2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/provider.h>
13 #include <openssl/evp.h>
14 #include <openssl/ui.h>
15 #include <openssl/decoder.h>
16 #include <openssl/safestack.h>
17 #include <openssl/trace.h>
18 #include "crypto/evp.h"
19 #include "crypto/decoder.h"
20 #include "crypto/evp/evp_local.h"
21 #include "encoder_local.h"
22 #include "internal/namemap.h"
24 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX
*ctx
,
25 const unsigned char *kstr
,
28 return ossl_pw_set_passphrase(&ctx
->pwdata
, kstr
, klen
);
31 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX
*ctx
,
32 const UI_METHOD
*ui_method
,
35 return ossl_pw_set_ui_method(&ctx
->pwdata
, ui_method
, ui_data
);
38 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX
*ctx
,
39 pem_password_cb
*cb
, void *cbarg
)
41 return ossl_pw_set_pem_password_cb(&ctx
->pwdata
, cb
, cbarg
);
44 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX
*ctx
,
45 OSSL_PASSPHRASE_CALLBACK
*cb
,
48 return ossl_pw_set_ossl_passphrase_cb(&ctx
->pwdata
, cb
, cbarg
);
52 * Support for OSSL_DECODER_CTX_new_for_pkey:
53 * The construct data, and collecting keymgmt information for it
56 DEFINE_STACK_OF(EVP_KEYMGMT
)
58 struct decoder_pkey_data_st
{
63 STACK_OF(EVP_KEYMGMT
) *keymgmts
;
64 char *object_type
; /* recorded object data type, may be NULL */
65 void **object
; /* Where the result should end up */
68 static int decoder_construct_pkey(OSSL_DECODER_INSTANCE
*decoder_inst
,
69 const OSSL_PARAM
*params
,
72 struct decoder_pkey_data_st
*data
= construct_data
;
73 OSSL_DECODER
*decoder
= OSSL_DECODER_INSTANCE_get_decoder(decoder_inst
);
74 void *decoderctx
= OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst
);
75 const OSSL_PROVIDER
*decoder_prov
= OSSL_DECODER_get0_provider(decoder
);
76 EVP_KEYMGMT
*keymgmt
= NULL
;
77 const OSSL_PROVIDER
*keymgmt_prov
= NULL
;
80 * |object_ref| points to a provider reference to an object, its exact
81 * contents entirely opaque to us, but may be passed to any provider
82 * function that expects this (such as OSSL_FUNC_keymgmt_load().
84 * This pointer is considered volatile, i.e. whatever it points at
85 * is assumed to be freed as soon as this function returns.
87 void *object_ref
= NULL
;
88 size_t object_ref_sz
= 0;
91 p
= OSSL_PARAM_locate_const(params
, OSSL_OBJECT_PARAM_DATA_TYPE
);
93 char *object_type
= NULL
;
95 if (!OSSL_PARAM_get_utf8_string(p
, &object_type
, 0))
97 OPENSSL_free(data
->object_type
);
98 data
->object_type
= object_type
;
102 * For stuff that should end up in an EVP_PKEY, we only accept an object
103 * reference for the moment. This enforces that the key data itself
104 * remains with the provider.
106 p
= OSSL_PARAM_locate_const(params
, OSSL_OBJECT_PARAM_REFERENCE
);
107 if (p
== NULL
|| p
->data_type
!= OSSL_PARAM_OCTET_STRING
)
109 object_ref
= p
->data
;
110 object_ref_sz
= p
->data_size
;
113 * First, we try to find a keymgmt that comes from the same provider as
114 * the decoder that passed the params.
116 end
= sk_EVP_KEYMGMT_num(data
->keymgmts
);
117 for (i
= 0; i
< end
; i
++) {
118 keymgmt
= sk_EVP_KEYMGMT_value(data
->keymgmts
, i
);
119 keymgmt_prov
= EVP_KEYMGMT_get0_provider(keymgmt
);
121 if (keymgmt_prov
== decoder_prov
122 && evp_keymgmt_has_load(keymgmt
)
123 && EVP_KEYMGMT_is_a(keymgmt
, data
->object_type
))
127 /* To allow it to be freed further down */
128 if (!EVP_KEYMGMT_up_ref(keymgmt
))
130 } else if ((keymgmt
= EVP_KEYMGMT_fetch(data
->libctx
,
132 data
->propq
)) != NULL
) {
133 keymgmt_prov
= EVP_KEYMGMT_get0_provider(keymgmt
);
136 if (keymgmt
!= NULL
) {
137 EVP_PKEY
*pkey
= NULL
;
138 void *keydata
= NULL
;
141 * If the EVP_KEYMGMT and the OSSL_DECODER are from the
142 * same provider, we assume that the KEYMGMT has a key loading
143 * function that can handle the provider reference we hold.
145 * Otherwise, we export from the decoder and import the
146 * result in the keymgmt.
148 if (keymgmt_prov
== decoder_prov
) {
149 keydata
= evp_keymgmt_load(keymgmt
, object_ref
, object_ref_sz
);
151 struct evp_keymgmt_util_try_import_data_st import_data
;
153 import_data
.keymgmt
= keymgmt
;
154 import_data
.keydata
= NULL
;
155 import_data
.selection
= data
->selection
;
158 * No need to check for errors here, the value of
159 * |import_data.keydata| is as much an indicator.
161 (void)decoder
->export_object(decoderctx
,
162 object_ref
, object_ref_sz
,
163 &evp_keymgmt_util_try_import
,
165 keydata
= import_data
.keydata
;
166 import_data
.keydata
= NULL
;
170 && (pkey
= evp_keymgmt_util_make_pkey(keymgmt
, keydata
)) == NULL
)
171 evp_keymgmt_freedata(keymgmt
, keydata
);
173 *data
->object
= pkey
;
176 * evp_keymgmt_util_make_pkey() increments the reference count when
177 * assigning the EVP_PKEY, so we can free the keymgmt here.
179 EVP_KEYMGMT_free(keymgmt
);
182 * We successfully looked through, |*ctx->object| determines if we
183 * actually found something.
185 return (*data
->object
!= NULL
);
188 static void decoder_clean_pkey_construct_arg(void *construct_data
)
190 struct decoder_pkey_data_st
*data
= construct_data
;
193 sk_EVP_KEYMGMT_pop_free(data
->keymgmts
, EVP_KEYMGMT_free
);
194 OPENSSL_free(data
->propq
);
195 OPENSSL_free(data
->object_type
);
200 struct collect_data_st
{
201 OSSL_LIB_CTX
*libctx
;
202 OSSL_DECODER_CTX
*ctx
;
204 const char *keytype
; /* the keytype requested, if any */
205 int keytype_id
; /* if keytype_resolved is set, keymgmt name_id; else 0 */
206 int sm2_id
; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */
207 int total
; /* number of matching results */
209 char keytype_resolved
;
211 STACK_OF(EVP_KEYMGMT
) *keymgmts
;
214 static void collect_decoder_keymgmt(EVP_KEYMGMT
*keymgmt
, OSSL_DECODER
*decoder
,
215 void *provctx
, struct collect_data_st
*data
)
217 void *decoderctx
= NULL
;
218 OSSL_DECODER_INSTANCE
*di
= NULL
;
221 * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we
222 * don't check it again here.
225 if (keymgmt
->name_id
!= decoder
->base
.id
)
226 /* Mismatch is not an error, continue. */
229 if ((decoderctx
= decoder
->newctx(provctx
)) == NULL
) {
230 data
->error_occurred
= 1;
234 if ((di
= ossl_decoder_instance_new(decoder
, decoderctx
)) == NULL
) {
235 decoder
->freectx(decoderctx
);
236 data
->error_occurred
= 1;
240 OSSL_TRACE_BEGIN(DECODER
) {
242 "(ctx %p) Checking out decoder %p:\n"
244 (void *)data
->ctx
, (void *)decoder
,
245 OSSL_DECODER_get0_name(decoder
),
246 OSSL_DECODER_get0_properties(decoder
));
247 } OSSL_TRACE_END(DECODER
);
249 if (!ossl_decoder_ctx_add_decoder_inst(data
->ctx
, di
)) {
250 ossl_decoder_instance_free(di
);
251 data
->error_occurred
= 1;
258 static void collect_decoder(OSSL_DECODER
*decoder
, void *arg
)
260 struct collect_data_st
*data
= arg
;
261 STACK_OF(EVP_KEYMGMT
) *keymgmts
= data
->keymgmts
;
263 EVP_KEYMGMT
*keymgmt
;
264 const OSSL_PROVIDER
*prov
;
267 if (data
->error_occurred
)
270 prov
= OSSL_DECODER_get0_provider(decoder
);
271 provctx
= OSSL_PROVIDER_get0_provider_ctx(prov
);
274 * Either the caller didn't give us a selection, or if they did, the decoder
275 * must tell us if it supports that selection to be accepted. If the decoder
276 * doesn't have |does_selection|, it's seen as taking anything.
278 if (decoder
->does_selection
!= NULL
279 && !decoder
->does_selection(provctx
, data
->ctx
->selection
))
282 OSSL_TRACE_BEGIN(DECODER
) {
284 "(ctx %p) Checking out decoder %p:\n"
286 (void *)data
->ctx
, (void *)decoder
,
287 OSSL_DECODER_get0_name(decoder
),
288 OSSL_DECODER_get0_properties(decoder
));
289 } OSSL_TRACE_END(DECODER
);
291 end_i
= sk_EVP_KEYMGMT_num(keymgmts
);
292 for (i
= 0; i
< end_i
; ++i
) {
293 keymgmt
= sk_EVP_KEYMGMT_value(keymgmts
, i
);
295 collect_decoder_keymgmt(keymgmt
, decoder
, provctx
, data
);
296 if (data
->error_occurred
)
302 * Is this EVP_KEYMGMT applicable given the key type given in the call to
303 * ossl_decoder_ctx_setup_for_pkey (if any)?
305 static int check_keymgmt(EVP_KEYMGMT
*keymgmt
, struct collect_data_st
*data
)
307 /* If no keytype was specified, everything matches. */
308 if (data
->keytype
== NULL
)
311 if (!data
->keytype_resolved
) {
312 /* We haven't cached the IDs from the keytype string yet. */
313 OSSL_NAMEMAP
*namemap
= ossl_namemap_stored(data
->libctx
);
314 data
->keytype_id
= ossl_namemap_name2num(namemap
, data
->keytype
);
317 * If keytype is a value ambiguously used for both EC and SM2,
318 * collect the ID for SM2 as well.
320 if (data
->keytype_id
!= 0
321 && (strcmp(data
->keytype
, "id-ecPublicKey") == 0
322 || strcmp(data
->keytype
, "1.2.840.10045.2.1") == 0))
323 data
->sm2_id
= ossl_namemap_name2num(namemap
, "SM2");
326 * If keytype_id is zero the name was not found, but we still
327 * set keytype_resolved to avoid trying all this again.
329 data
->keytype_resolved
= 1;
332 /* Specified keytype could not be resolved, so nothing matches. */
333 if (data
->keytype_id
== 0)
336 /* Does not match the keytype specified, so skip. */
337 if (keymgmt
->name_id
!= data
->keytype_id
338 && keymgmt
->name_id
!= data
->sm2_id
)
344 static void collect_keymgmt(EVP_KEYMGMT
*keymgmt
, void *arg
)
346 struct collect_data_st
*data
= arg
;
348 if (!check_keymgmt(keymgmt
, data
))
352 * We have to ref EVP_KEYMGMT here because in the success case,
353 * data->keymgmts is referenced by the constructor we register in the
354 * OSSL_DECODER_CTX. The registered cleanup function
355 * (decoder_clean_pkey_construct_arg) unrefs every element of the stack and
358 if (!EVP_KEYMGMT_up_ref(keymgmt
))
361 if (sk_EVP_KEYMGMT_push(data
->keymgmts
, keymgmt
) <= 0) {
362 EVP_KEYMGMT_free(keymgmt
);
363 data
->error_occurred
= 1;
368 * This function does the actual binding of decoders to the OSSL_DECODER_CTX. It
369 * searches for decoders matching 'keytype', which is a string like "RSA", "DH",
370 * etc. If 'keytype' is NULL, decoders for all keytypes are bound.
372 int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX
*ctx
,
373 EVP_PKEY
**pkey
, const char *keytype
,
374 OSSL_LIB_CTX
*libctx
,
375 const char *propquery
)
378 struct decoder_pkey_data_st
*process_data
= NULL
;
379 struct collect_data_st collect_data
= { NULL
};
380 STACK_OF(EVP_KEYMGMT
) *keymgmts
= NULL
;
382 OSSL_TRACE_BEGIN(DECODER
) {
383 const char *input_type
= ctx
->start_input_type
;
384 const char *input_structure
= ctx
->input_structure
;
387 "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n",
389 keytype
!= NULL
? keytype
: "",
390 keytype
!= NULL
? " keys" : "keys of any type",
391 input_type
!= NULL
? " from " : "",
392 input_type
!= NULL
? input_type
: "",
393 input_structure
!= NULL
? " with " : "",
394 input_structure
!= NULL
? input_structure
: "");
395 } OSSL_TRACE_END(DECODER
);
398 if ((process_data
= OPENSSL_zalloc(sizeof(*process_data
))) == NULL
399 || (propquery
!= NULL
400 && (process_data
->propq
= OPENSSL_strdup(propquery
)) == NULL
)) {
401 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
405 /* Allocate our list of EVP_KEYMGMTs. */
406 keymgmts
= sk_EVP_KEYMGMT_new_null();
407 if (keymgmts
== NULL
) {
408 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
412 process_data
->object
= (void **)pkey
;
413 process_data
->libctx
= libctx
;
414 process_data
->selection
= ctx
->selection
;
415 process_data
->keymgmts
= keymgmts
;
418 * Enumerate all keymgmts into a stack.
420 * We could nest EVP_KEYMGMT_do_all_provided inside
421 * OSSL_DECODER_do_all_provided or vice versa but these functions become
422 * bottlenecks if called repeatedly, which is why we collect the
423 * EVP_KEYMGMTs into a stack here and call both functions only once.
425 * We resolve the keytype string to a name ID so we don't have to resolve it
426 * multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a
427 * performance bottleneck. However, we do this lazily on the first call to
428 * collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it
429 * upfront, as this ensures that the names for all loaded providers have
430 * been registered by the time we try to resolve the keytype string.
432 collect_data
.ctx
= ctx
;
433 collect_data
.libctx
= libctx
;
434 collect_data
.keymgmts
= keymgmts
;
435 collect_data
.keytype
= keytype
;
436 EVP_KEYMGMT_do_all_provided(libctx
, collect_keymgmt
, &collect_data
);
438 if (collect_data
.error_occurred
)
441 /* Enumerate all matching decoders. */
442 OSSL_DECODER_do_all_provided(libctx
, collect_decoder
, &collect_data
);
444 if (collect_data
.error_occurred
)
447 OSSL_TRACE_BEGIN(DECODER
) {
449 "(ctx %p) Got %d decoders producing keys\n",
450 (void *)ctx
, collect_data
.total
);
451 } OSSL_TRACE_END(DECODER
);
454 * Finish initializing the decoder context. If one or more decoders matched
455 * above then the number of decoders attached to the OSSL_DECODER_CTX will
456 * be nonzero. Else nothing was found and we do nothing.
458 if (OSSL_DECODER_CTX_get_num_decoders(ctx
) != 0) {
459 if (!OSSL_DECODER_CTX_set_construct(ctx
, decoder_construct_pkey
)
460 || !OSSL_DECODER_CTX_set_construct_data(ctx
, process_data
)
461 || !OSSL_DECODER_CTX_set_cleanup(ctx
,
462 decoder_clean_pkey_construct_arg
))
465 process_data
= NULL
; /* Avoid it being freed */
470 decoder_clean_pkey_construct_arg(process_data
);
475 OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY
**pkey
,
476 const char *input_type
,
477 const char *input_structure
,
478 const char *keytype
, int selection
,
479 OSSL_LIB_CTX
*libctx
, const char *propquery
)
481 OSSL_DECODER_CTX
*ctx
= NULL
;
483 if ((ctx
= OSSL_DECODER_CTX_new()) == NULL
) {
484 ERR_raise(ERR_LIB_OSSL_DECODER
, ERR_R_MALLOC_FAILURE
);
488 OSSL_TRACE_BEGIN(DECODER
) {
490 "(ctx %p) Looking for %s decoders with selection %d\n",
491 (void *)ctx
, keytype
, selection
);
492 BIO_printf(trc_out
, " input type: %s, input structure: %s\n",
493 input_type
, input_structure
);
494 } OSSL_TRACE_END(DECODER
);
496 if (OSSL_DECODER_CTX_set_input_type(ctx
, input_type
)
497 && OSSL_DECODER_CTX_set_input_structure(ctx
, input_structure
)
498 && OSSL_DECODER_CTX_set_selection(ctx
, selection
)
499 && ossl_decoder_ctx_setup_for_pkey(ctx
, pkey
, keytype
,
501 && OSSL_DECODER_CTX_add_extra(ctx
, libctx
, propquery
)) {
502 OSSL_TRACE_BEGIN(DECODER
) {
503 BIO_printf(trc_out
, "(ctx %p) Got %d decoders\n",
504 (void *)ctx
, OSSL_DECODER_CTX_get_num_decoders(ctx
));
505 } OSSL_TRACE_END(DECODER
);
509 OSSL_DECODER_CTX_free(ctx
);