2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/buffer.h>
13 #include <openssl/objects.h>
14 #include <openssl/evp.h>
15 #include <openssl/x509.h>
16 #include <openssl/pem.h>
17 #include <openssl/rsa.h>
18 #include <openssl/dsa.h>
20 #ifndef OPENSSL_NO_STDIO
/*
 * Read PEM-encoded X509_INFO entries from a stdio FILE.
 *
 * fp is wrapped in a file BIO with BIO_NOCLOSE, so the caller keeps
 * ownership of fp and this function never closes it.  All parsing is
 * delegated to PEM_X509_INFO_read_bio(); sk, cb and u have exactly the
 * meaning they have there (cb/u supply the passphrase for encrypted
 * private keys).  If the BIO cannot be allocated, ERR_R_BUF_LIB is
 * raised under PEM_F_PEM_X509_INFO_READ.
 *
 * NOTE(review): this listing is incomplete -- the declaration of b, the
 * early return after the PEMerr, the BIO_free(b) and the final
 * "return ret" are not shown here.
 */
21 STACK_OF(X509_INFO
) *PEM_X509_INFO_read(FILE *fp
, STACK_OF(X509_INFO
) *sk
,
22 pem_password_cb
*cb
, void *u
)
25 STACK_OF(X509_INFO
) *ret
;
/* A file BIO over fp; allocation failure is reported as a BUF-library error. */
27 if ((b
= BIO_new(BIO_s_file())) == NULL
) {
28 PEMerr(PEM_F_PEM_X509_INFO_READ
, ERR_R_BUF_LIB
);
/* BIO_NOCLOSE: fp stays open and owned by the caller. */
31 BIO_set_fp(b
, fp
, BIO_NOCLOSE
);
/* The BIO variant does all the work; its result is returned as-is. */
32 ret
= PEM_X509_INFO_read_bio(b
, sk
, cb
, u
);
/*
 * Read every PEM block from bp and gather the decoded objects into a
 * stack of X509_INFO, returned as ret.
 *
 * The PEM label of each block (name) selects the decoder:
 *   CERTIFICATE / X509 CERTIFICATE  -> d2i_X509
 *   TRUSTED CERTIFICATE             -> d2i_X509_AUX
 *   X509 CRL                        -> d2i_X509_CRL
 *   RSA / DSA / EC PRIVATE KEY      -> d2i_PrivateKey() with the matching
 *                                      EVP_PKEY_* type when the key is
 *                                      decoded here
 * One X509_INFO may hold one certificate, one CRL and one key.  When the
 * slot a new block would fill is already occupied, the current xi is
 * pushed onto ret and a fresh X509_INFO is started for the new block.
 * A private key whose header looks encrypted appears to be stored as
 * ciphertext in xi->enc_data (with its DEK-Info in xi->enc_cipher)
 * instead of being decrypted and decoded; see the notes in the body.
 *
 * PEM_R_NO_START_LINE from PEM_read_bio() marks the end of the input.
 *
 * NOTE(review): this listing is incomplete.  The declarations of xi,
 * len, pp, d2i and error, the "goto err"/"goto start" jumps, the err:
 * label, the loop construct around the block reads, the per-iteration
 * frees of name and data, and the way an existing sk is merged into ret
 * are not visible here -- confirm against the full source before
 * relying on any of the hedged statements below.
 */
38 STACK_OF(X509_INFO
) *PEM_X509_INFO_read_bio(BIO
*bp
, STACK_OF(X509_INFO
) *sk
,
39 pem_password_cb
*cb
, void *u
)
/* PEM label and header text of the current block, both allocated by PEM_read_bio(). */
42 char *name
= NULL
, *header
= NULL
;
/* Decoded (base64-stripped) body of the current block; also allocated by PEM_read_bio(). */
44 unsigned char *data
= NULL
;
/* Read cursor handed to the d2i decoders as &p. */
45 const unsigned char *p
;
48 STACK_OF(X509_INFO
) *ret
= NULL
;
/*
 * i: loop index / PEM_read_bio() result; ptype: EVP_PKEY_* type passed to
 * d2i_PrivateKey(); raw: presumably flags a key block kept as ciphertext
 * (where raw and ptype are reset per block is not in view).
 */
49 unsigned int i
, raw
, ptype
;
/* A fresh result stack (presumably only when sk is NULL; the condition is not shown). */
53 if ((ret
= sk_X509_INFO_new_null()) == NULL
) {
54 PEMerr(PEM_F_PEM_X509_INFO_READ_BIO
, ERR_R_MALLOC_FAILURE
);
/* The X509_INFO currently being filled; pushed onto ret once a slot would be reused. */
60 if ((xi
= X509_INFO_new()) == NULL
)
/*
 * Per-block read: fills name/header/data/len for the next PEM block.
 * The enclosing loop and the handling of a zero result are not visible.
 */
65 i
= PEM_read_bio(bp
, &name
, &header
, &data
, &len
);
/*
 * A failed read whose most recent reason is PEM_R_NO_START_LINE is the
 * normal end of input (no further "-----BEGIN" line); any other reason
 * is a real error.  The branch bodies are not shown here.
 */
67 error
= ERR_GET_REASON(ERR_peek_last_error());
68 if (error
== PEM_R_NO_START_LINE
) {
/*
 * Dispatch on the PEM label.  d2i is the generic decoder for this block;
 * for certificates/CRLs the target slot (pp) is set on lines not shown.
 */
75 if ((strcmp(name
, PEM_STRING_X509
) == 0) ||
76 (strcmp(name
, PEM_STRING_X509_OLD
) == 0)) {
77 d2i
= (D2I_OF(void)) d2i_X509
;
/* Certificate slot already taken: push xi and start a new X509_INFO. */
78 if (xi
->x509
!= NULL
) {
79 if (!sk_X509_INFO_push(ret
, xi
))
81 if ((xi
= X509_INFO_new()) == NULL
)
/* Trusted certificate: d2i_X509_AUX also restores the trust settings stored with the cert. */
86 } else if ((strcmp(name
, PEM_STRING_X509_TRUSTED
) == 0)) {
87 d2i
= (D2I_OF(void)) d2i_X509_AUX
;
88 if (xi
->x509
!= NULL
) {
89 if (!sk_X509_INFO_push(ret
, xi
))
91 if ((xi
= X509_INFO_new()) == NULL
)
96 } else if (strcmp(name
, PEM_STRING_X509_CRL
) == 0) {
97 d2i
= (D2I_OF(void)) d2i_X509_CRL
;
/* CRL slot already taken: same push-and-restart as for certificates. */
98 if (xi
->crl
!= NULL
) {
99 if (!sk_X509_INFO_push(ret
, xi
))
101 if ((xi
= X509_INFO_new()) == NULL
)
107 #ifndef OPENSSL_NO_RSA
/* RSA private key: the key slot is xi->x_pkey, decoded into x_pkey->dec_pkey. */
108 if (strcmp(name
, PEM_STRING_RSA
) == 0) {
109 d2i
= (D2I_OF(void)) d2i_RSAPrivateKey
;
110 if (xi
->x_pkey
!= NULL
) {
111 if (!sk_X509_INFO_push(ret
, xi
))
113 if ((xi
= X509_INFO_new()) == NULL
)
121 xi
->x_pkey
= X509_PKEY_new();
122 if (xi
->x_pkey
== NULL
)
124 ptype
= EVP_PKEY_RSA
;
125 pp
= &xi
->x_pkey
->dec_pkey
;
/*
 * Heuristic, not a parse: a header longer than 10 bytes is taken to
 * carry Proc-Type/DEK-Info lines, i.e. an encrypted key.  The real
 * header parsing happens in PEM_get_EVP_CIPHER_INFO() further down on
 * either path.  The statement controlled by this "if" is not shown
 * (presumably it sets raw).
 */
126 if ((int)strlen(header
) > 10) /* assume encrypted */
130 #ifndef OPENSSL_NO_DSA
/* DSA private key: same handling as RSA with ptype = EVP_PKEY_DSA. */
131 if (strcmp(name
, PEM_STRING_DSA
) == 0) {
132 d2i
= (D2I_OF(void)) d2i_DSAPrivateKey
;
133 if (xi
->x_pkey
!= NULL
) {
134 if (!sk_X509_INFO_push(ret
, xi
))
136 if ((xi
= X509_INFO_new()) == NULL
)
144 xi
->x_pkey
= X509_PKEY_new();
145 if (xi
->x_pkey
== NULL
)
147 ptype
= EVP_PKEY_DSA
;
148 pp
= &xi
->x_pkey
->dec_pkey
;
/* Same length heuristic as for RSA above. */
149 if ((int)strlen(header
) > 10) /* assume encrypted */
153 #ifndef OPENSSL_NO_EC
/* EC private key: as RSA/DSA; the ptype assignment for EC is on a line not shown. */
154 if (strcmp(name
, PEM_STRING_ECPRIVATEKEY
) == 0) {
155 d2i
= (D2I_OF(void)) d2i_ECPrivateKey
;
156 if (xi
->x_pkey
!= NULL
) {
157 if (!sk_X509_INFO_push(ret
, xi
))
159 if ((xi
= X509_INFO_new()) == NULL
)
167 xi
->x_pkey
= X509_PKEY_new();
168 if (xi
->x_pkey
== NULL
)
171 pp
= &xi
->x_pkey
->dec_pkey
;
/* Same length heuristic as for RSA above. */
172 if ((int)strlen(header
) > 10) /* assume encrypted */
/*
 * Decode path (the controlling condition, presumably "if (!raw)", is
 * not shown): parse any DEK-Info from the header, let PEM_do_header()
 * decrypt data using the passphrase from cb/u (len is passed by address
 * and presumably updated to the plaintext length), then run the decoder.
 * Either failure is reported by the callee; the "goto err" lines are
 * not visible.
 */
183 EVP_CIPHER_INFO cipher
;
185 if (!PEM_get_EVP_CIPHER_INFO(header
, &cipher
))
187 if (!PEM_do_header(&cipher
, data
, &len
, cb
, u
))
/*
 * Private keys go through d2i_PrivateKey() with the EVP_PKEY_* type
 * chosen above (the "if (ptype)" guard is not shown); everything else
 * uses the generic d2i selected by the label.  A malformed body is an
 * ASN1-library error, not silently skipped.
 */
191 if (!d2i_PrivateKey(ptype
, pp
, &p
, len
)) {
192 PEMerr(PEM_F_PEM_X509_INFO_READ_BIO
, ERR_R_ASN1_LIB
);
195 } else if (d2i(pp
, &p
, len
) == NULL
) {
196 PEMerr(PEM_F_PEM_X509_INFO_READ_BIO
, ERR_R_ASN1_LIB
);
/*
 * Ciphertext path: the block is not decrypted here.  The DEK-Info is
 * parsed into xi->enc_cipher and the still-encrypted body is handed
 * over to xi->enc_data, so data must not be freed by this function
 * afterwards (the "data = NULL" hand-off is not visible -- confirm).
 * NOTE(review): len is narrowed to int for enc_len; confirm len's type
 * and range upstream.
 */
199 } else { /* encrypted RSA data */
200 if (!PEM_get_EVP_CIPHER_INFO(header
, &xi
->enc_cipher
))
202 xi
->enc_data
= (char *)data
;
203 xi
->enc_len
= (int)len
;
/* The header is released after every block; name/data are freed on lines not shown. */
211 OPENSSL_free(header
);
218 * if the last one hasn't been pushed yet and there is anything in it
219 * then add it to the stack ...
/* Flush the trailing X509_INFO if any of its four slots was filled. */
221 if ((xi
->x509
!= NULL
) || (xi
->crl
!= NULL
) ||
222 (xi
->x_pkey
!= NULL
) || (xi
->enc_data
!= NULL
)) {
223 if (!sk_X509_INFO_push(ret
, xi
))
/*
 * Failure cleanup (the controlling condition and the per-entry
 * X509_INFO_free() inside the loop are not shown): walk every entry
 * already on ret, then free the stack itself.
 */
231 for (i
= 0; ((int)i
) < sk_X509_INFO_num(ret
); i
++) {
232 xi
= sk_X509_INFO_value(ret
, i
);
236 sk_X509_INFO_free(ret
);
/* Final release of the last header buffer before returning. */
241 OPENSSL_free(header
);
247 int PEM_X509_INFO_write_bio(BIO
*bp
, X509_INFO
*xi
, EVP_CIPHER
*enc
,
248 unsigned char *kstr
, int klen
,
249 pem_password_cb
*cb
, void *u
)
252 unsigned char *data
= NULL
;
253 const char *objstr
= NULL
;
254 char buf
[PEM_BUFSIZE
];
255 unsigned char *iv
= NULL
;
258 objstr
= OBJ_nid2sn(EVP_CIPHER_nid(enc
));
261 * Check "Proc-Type: 4,Encrypted\nDEK-Info: objstr,hex-iv\n"
264 || (strlen(objstr
) + 23 + 2 * EVP_CIPHER_iv_length(enc
) + 13)
266 PEMerr(PEM_F_PEM_X509_INFO_WRITE_BIO
, PEM_R_UNSUPPORTED_CIPHER
);
272 * now for the fun part ... if we have a private key then we have to be
273 * able to handle a not-yet-decrypted key being written out correctly ...
274 * if it is decrypted or it is non-encrypted then we use the base code
276 if (xi
->x_pkey
!= NULL
) {
277 if ((xi
->enc_data
!= NULL
) && (xi
->enc_len
> 0)) {
279 PEMerr(PEM_F_PEM_X509_INFO_WRITE_BIO
, PEM_R_CIPHER_IS_NULL
);
283 /* copy from weirdo names into more normal things */
284 iv
= xi
->enc_cipher
.iv
;
285 data
= (unsigned char *)xi
->enc_data
;
289 * we take the encryption data from the internal stuff rather
290 * than what the user has passed us ... as we have to match
291 * exactly for some strange reason
293 objstr
= OBJ_nid2sn(EVP_CIPHER_nid(xi
->enc_cipher
.cipher
));
294 if (objstr
== NULL
) {
295 PEMerr(PEM_F_PEM_X509_INFO_WRITE_BIO
,
296 PEM_R_UNSUPPORTED_CIPHER
);
300 /* Create the right magic header stuff */
302 PEM_proc_type(buf
, PEM_TYPE_ENCRYPTED
);
303 PEM_dek_info(buf
, objstr
, EVP_CIPHER_iv_length(enc
),
306 /* use the normal code to write things out */
307 i
= PEM_write_bio(bp
, PEM_STRING_RSA
, buf
, data
, i
);
312 #ifndef OPENSSL_NO_RSA
313 /* normal optionally encrypted stuff */
314 if (PEM_write_bio_RSAPrivateKey(bp
,
315 EVP_PKEY_get0_RSA(xi
->x_pkey
->dec_pkey
),
316 enc
, kstr
, klen
, cb
, u
) <= 0)
322 /* if we have a certificate then write it out now */
323 if ((xi
->x509
!= NULL
) && (PEM_write_bio_X509(bp
, xi
->x509
) <= 0))
327 * we are ignoring anything else that is loaded into the X509_INFO
328 * structure for the moment ... as I don't need it so I'm not coding it
329 * here and Eric can do it when this makes it into the base library --tjh
335 OPENSSL_cleanse(buf
, PEM_BUFSIZE
);