 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
406 /* Allocate our list of EVP_KEYMGMTs. */
407 keymgmts
= sk_EVP_KEYMGMT_new_null();
408 if (keymgmts
== NULL
) {
409 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
413 process_data
->object
= (void **)pkey
;
414 process_data
->libctx
= libctx
;
415 process_data
->selection
= ctx
->selection
;
416 process_data
->keymgmts
= keymgmts
;
419 * Enumerate all keymgmts into a stack.
421 * We could nest EVP_KEYMGMT_do_all_provided inside
422 * OSSL_DECODER_do_all_provided or vice versa but these functions become
423 * bottlenecks if called repeatedly, which is why we collect the
424 * EVP_KEYMGMTs into a stack here and call both functions only once.
426 * We resolve the keytype string to a name ID so we don't have to resolve it
427 * multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a
428 * performance bottleneck. However, we do this lazily on the first call to
429 * collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it
430 * upfront, as this ensures that the names for all loaded providers have
431 * been registered by the time we try to resolve the keytype string.
433 collect_data
.ctx
= ctx
;
434 collect_data
.libctx
= libctx
;
435 collect_data
.keymgmts
= keymgmts
;
436 collect_data
.keytype
= keytype
;
437 EVP_KEYMGMT_do_all_provided(libctx
, collect_keymgmt
, &collect_data
);
439 if (collect_data
.error_occurred
)
442 /* Enumerate all matching decoders. */
443 OSSL_DECODER_do_all_provided(libctx
, collect_decoder
, &collect_data
);
445 if (collect_data
.error_occurred
)
448 OSSL_TRACE_BEGIN(DECODER
) {
450 "(ctx %p) Got %d decoders producing keys\n",
451 (void *)ctx
, collect_data
.total
);
452 } OSSL_TRACE_END(DECODER
);
455 * Finish initializing the decoder context. If one or more decoders matched
456 * above then the number of decoders attached to the OSSL_DECODER_CTX will
457 * be nonzero. Else nothing was found and we do nothing.
459 if (OSSL_DECODER_CTX_get_num_decoders(ctx
) != 0) {
460 if (!OSSL_DECODER_CTX_set_construct(ctx
, decoder_construct_pkey
)
461 || !OSSL_DECODER_CTX_set_construct_data(ctx
, process_data
)
462 || !OSSL_DECODER_CTX_set_cleanup(ctx
,
463 decoder_clean_pkey_construct_arg
))
466 process_data
= NULL
; /* Avoid it being freed */
471 decoder_clean_pkey_construct_arg(process_data
);
476 OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY
**pkey
,
477 const char *input_type
,
478 const char *input_structure
,
479 const char *keytype
, int selection
,
480 OSSL_LIB_CTX
*libctx
, const char *propquery
)
482 OSSL_DECODER_CTX
*ctx
= NULL
;
484 if ((ctx
= OSSL_DECODER_CTX_new()) == NULL
) {
485 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
489 OSSL_TRACE_BEGIN(DECODER
) {
491 "(ctx %p) Looking for %s decoders with selection %d\n",
492 (void *)ctx
, keytype
, selection
);
493 BIO_printf(trc_out
, " input type: %s, input structure: %s\n",
494 input_type
, input_structure
);
495 } OSSL_TRACE_END(DECODER
);
497 if (OSSL_DECODER_CTX_set_input_type(ctx
, input_type
)
498 && OSSL_DECODER_CTX_set_input_structure(ctx
, input_structure
)
499 && OSSL_DECODER_CTX_set_selection(ctx
, selection
)
500 && ossl_decoder_ctx_setup_for_pkey(ctx
, pkey
, keytype
,
502 && OSSL_DECODER_CTX_add_extra(ctx
, libctx
, propquery
)) {
503 OSSL_TRACE_BEGIN(DECODER
) {
504 BIO_printf(trc_out
, "(ctx %p) Got %d decoders\n",
505 (void *)ctx
, OSSL_DECODER_CTX_get_num_decoders(ctx
));
506 } OSSL_TRACE_END(DECODER
);
510 OSSL_DECODER_CTX_free(ctx
);