[thirdparty/openssl.git] / crypto / store / store_result.c

/*
 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "e_os.h"
#include <string.h>

#include <openssl/core.h>
#include <openssl/core_names.h>
#include <openssl/core_object.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
#include <openssl/decoder.h>
#include <openssl/store.h>
#include "internal/provider.h"
#include "internal/passphrase.h"
#include "crypto/evp.h"
#include "crypto/x509.h"
#include "store_local.h"

#ifndef OSSL_OBJECT_PKCS12
/*
 * The object abstraction doesn't know PKCS#12, but we want to indicate
 * it anyway, so we create our own.  Since the public macros use positive
 * numbers, negative ones should be fine.  They must never slip out from
 * this translation unit anyway.
 */
# define OSSL_OBJECT_PKCS12 -1
#endif

/*
 * ossl_store_handle_load_result() is initially written to be a companion
 * to our 'file:' scheme provider implementation, but has been made generic
 * to serve others as well.
 *
 * This result handler takes any object abstraction (see provider-object(7))
 * and does the best it can with it.  If the object is passed by value (not
 * by reference), the contents are currently expected to be DER encoded.
 * If an object type is specified, that will be respected; otherwise, this
 * handler will guess the contents, by trying the following in order:
 *
 * 1.  Decode it into an EVP_PKEY, using OSSL_DECODER.
 * 2.  Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
 * 3.  Decode it into an X.509 CRL, using d2i_X509_CRL.
 * 4.  Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
 *
 * For the 'file:' scheme implementation, this is division of labor.  Since
 * the libcrypto <-> provider interface currently doesn't support certain
 * structures as first class objects, they must be unpacked from DER here
 * rather than in the provider.  The current exception is asymmetric keys,
 * which can reside within the provider boundary, most of all thanks to
 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
 * reference.
 */

struct extracted_param_data_st {
    int object_type;
    const char *data_type;
    const char *utf8_data;
    const void *octet_data;
    size_t octet_data_size;
    const void *ref;
    size_t ref_size;
    const char *desc;
};

static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                   OSSL_STORE_CTX *, const OSSL_PROVIDER *,
                   OSSL_LIB_CTX *, const char *);
static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                    OSSL_LIB_CTX *, const char *);
static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                   OSSL_LIB_CTX *, const char *);
static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                      OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *);

#define SET_ERR_MARK() ERR_set_mark()
#define CLEAR_ERR_MARK()                                                \
    do {                                                                \
        int err = ERR_peek_last_error();                                \
                                                                        \
        if (ERR_GET_LIB(err) == ERR_LIB_ASN1                            \
            && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE   \
                || ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \
                || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))     \
            ERR_pop_to_mark();                                          \
        else                                                            \
            ERR_clear_last_mark();                                      \
    } while(0)
#define RESET_ERR_MARK()                                                \
    do {                                                                \
        CLEAR_ERR_MARK();                                               \
        SET_ERR_MARK();                                                 \
    } while(0)

int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
{
    struct ossl_load_result_data_st *cbdata = arg;
    OSSL_STORE_INFO **v = &cbdata->v;
    OSSL_STORE_CTX *ctx = cbdata->ctx;
    const OSSL_PROVIDER *provider =
        OSSL_STORE_LOADER_provider(ctx->fetched_loader);
    OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
    const char *propq = ctx->properties;
    const OSSL_PARAM *p;
    struct extracted_param_data_st helper_data;

    memset(&helper_data, 0, sizeof(helper_data));
    helper_data.object_type = OSSL_OBJECT_UNKNOWN;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
        && !OSSL_PARAM_get_int(p, &helper_data.object_type))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
    if (p != NULL
        && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
    if (p != NULL
        && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
                                            &helper_data.octet_data_size)
        && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
    if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
                                                      &helper_data.ref_size))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
    if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
        return 0;

    /*
     * The helper functions return 0 on actual errors, otherwise 1, even if
     * they didn't fill out |*v|.
     */
    SET_ERR_MARK();
    if (!try_name(&helper_data, v))
        goto err;
    RESET_ERR_MARK();
    if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
        goto err;
    RESET_ERR_MARK();
    if (!try_cert(&helper_data, v, libctx, propq))
        goto err;
    RESET_ERR_MARK();
    if (!try_crl(&helper_data, v, libctx, propq))
        goto err;
    RESET_ERR_MARK();
    if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
        goto err;
    CLEAR_ERR_MARK();

    return (*v != NULL);
 err:
    return 0;
}

static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
{
    if (data->object_type == OSSL_OBJECT_NAME) {
        char *newname = NULL, *newdesc = NULL;

        if (data->utf8_data == NULL)
            return 0;
        if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
            || (data->desc != NULL
                && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
            || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
            OPENSSL_free(newname);
            OPENSSL_free(newdesc);
            return 0;
        }
        OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
    }
    return 1;
}

/*
 * For the rest of the object types, the provider code may not know what
 * type of data it gave us, so we may need to figure that out on our own.
 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
 * only return 0 on error if the object type is known.
 */

static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
                             OSSL_STORE_CTX *ctx,
                             const OSSL_PROVIDER *provider,
                             OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pk = NULL;
    EVP_KEYMGMT *keymgmt = NULL;
    void *keydata = NULL;

    /* If we have an object reference, we must have a data type */
    if (data->data_type == NULL)
        return 0;

    keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
    if (keymgmt != NULL) {
        /*
         * There are two possible cases
         *
         * 1.  The keymgmt is from the same provider as the loader,
         *     so we can use evp_keymgmt_load()
         * 2.  The keymgmt is from another provider, then we must
         *     do the export/import dance.
         */
        if (EVP_KEYMGMT_provider(keymgmt) == provider) {
            keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
        } else {
            struct evp_keymgmt_util_try_import_data_st import_data;
            OSSL_FUNC_store_export_object_fn *export_object =
                ctx->fetched_loader->p_export_object;

            import_data.keymgmt = keymgmt;
            import_data.keydata = NULL;
            import_data.selection = OSSL_KEYMGMT_SELECT_ALL;

            if (export_object != NULL) {
                /*
                 * No need to check for errors here, the value of
                 * |import_data.keydata| is as much an indicator.
                 */
                (void)export_object(ctx->loader_ctx,
                                    data->ref, data->ref_size,
                                    &evp_keymgmt_util_try_import,
                                    &import_data);
            }

            keydata = import_data.keydata;
        }
    }
    if (keydata != NULL)
        pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
    EVP_KEYMGMT_free(keymgmt);

    return pk;
}

static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
                               OSSL_STORE_CTX *ctx,
                               OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
                               OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pk = NULL;
    OSSL_DECODER_CTX *decoderctx = NULL;
    const unsigned char *pdata = data->octet_data;
    size_t pdatalen = data->octet_data_size;

    decoderctx =
        OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, NULL, NULL, NULL, 0,
                                         libctx, propq);
    (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);

    /* No error if this couldn't be decoded */
    (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);

    OSSL_DECODER_CTX_free(decoderctx);

    return pk;
}

typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);

static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
                                      store_info_new_fn **store_info_new,
                                      OSSL_STORE_CTX *ctx,
                                      OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
                                      OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pk = NULL;
    const unsigned char *der = data->octet_data, *derp;
    long der_len = (long)data->octet_data_size;

    SET_ERR_MARK();
    /* Try PUBKEY first, that's a real easy target */
    derp = der;
    pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
    if (pk != NULL)
        *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
    RESET_ERR_MARK();

    /* Try private keys next */
    if (pk == NULL) {
        unsigned char *new_der = NULL;
        X509_SIG *p8 = NULL;
        PKCS8_PRIV_KEY_INFO *p8info = NULL;

        /* See if it's an encrypted PKCS#8 and decrypt it */
        derp = der;
        if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
            char pbuf[PEM_BUFSIZE];
            size_t plen = 0;

            if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
                ERR_raise(ERR_LIB_OSSL_STORE,
                          OSSL_STORE_R_BAD_PASSWORD_READ);
            } else {
                const X509_ALGOR *alg = NULL;
                const ASN1_OCTET_STRING *oct = NULL;
                int len = 0;

                X509_SIG_get0(p8, &alg, &oct);

                /*
                 * No need to check the returned value, |new_der|
                 * will be NULL on error anyway.
                 */
                PKCS12_pbe_crypt(alg, pbuf, plen,
                                 oct->data, oct->length,
                                 &new_der, &len, 0);
                der_len = len;
                der = new_der;
            }
            X509_SIG_free(p8);
        }
        RESET_ERR_MARK();

        /*
         * If the encrypted PKCS#8 couldn't be decrypted,
         * |der| is NULL
         */
        if (der != NULL) {
            /* Try to unpack an unencrypted PKCS#8, that's easy */
            derp = der;
            p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
            RESET_ERR_MARK();
            if (p8info != NULL) {
                pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
                PKCS8_PRIV_KEY_INFO_free(p8info);
            }
        }

        if (pk != NULL)
            *store_info_new = OSSL_STORE_INFO_new_PKEY;

        OPENSSL_free(new_der);
        der = data->octet_data;
        der_len = (long)data->octet_data_size;
    }
    CLEAR_ERR_MARK();

    return pk;
}

static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                   OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
                   OSSL_LIB_CTX *libctx, const char *propq)
{
    store_info_new_fn *store_info_new = NULL;

    if (data->object_type == OSSL_OBJECT_UNKNOWN
        || data->object_type == OSSL_OBJECT_PKEY) {
        EVP_PKEY *pk = NULL;

        /* Prefer key by reference than key by value */
        if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
            pk = try_key_ref(data, ctx, provider, libctx, propq);

            /*
             * If for some reason we couldn't get a key, it's an error.
             * It indicates that while decoders could make a key reference,
             * the keymgmt somehow couldn't handle it, or doesn't have a
             * OSSL_FUNC_keymgmt_load function.
             */
            if (pk == NULL)
                return 0;
        } else if (data->octet_data != NULL) {
            OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
            void *cbarg = &ctx->pwdata;

            pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);

            /*
             * Desperate last maneuver, in case the decoders don't support
             * the data we have, then we try on our own to at least get a
             * legacy key.
             * This is the same as der2key_decode() does, but in a limited
             * way and within the walls of libcrypto.
             *
             * TODO Remove this when #legacy keys are gone
             */
            if (pk == NULL)
                pk = try_key_value_legacy(data, &store_info_new, ctx,
                                          cb, cbarg, libctx, propq);
        }

        if (pk != NULL) {
            data->object_type = OSSL_OBJECT_PKEY;

            if (store_info_new == NULL) {
                /*
                 * We determined the object type for OSSL_STORE_INFO, which
                 * makes an explicit difference between an EVP_PKEY with just
                 * (domain) parameters and an EVP_PKEY with actual key
                 * material.
                 * The logic is that an EVP_PKEY with actual key material
                 * always has the public half.
                 */
                if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
                    store_info_new = OSSL_STORE_INFO_new_PKEY;
                else if (evp_keymgmt_util_has(pk,
                                              OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
                    store_info_new = OSSL_STORE_INFO_new_PUBKEY;
                else
                    store_info_new = OSSL_STORE_INFO_new_PARAMS;
            }
            *v = store_info_new(pk);
        }

        if (*v == NULL)
            EVP_PKEY_free(pk);
    }

    return 1;
}

static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                    OSSL_LIB_CTX *libctx, const char *propq)
{
    if (data->object_type == OSSL_OBJECT_UNKNOWN
        || data->object_type == OSSL_OBJECT_CERT) {
        X509 *cert;

        /*
         * In most cases, we can try to interpret the serialized
         * data as a trusted cert (X509 + X509_AUX) and fall back
         * to reading it as a normal cert (just X509), but if
         * |data_type| (the PEM name) specifically declares it as a
         * trusted cert, then no fallback should be engaged.
         * |ignore_trusted| tells if the fallback can be used (1)
         * or not (0).
         */
        int ignore_trusted = 1;

        /* If we have a data type, it should be a PEM name */
        if (data->data_type != NULL
            && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
            ignore_trusted = 0;

        cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
                            data->octet_data_size);
        if (cert == NULL && ignore_trusted)
            cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
                            data->octet_data_size);

        if (cert != NULL)
            /* We determined the object type */
            data->object_type = OSSL_OBJECT_CERT;

        if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
            X509_free(cert);
            cert = NULL;
        }

        if (cert != NULL)
            *v = OSSL_STORE_INFO_new_CERT(cert);
        if (*v == NULL)
            X509_free(cert);
    }

    return 1;
}

static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                   OSSL_LIB_CTX *libctx, const char *propq)
{
    if (data->object_type == OSSL_OBJECT_UNKNOWN
        || data->object_type == OSSL_OBJECT_CRL) {
        X509_CRL *crl;

        crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
                           data->octet_data_size);
        if (crl != NULL)
            /* We determined the object type */
            data->object_type = OSSL_OBJECT_CRL;

        if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
            X509_CRL_free(crl);
            crl = NULL;
        }

        if (crl != NULL)
            *v = OSSL_STORE_INFO_new_CRL(crl);
        if (*v == NULL)
            X509_CRL_free(crl);
    }

    return 1;
}

static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                      OSSL_STORE_CTX *ctx,
                      OSSL_LIB_CTX *libctx, const char *propq)
{
    /* There is no specific object type for PKCS12 */
    if (data->object_type == OSSL_OBJECT_UNKNOWN) {
        /* Initial parsing */
        PKCS12 *p12;

        if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
                              data->octet_data_size)) != NULL) {
            char *pass = NULL;
            char tpass[PEM_BUFSIZE];
            size_t tpass_len;
            EVP_PKEY *pkey = NULL;
            X509 *cert = NULL;
            STACK_OF(X509) *chain = NULL;

            data->object_type = OSSL_OBJECT_PKCS12;

            if (PKCS12_verify_mac(p12, "", 0)
                || PKCS12_verify_mac(p12, NULL, 0)) {
                pass = "";
            } else {
                static char prompt_info[] = "PKCS12 import pass phrase";
                OSSL_PARAM pw_params[] = {
                    OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
                                           prompt_info,
                                           sizeof(prompt_info) - 1),
                    OSSL_PARAM_END
                };

                if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
                                            pw_params, 0, &ctx->pwdata)) {
                    ERR_raise(ERR_LIB_OSSL_STORE,
                              OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
                    goto p12_end;
                }
                pass = tpass;
                if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
                    ERR_raise(ERR_LIB_OSSL_STORE,
                              OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
                    goto p12_end;
                }
            }

            if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
                STACK_OF(OSSL_STORE_INFO) *infos = NULL;
                OSSL_STORE_INFO *osi_pkey = NULL;
                OSSL_STORE_INFO *osi_cert = NULL;
                OSSL_STORE_INFO *osi_ca = NULL;
                int ok = 1;

                if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
                    if (pkey != NULL) {
                        if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
                            /* clearing pkey here avoids case distinctions */
                            && (pkey = NULL) == NULL
                            && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
                            osi_pkey = NULL;
                        else
                            ok = 0;
                    }
                    if (ok && cert != NULL) {
                        if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
                            /* clearing cert here avoids case distinctions */
                            && (cert = NULL) == NULL
                            && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
                            osi_cert = NULL;
                        else
                            ok = 0;
                    }
                    while (ok && sk_X509_num(chain) > 0) {
                        X509 *ca = sk_X509_value(chain, 0);

                        if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
                            && sk_X509_shift(chain) != NULL
                            && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
                            osi_ca = NULL;
                        else
                            ok = 0;
                    }
                }
                EVP_PKEY_free(pkey);
                X509_free(cert);
                sk_X509_pop_free(chain, X509_free);
                OSSL_STORE_INFO_free(osi_pkey);
                OSSL_STORE_INFO_free(osi_cert);
                OSSL_STORE_INFO_free(osi_ca);
                if (!ok) {
                    sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
                    infos = NULL;
                }
                ctx->cached_info = infos;
            }
        }
     p12_end:
        PKCS12_free(p12);
        *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
    }

    return 1;
}
Commit	Line	Data
34b80d06 RL	1	/*
	2	* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include "e_os.h"
	11	#include <string.h>
	12
	13	#include <openssl/core.h>
	14	#include <openssl/core_names.h>
	15	#include <openssl/core_object.h>
	16	#include <openssl/err.h>
	17	#include <openssl/pkcs12.h>
	18	#include <openssl/provider.h>
	19	#include <openssl/decoder.h>
	20	#include <openssl/store.h>
	21	#include "internal/provider.h"
	22	#include "internal/passphrase.h"
	23	#include "crypto/evp.h"
	24	#include "crypto/x509.h"
	25	#include "store_local.h"
	26
	27	#ifndef OSSL_OBJECT_PKCS12
	28	/*
	29	* The object abstraction doesn't know PKCS#12, but we want to indicate
	30	* it anyway, so we create our own. Since the public macros use positive
	31	* numbers, negative ones should be fine. They must never slip out from
	32	* this translation unit anyway.
	33	*/
	34	# define OSSL_OBJECT_PKCS12 -1
	35	#endif
	36
	37	/*
	38	* ossl_store_handle_load_result() is initially written to be a companion
	39	* to our 'file:' scheme provider implementation, but has been made generic
	40	* to serve others as well.
	41	*
	42	* This result handler takes any object abstraction (see provider-object(7))
	43	* and does the best it can with it. If the object is passed by value (not
	44	* by reference), the contents are currently expected to be DER encoded.
	45	* If an object type is specified, that will be respected; otherwise, this
	46	* handler will guess the contents, by trying the following in order:
	47	*
	48	* 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
	49	* 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
	50	* 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
	51	* 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
	52	*
	53	* For the 'file:' scheme implementation, this is division of labor. Since
	54	* the libcrypto <-> provider interface currently doesn't support certain
	55	* structures as first class objects, they must be unpacked from DER here
	56	* rather than in the provider. The current exception is asymmetric keys,
	57	* which can reside within the provider boundary, most of all thanks to
	58	* OSSL_FUNC_keymgmt_load(), which allows loading the key material by
	59	* reference.
	60	*/
	61
34b80d06 RL	62	struct extracted_param_data_st {
	63	int object_type;
	64	const char *data_type;
	65	const char *utf8_data;
	66	const void *octet_data;
	67	size_t octet_data_size;
	68	const void *ref;
	69	size_t ref_size;
	70	const char *desc;
	71	};
	72
	73	static int try_name(struct extracted_param_data_st , OSSL_STORE_INFO *);
	74	static int try_key(struct extracted_param_data_st , OSSL_STORE_INFO *,
	75	OSSL_STORE_CTX , const OSSL_PROVIDER ,
b4250010	76	OSSL_LIB_CTX , const char );
34b80d06	77	static int try_cert(struct extracted_param_data_st , OSSL_STORE_INFO *,
b4250010	78	OSSL_LIB_CTX , const char );
34b80d06	79	static int try_crl(struct extracted_param_data_st , OSSL_STORE_INFO *,
b4250010	80	OSSL_LIB_CTX , const char );
34b80d06	81	static int try_pkcs12(struct extracted_param_data_st , OSSL_STORE_INFO *,
b4250010	82	OSSL_STORE_CTX , OSSL_LIB_CTX , const char *);
34b80d06	83
c2150f73 RL	84	#define SET_ERR_MARK() ERR_set_mark()
	85	#define CLEAR_ERR_MARK() \
	86	do { \
	87	int err = ERR_peek_last_error(); \
	88	\
	89	if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \
29844ea5	90	&& (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE \
66066e1b	91	\|\| ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \
29844ea5	92	\|\| ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)) \
c2150f73 RL	93	ERR_pop_to_mark(); \
	94	else \
	95	ERR_clear_last_mark(); \
	96	} while(0)
	97	#define RESET_ERR_MARK() \
	98	do { \
	99	CLEAR_ERR_MARK(); \
	100	SET_ERR_MARK(); \
	101	} while(0)
	102
34b80d06 RL	103	int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
	104	{
	105	struct ossl_load_result_data_st *cbdata = arg;
	106	OSSL_STORE_INFO **v = &cbdata->v;
	107	OSSL_STORE_CTX *ctx = cbdata->ctx;
	108	const OSSL_PROVIDER *provider =
	109	OSSL_STORE_LOADER_provider(ctx->fetched_loader);
a829b735	110	OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
34b80d06 RL	111	const char *propq = ctx->properties;
	112	const OSSL_PARAM *p;
	113	struct extracted_param_data_st helper_data;
	114
	115	memset(&helper_data, 0, sizeof(helper_data));
	116	helper_data.object_type = OSSL_OBJECT_UNKNOWN;
	117
	118	if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
	119	&& !OSSL_PARAM_get_int(p, &helper_data.object_type))
	120	return 0;
	121	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
	122	if (p != NULL
	123	&& !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
	124	return 0;
	125	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
	126	if (p != NULL
	127	&& !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
	128	&helper_data.octet_data_size)
	129	&& !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
	130	return 0;
	131	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
	132	if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
	133	&helper_data.ref_size))
	134	return 0;
	135	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
	136	if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
	137	return 0;
	138
	139	/*
	140	* The helper functions return 0 on actual errors, otherwise 1, even if
	141	* they didn't fill out \|*v\|.
	142	*/
c2150f73 RL	143	SET_ERR_MARK();
	144	if (!try_name(&helper_data, v))
	145	goto err;
	146	RESET_ERR_MARK();
	147	if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
	148	goto err;
	149	RESET_ERR_MARK();
	150	if (!try_cert(&helper_data, v, libctx, propq))
	151	goto err;
	152	RESET_ERR_MARK();
	153	if (!try_crl(&helper_data, v, libctx, propq))
	154	goto err;
	155	RESET_ERR_MARK();
	156	if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
	157	goto err;
	158	CLEAR_ERR_MARK();
34b80d06 RL	159
34b80d06 RL	160	return (*v != NULL);
c2150f73 RL	161	err:
c2150f73 RL	162	return 0;
34b80d06 RL	163	}
	164
	165	static int try_name(struct extracted_param_data_st data, OSSL_STORE_INFO *v)
	166	{
	167	if (data->object_type == OSSL_OBJECT_NAME) {
	168	char newname = NULL, newdesc = NULL;
	169
	170	if (data->utf8_data == NULL)
	171	return 0;
	172	if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
	173	\|\| (data->desc != NULL
	174	&& (newdesc = OPENSSL_strdup(data->desc)) == NULL)
	175	\|\| (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
	176	OPENSSL_free(newname);
	177	OPENSSL_free(newdesc);
	178	return 0;
	179	}
	180	OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
	181	}
	182	return 1;
	183	}
	184
	185	/*
	186	* For the rest of the object types, the provider code may not know what
	187	* type of data it gave us, so we may need to figure that out on our own.
	188	* Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
	189	* only return 0 on error if the object type is known.
	190	*/
	191
	192	static EVP_PKEY try_key_ref(struct extracted_param_data_st data,
	193	OSSL_STORE_CTX *ctx,
	194	const OSSL_PROVIDER *provider,
b4250010	195	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	196	{
	197	EVP_PKEY *pk = NULL;
	198	EVP_KEYMGMT *keymgmt = NULL;
	199	void *keydata = NULL;
	200
	201	/* If we have an object reference, we must have a data type */
	202	if (data->data_type == NULL)
	203	return 0;
	204
	205	keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
	206	if (keymgmt != NULL) {
	207	/*
	208	* There are two possible cases
	209	*
	210	* 1. The keymgmt is from the same provider as the loader,
	211	* so we can use evp_keymgmt_load()
	212	* 2. The keymgmt is from another provider, then we must
	213	* do the export/import dance.
	214	*/
	215	if (EVP_KEYMGMT_provider(keymgmt) == provider) {
	216	keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
	217	} else {
	218	struct evp_keymgmt_util_try_import_data_st import_data;
	219	OSSL_FUNC_store_export_object_fn *export_object =
	220	ctx->fetched_loader->p_export_object;
	221
	222	import_data.keymgmt = keymgmt;
	223	import_data.keydata = NULL;
	224	import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
	225
	226	if (export_object != NULL) {
	227	/*
	228	* No need to check for errors here, the value of
	229	* \|import_data.keydata\| is as much an indicator.
	230	*/
	231	(void)export_object(ctx->loader_ctx,
	232	data->ref, data->ref_size,
	233	&evp_keymgmt_util_try_import,
	234	&import_data);
	235	}
	236
	237	keydata = import_data.keydata;
	238	}
	239	}
	240	if (keydata != NULL)
	241	pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
	242	EVP_KEYMGMT_free(keymgmt);
	243
	244	return pk;
	245	}
	246
	247	static EVP_PKEY try_key_value(struct extracted_param_data_st data,
	248	OSSL_STORE_CTX *ctx,
	249	OSSL_PASSPHRASE_CALLBACK cb, void cbarg,
b4250010	250	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	251	{
	252	EVP_PKEY *pk = NULL;
	253	OSSL_DECODER_CTX *decoderctx = NULL;
113adc1f RL	254	const unsigned char *pdata = data->octet_data;
113adc1f RL	255	size_t pdatalen = data->octet_data_size;
34b80d06	256
70c06aaf	257	decoderctx =
4f2abe43 RL	258	OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, NULL, NULL, NULL, 0,
4f2abe43 RL	259	libctx, propq);
34b80d06 RL	260	(void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
	261
	262	/* No error if this couldn't be decoded */
113adc1f	263	(void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);
34b80d06 RL	264
34b80d06 RL	265	OSSL_DECODER_CTX_free(decoderctx);
34b80d06 RL	266
	267	return pk;
	268	}
	269
	270	typedef OSSL_STORE_INFO store_info_new_fn(EVP_PKEY );
	271
	272	static EVP_PKEY try_key_value_legacy(struct extracted_param_data_st data,
	273	store_info_new_fn **store_info_new,
	274	OSSL_STORE_CTX *ctx,
	275	OSSL_PASSPHRASE_CALLBACK cb, void cbarg,
b4250010	276	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	277	{
	278	EVP_PKEY *pk = NULL;
	279	const unsigned char der = data->octet_data, derp;
	280	long der_len = (long)data->octet_data_size;
	281
29844ea5	282	SET_ERR_MARK();
34b80d06 RL	283	/* Try PUBKEY first, that's a real easy target */
	284	derp = der;
	285	pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
	286	if (pk != NULL)
	287	*store_info_new = OSSL_STORE_INFO_new_PUBKEY;
29844ea5	288	RESET_ERR_MARK();
34b80d06 RL	289
	290	/* Try private keys next */
	291	if (pk == NULL) {
	292	unsigned char *new_der = NULL;
	293	X509_SIG *p8 = NULL;
	294	PKCS8_PRIV_KEY_INFO *p8info = NULL;
	295
	296	/* See if it's an encrypted PKCS#8 and decrypt it */
	297	derp = der;
	298	if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
	299	char pbuf[PEM_BUFSIZE];
	300	size_t plen = 0;
	301
	302	if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
	303	ERR_raise(ERR_LIB_OSSL_STORE,
	304	OSSL_STORE_R_BAD_PASSWORD_READ);
	305	} else {
	306	const X509_ALGOR *alg = NULL;
	307	const ASN1_OCTET_STRING *oct = NULL;
	308	int len = 0;
	309
	310	X509_SIG_get0(p8, &alg, &oct);
	311
	312	/*
	313	* No need to check the returned value, \|new_der\|
	314	* will be NULL on error anyway.
	315	*/
	316	PKCS12_pbe_crypt(alg, pbuf, plen,
	317	oct->data, oct->length,
	318	&new_der, &len, 0);
	319	der_len = len;
	320	der = new_der;
	321	}
	322	X509_SIG_free(p8);
	323	}
29844ea5	324	RESET_ERR_MARK();
34b80d06 RL	325
	326	/*
	327	* If the encrypted PKCS#8 couldn't be decrypted,
	328	* \|der\| is NULL
	329	*/
	330	if (der != NULL) {
	331	/* Try to unpack an unencrypted PKCS#8, that's easy */
	332	derp = der;
	333	p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
29844ea5	334	RESET_ERR_MARK();
34b80d06	335	if (p8info != NULL) {
d8652be0	336	pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
34b80d06 RL	337	PKCS8_PRIV_KEY_INFO_free(p8info);
34b80d06 RL	338	}
34b80d06 RL	339	}
	340
	341	if (pk != NULL)
	342	*store_info_new = OSSL_STORE_INFO_new_PKEY;
	343
	344	OPENSSL_free(new_der);
	345	der = data->octet_data;
	346	der_len = (long)data->octet_data_size;
	347	}
29844ea5	348	CLEAR_ERR_MARK();
34b80d06 RL	349
	350	return pk;
	351	}
	352
	353	static int try_key(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
	354	OSSL_STORE_CTX ctx, const OSSL_PROVIDER provider,
b4250010	355	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	356	{
	357	store_info_new_fn *store_info_new = NULL;
	358
	359	if (data->object_type == OSSL_OBJECT_UNKNOWN
	360	\|\| data->object_type == OSSL_OBJECT_PKEY) {
	361	EVP_PKEY *pk = NULL;
	362
	363	/* Prefer key by reference than key by value */
	364	if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
	365	pk = try_key_ref(data, ctx, provider, libctx, propq);
	366
	367	/*
	368	* If for some reason we couldn't get a key, it's an error.
	369	* It indicates that while decoders could make a key reference,
	370	* the keymgmt somehow couldn't handle it, or doesn't have a
	371	* OSSL_FUNC_keymgmt_load function.
	372	*/
	373	if (pk == NULL)
	374	return 0;
	375	} else if (data->octet_data != NULL) {
	376	OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
	377	void *cbarg = &ctx->pwdata;
	378
	379	pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
	380
	381	/*
	382	* Desperate last maneuver, in case the decoders don't support
	383	* the data we have, then we try on our own to at least get a
	384	* legacy key.
	385	* This is the same as der2key_decode() does, but in a limited
	386	* way and within the walls of libcrypto.
	387	*
	388	* TODO Remove this when #legacy keys are gone
	389	*/
	390	if (pk == NULL)
	391	pk = try_key_value_legacy(data, &store_info_new, ctx,
	392	cb, cbarg, libctx, propq);
	393	}
	394
	395	if (pk != NULL) {
	396	data->object_type = OSSL_OBJECT_PKEY;
	397
	398	if (store_info_new == NULL) {
	399	/*
	400	* We determined the object type for OSSL_STORE_INFO, which
	401	* makes an explicit difference between an EVP_PKEY with just
	402	* (domain) parameters and an EVP_PKEY with actual key
	403	* material.
	404	* The logic is that an EVP_PKEY with actual key material
	405	* always has the public half.
	406	*/
	407	if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
	408	store_info_new = OSSL_STORE_INFO_new_PKEY;
	409	else if (evp_keymgmt_util_has(pk,
	410	OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
	411	store_info_new = OSSL_STORE_INFO_new_PUBKEY;
	412	else
	413	store_info_new = OSSL_STORE_INFO_new_PARAMS;
	414	}
	415	*v = store_info_new(pk);
	416	}
	417
	418	if (*v == NULL)
	419	EVP_PKEY_free(pk);
420	}
421
422	return 1;
423	}
424
425	static int try_cert(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
b4250010	426	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	427	{
	428	if (data->object_type == OSSL_OBJECT_UNKNOWN
	429	\|\| data->object_type == OSSL_OBJECT_CERT) {
	430	X509 *cert;
	431
	432	/*
	433	* In most cases, we can try to interpret the serialized
	434	* data as a trusted cert (X509 + X509_AUX) and fall back
	435	* to reading it as a normal cert (just X509), but if
	436	* \|data_type\| (the PEM name) specifically declares it as a
	437	* trusted cert, then no fallback should be engaged.
	438	* \|ignore_trusted\| tells if the fallback can be used (1)
	439	* or not (0).
	440	*/
	441	int ignore_trusted = 1;
	442
	443	/* If we have a data type, it should be a PEM name */
	444	if (data->data_type != NULL
	445	&& (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
	446	ignore_trusted = 0;
	447
	448	cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
	449	data->octet_data_size);
	450	if (cert == NULL && ignore_trusted)
	451	cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
	452	data->octet_data_size);
	453
	454	if (cert != NULL)
	455	/* We determined the object type */
	456	data->object_type = OSSL_OBJECT_CERT;
	457
	458	if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
	459	X509_free(cert);
	460	cert = NULL;
	461	}
	462
	463	if (cert != NULL)
	464	*v = OSSL_STORE_INFO_new_CERT(cert);
	465	if (*v == NULL)
	466	X509_free(cert);
	467	}
	468
	469	return 1;
	470	}
	471
	472	static int try_crl(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
b4250010	473	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	474	{
	475	if (data->object_type == OSSL_OBJECT_UNKNOWN
	476	\|\| data->object_type == OSSL_OBJECT_CRL) {
	477	X509_CRL *crl;
	478
	479	crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
	480	data->octet_data_size);
	481	if (crl != NULL)
	482	/* We determined the object type */
	483	data->object_type = OSSL_OBJECT_CRL;
	484
	485	if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
	486	X509_CRL_free(crl);
	487	crl = NULL;
	488	}
	489
	490	if (crl != NULL)
	491	*v = OSSL_STORE_INFO_new_CRL(crl);
	492	if (*v == NULL)
	493	X509_CRL_free(crl);
	494	}
	495
	496	return 1;
	497	}
	498
	499	static int try_pkcs12(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
	500	OSSL_STORE_CTX *ctx,
b4250010	501	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	502	{
	503	/* There is no specific object type for PKCS12 */
	504	if (data->object_type == OSSL_OBJECT_UNKNOWN) {
	505	/* Initial parsing */
	506	PKCS12 *p12;
	507
	508	if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
	509	data->octet_data_size)) != NULL) {
	510	char *pass = NULL;
	511	char tpass[PEM_BUFSIZE];
	512	size_t tpass_len;
	513	EVP_PKEY *pkey = NULL;
	514	X509 *cert = NULL;
	515	STACK_OF(X509) *chain = NULL;
	516
	517	data->object_type = OSSL_OBJECT_PKCS12;
	518
	519	if (PKCS12_verify_mac(p12, "", 0)
	520	\|\| PKCS12_verify_mac(p12, NULL, 0)) {
	521	pass = "";
	522	} else {
	523	static char prompt_info[] = "PKCS12 import pass phrase";
	524	OSSL_PARAM pw_params[] = {
	525	OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
	526	prompt_info,
	527	sizeof(prompt_info) - 1),
	528	OSSL_PARAM_END
	529	};
	530
	531	if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
	532	pw_params, 0, &ctx->pwdata)) {
	533	ERR_raise(ERR_LIB_OSSL_STORE,
	534	OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
	535	goto p12_end;
	536	}
	537	pass = tpass;
	538	if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
	539	ERR_raise(ERR_LIB_OSSL_STORE,
	540	OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
	541	goto p12_end;
	542	}
	543	}
	544
	545	if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
	546	STACK_OF(OSSL_STORE_INFO) *infos = NULL;
	547	OSSL_STORE_INFO *osi_pkey = NULL;
	548	OSSL_STORE_INFO *osi_cert = NULL;
	549	OSSL_STORE_INFO *osi_ca = NULL;
	550	int ok = 1;
	551
	552	if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
	553	if (pkey != NULL) {
	554	if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
	555	/* clearing pkey here avoids case distinctions */
	556	&& (pkey = NULL) == NULL
	557	&& sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
	558	osi_pkey = NULL;
	559	else
	560	ok = 0;
	561	}
	562	if (ok && cert != NULL) {
	563	if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
	564	/* clearing cert here avoids case distinctions */
	565	&& (cert = NULL) == NULL
566	&& sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
567	osi_cert = NULL;
568	else
569	ok = 0;
570	}
571	while (ok && sk_X509_num(chain) > 0) {
572	X509 *ca = sk_X509_value(chain, 0);
573
574	if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
575	&& sk_X509_shift(chain) != NULL
576	&& sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
577	osi_ca = NULL;
578	else
579	ok = 0;
580	}
581	}
582	EVP_PKEY_free(pkey);
583	X509_free(cert);
584	sk_X509_pop_free(chain, X509_free);
585	OSSL_STORE_INFO_free(osi_pkey);
586	OSSL_STORE_INFO_free(osi_cert);
587	OSSL_STORE_INFO_free(osi_ca);
588	if (!ok) {
589	sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
590	infos = NULL;
591	}
592	ctx->cached_info = infos;
593	}
594	}
595	p12_end:
596	PKCS12_free(p12);
597	*v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
598	}
599
600	return 1;
601	}