]>
Commit | Line | Data |
---|---|---|
34b80d06 | 1 | /* |
a28d06f3 | 2 | * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. |
34b80d06 RL |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include "e_os.h" | |
11 | #include <string.h> | |
12 | ||
13 | #include <openssl/core.h> | |
14 | #include <openssl/core_names.h> | |
15 | #include <openssl/core_object.h> | |
16 | #include <openssl/err.h> | |
17 | #include <openssl/pkcs12.h> | |
18 | #include <openssl/provider.h> | |
19 | #include <openssl/decoder.h> | |
20 | #include <openssl/store.h> | |
21 | #include "internal/provider.h" | |
22 | #include "internal/passphrase.h" | |
23 | #include "crypto/evp.h" | |
24 | #include "crypto/x509.h" | |
25 | #include "store_local.h" | |
26 | ||
27 | #ifndef OSSL_OBJECT_PKCS12 | |
28 | /* | |
29 | * The object abstraction doesn't know PKCS#12, but we want to indicate | |
30 | * it anyway, so we create our own. Since the public macros use positive | |
31 | * numbers, negative ones should be fine. They must never slip out from | |
32 | * this translation unit anyway. | |
33 | */ | |
34 | # define OSSL_OBJECT_PKCS12 -1 | |
35 | #endif | |
36 | ||
37 | /* | |
38 | * ossl_store_handle_load_result() is initially written to be a companion | |
39 | * to our 'file:' scheme provider implementation, but has been made generic | |
40 | * to serve others as well. | |
41 | * | |
42 | * This result handler takes any object abstraction (see provider-object(7)) | |
43 | * and does the best it can with it. If the object is passed by value (not | |
44 | * by reference), the contents are currently expected to be DER encoded. | |
45 | * If an object type is specified, that will be respected; otherwise, this | |
46 | * handler will guess the contents, by trying the following in order: | |
47 | * | |
48 | * 1. Decode it into an EVP_PKEY, using OSSL_DECODER. | |
49 | * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX. | |
50 | * 3. Decode it into an X.509 CRL, using d2i_X509_CRL. | |
51 | * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*). | |
52 | * | |
53 | * For the 'file:' scheme implementation, this is division of labor. Since | |
54 | * the libcrypto <-> provider interface currently doesn't support certain | |
55 | * structures as first class objects, they must be unpacked from DER here | |
56 | * rather than in the provider. The current exception is asymmetric keys, | |
57 | * which can reside within the provider boundary, most of all thanks to | |
58 | * OSSL_FUNC_keymgmt_load(), which allows loading the key material by | |
59 | * reference. | |
60 | */ | |
61 | ||
34b80d06 RL |
62 | struct extracted_param_data_st { |
63 | int object_type; | |
64 | const char *data_type; | |
70793dbb | 65 | const char *data_structure; |
34b80d06 RL |
66 | const char *utf8_data; |
67 | const void *octet_data; | |
68 | size_t octet_data_size; | |
69 | const void *ref; | |
70 | size_t ref_size; | |
71 | const char *desc; | |
72 | }; | |
73 | ||
74 | static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **); | |
75 | static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **, | |
76 | OSSL_STORE_CTX *, const OSSL_PROVIDER *, | |
b4250010 | 77 | OSSL_LIB_CTX *, const char *); |
34b80d06 | 78 | static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
b4250010 | 79 | OSSL_LIB_CTX *, const char *); |
34b80d06 | 80 | static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
b4250010 | 81 | OSSL_LIB_CTX *, const char *); |
34b80d06 | 82 | static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
b4250010 | 83 | OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *); |
34b80d06 RL |
84 | |
85 | int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg) | |
86 | { | |
87 | struct ossl_load_result_data_st *cbdata = arg; | |
88 | OSSL_STORE_INFO **v = &cbdata->v; | |
89 | OSSL_STORE_CTX *ctx = cbdata->ctx; | |
90 | const OSSL_PROVIDER *provider = | |
ed576acd | 91 | OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader); |
a829b735 | 92 | OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider); |
34b80d06 RL |
93 | const char *propq = ctx->properties; |
94 | const OSSL_PARAM *p; | |
95 | struct extracted_param_data_st helper_data; | |
96 | ||
97 | memset(&helper_data, 0, sizeof(helper_data)); | |
98 | helper_data.object_type = OSSL_OBJECT_UNKNOWN; | |
99 | ||
100 | if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL | |
101 | && !OSSL_PARAM_get_int(p, &helper_data.object_type)) | |
102 | return 0; | |
103 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); | |
104 | if (p != NULL | |
105 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type)) | |
106 | return 0; | |
107 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA); | |
108 | if (p != NULL | |
109 | && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data, | |
110 | &helper_data.octet_data_size) | |
111 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data)) | |
112 | return 0; | |
70793dbb MC |
113 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE); |
114 | if (p != NULL | |
115 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure)) | |
116 | return 0; | |
34b80d06 RL |
117 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); |
118 | if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref, | |
119 | &helper_data.ref_size)) | |
120 | return 0; | |
121 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC); | |
122 | if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc)) | |
123 | return 0; | |
124 | ||
125 | /* | |
126 | * The helper functions return 0 on actual errors, otherwise 1, even if | |
127 | * they didn't fill out |*v|. | |
128 | */ | |
521a0bf6 RL |
129 | ERR_set_mark(); |
130 | if (*v == NULL && !try_name(&helper_data, v)) | |
c2150f73 | 131 | goto err; |
521a0bf6 RL |
132 | ERR_pop_to_mark(); |
133 | ERR_set_mark(); | |
134 | if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq)) | |
c2150f73 | 135 | goto err; |
521a0bf6 RL |
136 | ERR_pop_to_mark(); |
137 | ERR_set_mark(); | |
138 | if (*v == NULL && !try_cert(&helper_data, v, libctx, propq)) | |
c2150f73 | 139 | goto err; |
521a0bf6 RL |
140 | ERR_pop_to_mark(); |
141 | ERR_set_mark(); | |
142 | if (*v == NULL && !try_crl(&helper_data, v, libctx, propq)) | |
c2150f73 | 143 | goto err; |
521a0bf6 RL |
144 | ERR_pop_to_mark(); |
145 | ERR_set_mark(); | |
146 | if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq)) | |
c2150f73 | 147 | goto err; |
521a0bf6 RL |
148 | ERR_pop_to_mark(); |
149 | ||
150 | if (*v == NULL) | |
151 | ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED); | |
34b80d06 RL |
152 | |
153 | return (*v != NULL); | |
c2150f73 | 154 | err: |
521a0bf6 | 155 | ERR_clear_last_mark(); |
c2150f73 | 156 | return 0; |
34b80d06 RL |
157 | } |
158 | ||
159 | static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v) | |
160 | { | |
161 | if (data->object_type == OSSL_OBJECT_NAME) { | |
162 | char *newname = NULL, *newdesc = NULL; | |
163 | ||
164 | if (data->utf8_data == NULL) | |
165 | return 0; | |
166 | if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL | |
167 | || (data->desc != NULL | |
168 | && (newdesc = OPENSSL_strdup(data->desc)) == NULL) | |
169 | || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) { | |
170 | OPENSSL_free(newname); | |
171 | OPENSSL_free(newdesc); | |
172 | return 0; | |
173 | } | |
174 | OSSL_STORE_INFO_set0_NAME_description(*v, newdesc); | |
175 | } | |
176 | return 1; | |
177 | } | |
178 | ||
179 | /* | |
180 | * For the rest of the object types, the provider code may not know what | |
181 | * type of data it gave us, so we may need to figure that out on our own. | |
182 | * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and | |
183 | * only return 0 on error if the object type is known. | |
184 | */ | |
185 | ||
186 | static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data, | |
187 | OSSL_STORE_CTX *ctx, | |
188 | const OSSL_PROVIDER *provider, | |
b4250010 | 189 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 RL |
190 | { |
191 | EVP_PKEY *pk = NULL; | |
192 | EVP_KEYMGMT *keymgmt = NULL; | |
193 | void *keydata = NULL; | |
194 | ||
195 | /* If we have an object reference, we must have a data type */ | |
196 | if (data->data_type == NULL) | |
197 | return 0; | |
198 | ||
199 | keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq); | |
200 | if (keymgmt != NULL) { | |
201 | /* | |
202 | * There are two possible cases | |
203 | * | |
204 | * 1. The keymgmt is from the same provider as the loader, | |
205 | * so we can use evp_keymgmt_load() | |
206 | * 2. The keymgmt is from another provider, then we must | |
207 | * do the export/import dance. | |
208 | */ | |
ed576acd | 209 | if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { |
34b80d06 RL |
210 | keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size); |
211 | } else { | |
212 | struct evp_keymgmt_util_try_import_data_st import_data; | |
213 | OSSL_FUNC_store_export_object_fn *export_object = | |
214 | ctx->fetched_loader->p_export_object; | |
215 | ||
216 | import_data.keymgmt = keymgmt; | |
217 | import_data.keydata = NULL; | |
218 | import_data.selection = OSSL_KEYMGMT_SELECT_ALL; | |
219 | ||
220 | if (export_object != NULL) { | |
221 | /* | |
222 | * No need to check for errors here, the value of | |
223 | * |import_data.keydata| is as much an indicator. | |
224 | */ | |
225 | (void)export_object(ctx->loader_ctx, | |
226 | data->ref, data->ref_size, | |
227 | &evp_keymgmt_util_try_import, | |
228 | &import_data); | |
229 | } | |
230 | ||
231 | keydata = import_data.keydata; | |
232 | } | |
233 | } | |
234 | if (keydata != NULL) | |
235 | pk = evp_keymgmt_util_make_pkey(keymgmt, keydata); | |
236 | EVP_KEYMGMT_free(keymgmt); | |
237 | ||
238 | return pk; | |
239 | } | |
240 | ||
241 | static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, | |
242 | OSSL_STORE_CTX *ctx, | |
243 | OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, | |
b4250010 | 244 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 RL |
245 | { |
246 | EVP_PKEY *pk = NULL; | |
247 | OSSL_DECODER_CTX *decoderctx = NULL; | |
113adc1f RL |
248 | const unsigned char *pdata = data->octet_data; |
249 | size_t pdatalen = data->octet_data_size; | |
9787b5b8 RL |
250 | int selection = 0; |
251 | ||
252 | switch (ctx->expected_type) { | |
253 | case 0: | |
254 | break; | |
255 | case OSSL_STORE_INFO_PARAMS: | |
256 | selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; | |
257 | break; | |
258 | case OSSL_STORE_INFO_PUBKEY: | |
259 | selection = | |
260 | OSSL_KEYMGMT_SELECT_PUBLIC_KEY | |
261 | | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; | |
262 | break; | |
263 | case OSSL_STORE_INFO_PKEY: | |
264 | selection = OSSL_KEYMGMT_SELECT_ALL; | |
265 | break; | |
266 | default: | |
267 | return NULL; | |
268 | } | |
34b80d06 | 269 | |
70c06aaf | 270 | decoderctx = |
70793dbb MC |
271 | OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", data->data_structure, |
272 | data->data_type, selection, libctx, | |
273 | propq); | |
34b80d06 RL |
274 | (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); |
275 | ||
276 | /* No error if this couldn't be decoded */ | |
113adc1f | 277 | (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen); |
34b80d06 RL |
278 | |
279 | OSSL_DECODER_CTX_free(decoderctx); | |
34b80d06 RL |
280 | |
281 | return pk; | |
282 | } | |
283 | ||
284 | typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *); | |
285 | ||
286 | static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data, | |
287 | store_info_new_fn **store_info_new, | |
288 | OSSL_STORE_CTX *ctx, | |
289 | OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, | |
b4250010 | 290 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 RL |
291 | { |
292 | EVP_PKEY *pk = NULL; | |
293 | const unsigned char *der = data->octet_data, *derp; | |
294 | long der_len = (long)data->octet_data_size; | |
295 | ||
296 | /* Try PUBKEY first, that's a real easy target */ | |
9787b5b8 RL |
297 | if (ctx->expected_type == 0 |
298 | || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) { | |
299 | derp = der; | |
300 | pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq); | |
1fbf7079 | 301 | |
9787b5b8 RL |
302 | if (pk != NULL) |
303 | *store_info_new = OSSL_STORE_INFO_new_PUBKEY; | |
9787b5b8 | 304 | } |
34b80d06 RL |
305 | |
306 | /* Try private keys next */ | |
9787b5b8 RL |
307 | if (pk == NULL |
308 | && (ctx->expected_type == 0 | |
309 | || ctx->expected_type == OSSL_STORE_INFO_PKEY)) { | |
34b80d06 RL |
310 | unsigned char *new_der = NULL; |
311 | X509_SIG *p8 = NULL; | |
312 | PKCS8_PRIV_KEY_INFO *p8info = NULL; | |
313 | ||
521a0bf6 | 314 | /* See if it's an encrypted PKCS#8 and decrypt it. */ |
34b80d06 | 315 | derp = der; |
1fbf7079 | 316 | p8 = d2i_X509_SIG(NULL, &derp, der_len); |
1fbf7079 RL |
317 | |
318 | if (p8 != NULL) { | |
34b80d06 RL |
319 | char pbuf[PEM_BUFSIZE]; |
320 | size_t plen = 0; | |
321 | ||
322 | if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) { | |
9311d0c4 | 323 | ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ); |
34b80d06 RL |
324 | } else { |
325 | const X509_ALGOR *alg = NULL; | |
326 | const ASN1_OCTET_STRING *oct = NULL; | |
327 | int len = 0; | |
328 | ||
329 | X509_SIG_get0(p8, &alg, &oct); | |
330 | ||
331 | /* | |
332 | * No need to check the returned value, |new_der| | |
333 | * will be NULL on error anyway. | |
334 | */ | |
335 | PKCS12_pbe_crypt(alg, pbuf, plen, | |
336 | oct->data, oct->length, | |
337 | &new_der, &len, 0); | |
338 | der_len = len; | |
339 | der = new_der; | |
340 | } | |
341 | X509_SIG_free(p8); | |
342 | } | |
343 | ||
344 | /* | |
345 | * If the encrypted PKCS#8 couldn't be decrypted, | |
346 | * |der| is NULL | |
347 | */ | |
348 | if (der != NULL) { | |
521a0bf6 | 349 | /* Try to unpack an unencrypted PKCS#8, that's easy */ |
34b80d06 RL |
350 | derp = der; |
351 | p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len); | |
1fbf7079 | 352 | |
34b80d06 | 353 | if (p8info != NULL) { |
d8652be0 | 354 | pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq); |
34b80d06 RL |
355 | PKCS8_PRIV_KEY_INFO_free(p8info); |
356 | } | |
34b80d06 RL |
357 | } |
358 | ||
359 | if (pk != NULL) | |
360 | *store_info_new = OSSL_STORE_INFO_new_PKEY; | |
361 | ||
362 | OPENSSL_free(new_der); | |
34b80d06 | 363 | } |
34b80d06 RL |
364 | |
365 | return pk; | |
366 | } | |
367 | ||
368 | static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, | |
369 | OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider, | |
b4250010 | 370 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 RL |
371 | { |
372 | store_info_new_fn *store_info_new = NULL; | |
373 | ||
374 | if (data->object_type == OSSL_OBJECT_UNKNOWN | |
375 | || data->object_type == OSSL_OBJECT_PKEY) { | |
376 | EVP_PKEY *pk = NULL; | |
377 | ||
378 | /* Prefer key by reference than key by value */ | |
379 | if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) { | |
380 | pk = try_key_ref(data, ctx, provider, libctx, propq); | |
381 | ||
382 | /* | |
383 | * If for some reason we couldn't get a key, it's an error. | |
384 | * It indicates that while decoders could make a key reference, | |
385 | * the keymgmt somehow couldn't handle it, or doesn't have a | |
386 | * OSSL_FUNC_keymgmt_load function. | |
387 | */ | |
388 | if (pk == NULL) | |
389 | return 0; | |
390 | } else if (data->octet_data != NULL) { | |
391 | OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec; | |
392 | void *cbarg = &ctx->pwdata; | |
393 | ||
394 | pk = try_key_value(data, ctx, cb, cbarg, libctx, propq); | |
395 | ||
396 | /* | |
397 | * Desperate last maneuver, in case the decoders don't support | |
521a0bf6 RL |
398 | * the data we have, then we try on our own to at least get an |
399 | * engine provided legacy key. | |
34b80d06 RL |
400 | * This is the same as der2key_decode() does, but in a limited |
401 | * way and within the walls of libcrypto. | |
402 | * | |
403 | * TODO Remove this when #legacy keys are gone | |
404 | */ | |
405 | if (pk == NULL) | |
406 | pk = try_key_value_legacy(data, &store_info_new, ctx, | |
407 | cb, cbarg, libctx, propq); | |
408 | } | |
409 | ||
410 | if (pk != NULL) { | |
411 | data->object_type = OSSL_OBJECT_PKEY; | |
412 | ||
413 | if (store_info_new == NULL) { | |
414 | /* | |
415 | * We determined the object type for OSSL_STORE_INFO, which | |
416 | * makes an explicit difference between an EVP_PKEY with just | |
417 | * (domain) parameters and an EVP_PKEY with actual key | |
418 | * material. | |
419 | * The logic is that an EVP_PKEY with actual key material | |
420 | * always has the public half. | |
421 | */ | |
422 | if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) | |
423 | store_info_new = OSSL_STORE_INFO_new_PKEY; | |
424 | else if (evp_keymgmt_util_has(pk, | |
425 | OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) | |
426 | store_info_new = OSSL_STORE_INFO_new_PUBKEY; | |
427 | else | |
428 | store_info_new = OSSL_STORE_INFO_new_PARAMS; | |
429 | } | |
430 | *v = store_info_new(pk); | |
431 | } | |
432 | ||
433 | if (*v == NULL) | |
434 | EVP_PKEY_free(pk); | |
435 | } | |
436 | ||
437 | return 1; | |
438 | } | |
439 | ||
440 | static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, | |
b4250010 | 441 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 RL |
442 | { |
443 | if (data->object_type == OSSL_OBJECT_UNKNOWN | |
444 | || data->object_type == OSSL_OBJECT_CERT) { | |
34b80d06 RL |
445 | /* |
446 | * In most cases, we can try to interpret the serialized | |
447 | * data as a trusted cert (X509 + X509_AUX) and fall back | |
448 | * to reading it as a normal cert (just X509), but if | |
449 | * |data_type| (the PEM name) specifically declares it as a | |
450 | * trusted cert, then no fallback should be engaged. | |
451 | * |ignore_trusted| tells if the fallback can be used (1) | |
452 | * or not (0). | |
453 | */ | |
454 | int ignore_trusted = 1; | |
99be8ed3 MC |
455 | X509 *cert = X509_new_ex(libctx, propq); |
456 | ||
457 | if (cert == NULL) | |
458 | return 0; | |
34b80d06 RL |
459 | |
460 | /* If we have a data type, it should be a PEM name */ | |
461 | if (data->data_type != NULL | |
462 | && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0)) | |
463 | ignore_trusted = 0; | |
464 | ||
99be8ed3 MC |
465 | if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data, |
466 | data->octet_data_size) == NULL | |
467 | && (!ignore_trusted | |
468 | || d2i_X509(&cert, (const unsigned char **)&data->octet_data, | |
469 | data->octet_data_size) == NULL)) { | |
34b80d06 RL |
470 | X509_free(cert); |
471 | cert = NULL; | |
472 | } | |
473 | ||
99be8ed3 MC |
474 | if (cert != NULL) { |
475 | /* We determined the object type */ | |
476 | data->object_type = OSSL_OBJECT_CERT; | |
34b80d06 | 477 | *v = OSSL_STORE_INFO_new_CERT(cert); |
99be8ed3 MC |
478 | if (*v == NULL) |
479 | X509_free(cert); | |
480 | } | |
34b80d06 RL |
481 | } |
482 | ||
483 | return 1; | |
484 | } | |
485 | ||
486 | static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, | |
b4250010 | 487 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 RL |
488 | { |
489 | if (data->object_type == OSSL_OBJECT_UNKNOWN | |
490 | || data->object_type == OSSL_OBJECT_CRL) { | |
491 | X509_CRL *crl; | |
492 | ||
493 | crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data, | |
494 | data->octet_data_size); | |
1fbf7079 | 495 | |
34b80d06 RL |
496 | if (crl != NULL) |
497 | /* We determined the object type */ | |
498 | data->object_type = OSSL_OBJECT_CRL; | |
499 | ||
4669015d | 500 | if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) { |
34b80d06 RL |
501 | X509_CRL_free(crl); |
502 | crl = NULL; | |
503 | } | |
504 | ||
505 | if (crl != NULL) | |
506 | *v = OSSL_STORE_INFO_new_CRL(crl); | |
507 | if (*v == NULL) | |
508 | X509_CRL_free(crl); | |
509 | } | |
510 | ||
511 | return 1; | |
512 | } | |
513 | ||
514 | static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, | |
515 | OSSL_STORE_CTX *ctx, | |
b4250010 | 516 | OSSL_LIB_CTX *libctx, const char *propq) |
34b80d06 | 517 | { |
1fbf7079 RL |
518 | int ok = 1; |
519 | ||
34b80d06 RL |
520 | /* There is no specific object type for PKCS12 */ |
521 | if (data->object_type == OSSL_OBJECT_UNKNOWN) { | |
522 | /* Initial parsing */ | |
523 | PKCS12 *p12; | |
524 | ||
1fbf7079 RL |
525 | p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data, |
526 | data->octet_data_size); | |
1fbf7079 RL |
527 | |
528 | if (p12 != NULL) { | |
34b80d06 RL |
529 | char *pass = NULL; |
530 | char tpass[PEM_BUFSIZE]; | |
531 | size_t tpass_len; | |
532 | EVP_PKEY *pkey = NULL; | |
533 | X509 *cert = NULL; | |
534 | STACK_OF(X509) *chain = NULL; | |
535 | ||
536 | data->object_type = OSSL_OBJECT_PKCS12; | |
537 | ||
1fbf7079 RL |
538 | ok = 0; /* Assume decryption or parse error */ |
539 | ||
34b80d06 RL |
540 | if (PKCS12_verify_mac(p12, "", 0) |
541 | || PKCS12_verify_mac(p12, NULL, 0)) { | |
542 | pass = ""; | |
543 | } else { | |
544 | static char prompt_info[] = "PKCS12 import pass phrase"; | |
545 | OSSL_PARAM pw_params[] = { | |
546 | OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, | |
547 | prompt_info, | |
548 | sizeof(prompt_info) - 1), | |
549 | OSSL_PARAM_END | |
550 | }; | |
551 | ||
552 | if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len, | |
553 | pw_params, 0, &ctx->pwdata)) { | |
554 | ERR_raise(ERR_LIB_OSSL_STORE, | |
555 | OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR); | |
556 | goto p12_end; | |
557 | } | |
558 | pass = tpass; | |
559 | if (!PKCS12_verify_mac(p12, pass, strlen(pass))) { | |
39a61e69 DDO |
560 | ERR_raise_data(ERR_LIB_OSSL_STORE, |
561 | OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC, | |
562 | strlen(pass) == 0 ? "empty password" : | |
563 | "maybe wrong password"); | |
34b80d06 RL |
564 | goto p12_end; |
565 | } | |
566 | } | |
567 | ||
568 | if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) { | |
569 | STACK_OF(OSSL_STORE_INFO) *infos = NULL; | |
570 | OSSL_STORE_INFO *osi_pkey = NULL; | |
571 | OSSL_STORE_INFO *osi_cert = NULL; | |
572 | OSSL_STORE_INFO *osi_ca = NULL; | |
1fbf7079 RL |
573 | |
574 | ok = 1; /* Parsing went through correctly! */ | |
34b80d06 RL |
575 | |
576 | if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) { | |
577 | if (pkey != NULL) { | |
578 | if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL | |
579 | /* clearing pkey here avoids case distinctions */ | |
580 | && (pkey = NULL) == NULL | |
581 | && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0) | |
582 | osi_pkey = NULL; | |
583 | else | |
584 | ok = 0; | |
585 | } | |
586 | if (ok && cert != NULL) { | |
587 | if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL | |
588 | /* clearing cert here avoids case distinctions */ | |
589 | && (cert = NULL) == NULL | |
590 | && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0) | |
591 | osi_cert = NULL; | |
592 | else | |
593 | ok = 0; | |
594 | } | |
595 | while (ok && sk_X509_num(chain) > 0) { | |
596 | X509 *ca = sk_X509_value(chain, 0); | |
597 | ||
598 | if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL | |
599 | && sk_X509_shift(chain) != NULL | |
600 | && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0) | |
601 | osi_ca = NULL; | |
602 | else | |
603 | ok = 0; | |
604 | } | |
605 | } | |
606 | EVP_PKEY_free(pkey); | |
607 | X509_free(cert); | |
608 | sk_X509_pop_free(chain, X509_free); | |
609 | OSSL_STORE_INFO_free(osi_pkey); | |
610 | OSSL_STORE_INFO_free(osi_cert); | |
611 | OSSL_STORE_INFO_free(osi_ca); | |
612 | if (!ok) { | |
613 | sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free); | |
614 | infos = NULL; | |
615 | } | |
616 | ctx->cached_info = infos; | |
617 | } | |
618 | } | |
619 | p12_end: | |
620 | PKCS12_free(p12); | |
621 | *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); | |
622 | } | |
623 | ||
1fbf7079 | 624 | return ok; |
34b80d06 | 625 | } |