[thirdparty/openssl.git] / crypto / store / store_result.c

/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "e_os.h"
#include <string.h>

#include <openssl/core.h>
#include <openssl/core_names.h>
#include <openssl/core_object.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
#include <openssl/decoder.h>
#include <openssl/store.h>
#include "internal/provider.h"
#include "internal/passphrase.h"
#include "crypto/evp.h"
#include "crypto/x509.h"
#include "store_local.h"

#ifndef OSSL_OBJECT_PKCS12
/*
 * The object abstraction doesn't know PKCS#12, but we want to indicate
 * it anyway, so we create our own.  Since the public macros use positive
 * numbers, negative ones should be fine.  They must never slip out from
 * this translation unit anyway.
 */
# define OSSL_OBJECT_PKCS12 -1
#endif

/*
 * ossl_store_handle_load_result() is initially written to be a companion
 * to our 'file:' scheme provider implementation, but has been made generic
 * to serve others as well.
 *
 * This result handler takes any object abstraction (see provider-object(7))
 * and does the best it can with it.  If the object is passed by value (not
 * by reference), the contents are currently expected to be DER encoded.
 * If an object type is specified, that will be respected; otherwise, this
 * handler will guess the contents, by trying the following in order:
 *
 * 1.  Decode it into an EVP_PKEY, using OSSL_DECODER.
 * 2.  Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
 * 3.  Decode it into an X.509 CRL, using d2i_X509_CRL.
 * 4.  Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
 *
 * For the 'file:' scheme implementation, this is division of labor.  Since
 * the libcrypto <-> provider interface currently doesn't support certain
 * structures as first class objects, they must be unpacked from DER here
 * rather than in the provider.  The current exception is asymmetric keys,
 * which can reside within the provider boundary, most of all thanks to
 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
 * reference.
 */

struct extracted_param_data_st {
    int object_type;
    const char *data_type;
    const char *data_structure;
    const char *utf8_data;
    const void *octet_data;
    size_t octet_data_size;
    const void *ref;
    size_t ref_size;
    const char *desc;
};

static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                   OSSL_STORE_CTX *, const OSSL_PROVIDER *,
                   OSSL_LIB_CTX *, const char *);
static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                    OSSL_LIB_CTX *, const char *);
static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                   OSSL_LIB_CTX *, const char *);
static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                      OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *);

int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
{
    struct ossl_load_result_data_st *cbdata = arg;
    OSSL_STORE_INFO **v = &cbdata->v;
    OSSL_STORE_CTX *ctx = cbdata->ctx;
    const OSSL_PROVIDER *provider =
        OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader);
    OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
    const char *propq = ctx->properties;
    const OSSL_PARAM *p;
    struct extracted_param_data_st helper_data;

    memset(&helper_data, 0, sizeof(helper_data));
    helper_data.object_type = OSSL_OBJECT_UNKNOWN;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
        && !OSSL_PARAM_get_int(p, &helper_data.object_type))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
    if (p != NULL
        && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
    if (p != NULL
        && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
                                            &helper_data.octet_data_size)
        && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE);
    if (p != NULL
        && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
    if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
                                                      &helper_data.ref_size))
        return 0;
    p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
    if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
        return 0;

    /*
     * The helper functions return 0 on actual errors, otherwise 1, even if
     * they didn't fill out |*v|.
     */
    ERR_set_mark();
    if (*v == NULL && !try_name(&helper_data, v))
        goto err;
    ERR_pop_to_mark();
    ERR_set_mark();
    if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq))
        goto err;
    ERR_pop_to_mark();
    ERR_set_mark();
    if (*v == NULL && !try_cert(&helper_data, v, libctx, propq))
        goto err;
    ERR_pop_to_mark();
    ERR_set_mark();
    if (*v == NULL && !try_crl(&helper_data, v, libctx, propq))
        goto err;
    ERR_pop_to_mark();
    ERR_set_mark();
    if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq))
        goto err;
    ERR_pop_to_mark();

    if (*v == NULL)
        ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED);

    return (*v != NULL);
 err:
    ERR_clear_last_mark();
    return 0;
}

static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
{
    if (data->object_type == OSSL_OBJECT_NAME) {
        char *newname = NULL, *newdesc = NULL;

        if (data->utf8_data == NULL)
            return 0;
        if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
            || (data->desc != NULL
                && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
            || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
            OPENSSL_free(newname);
            OPENSSL_free(newdesc);
            return 0;
        }
        OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
    }
    return 1;
}

/*
 * For the rest of the object types, the provider code may not know what
 * type of data it gave us, so we may need to figure that out on our own.
 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
 * only return 0 on error if the object type is known.
 */

static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
                             OSSL_STORE_CTX *ctx,
                             const OSSL_PROVIDER *provider,
                             OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pk = NULL;
    EVP_KEYMGMT *keymgmt = NULL;
    void *keydata = NULL;

    /* If we have an object reference, we must have a data type */
    if (data->data_type == NULL)
        return 0;

    keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
    if (keymgmt != NULL) {
        /*
         * There are two possible cases
         *
         * 1.  The keymgmt is from the same provider as the loader,
         *     so we can use evp_keymgmt_load()
         * 2.  The keymgmt is from another provider, then we must
         *     do the export/import dance.
         */
        if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
            keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
        } else {
            struct evp_keymgmt_util_try_import_data_st import_data;
            OSSL_FUNC_store_export_object_fn *export_object =
                ctx->fetched_loader->p_export_object;

            import_data.keymgmt = keymgmt;
            import_data.keydata = NULL;
            import_data.selection = OSSL_KEYMGMT_SELECT_ALL;

            if (export_object != NULL) {
                /*
                 * No need to check for errors here, the value of
                 * |import_data.keydata| is as much an indicator.
                 */
                (void)export_object(ctx->loader_ctx,
                                    data->ref, data->ref_size,
                                    &evp_keymgmt_util_try_import,
                                    &import_data);
            }

            keydata = import_data.keydata;
        }
    }
    if (keydata != NULL)
        pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
    EVP_KEYMGMT_free(keymgmt);

    return pk;
}

static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
                               OSSL_STORE_CTX *ctx,
                               OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
                               OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pk = NULL;
    OSSL_DECODER_CTX *decoderctx = NULL;
    const unsigned char *pdata = data->octet_data;
    size_t pdatalen = data->octet_data_size;
    int selection = 0;

    switch (ctx->expected_type) {
    case 0:
        break;
    case OSSL_STORE_INFO_PARAMS:
        selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
        break;
    case OSSL_STORE_INFO_PUBKEY:
        selection =
            OSSL_KEYMGMT_SELECT_PUBLIC_KEY
            | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
        break;
    case OSSL_STORE_INFO_PKEY:
        selection = OSSL_KEYMGMT_SELECT_ALL;
        break;
    default:
        return NULL;
    }

    decoderctx =
        OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", data->data_structure,
                                      data->data_type, selection, libctx,
                                      propq);
    (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);

    /* No error if this couldn't be decoded */
    (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);

    OSSL_DECODER_CTX_free(decoderctx);

    return pk;
}

typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);

static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
                                      store_info_new_fn **store_info_new,
                                      OSSL_STORE_CTX *ctx,
                                      OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
                                      OSSL_LIB_CTX *libctx, const char *propq)
{
    EVP_PKEY *pk = NULL;
    const unsigned char *der = data->octet_data, *derp;
    long der_len = (long)data->octet_data_size;

    /* Try PUBKEY first, that's a real easy target */
    if (ctx->expected_type == 0
        || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) {
        derp = der;
        pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);

        if (pk != NULL)
            *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
    }

    /* Try private keys next */
    if (pk == NULL
        && (ctx->expected_type == 0
            || ctx->expected_type == OSSL_STORE_INFO_PKEY)) {
        unsigned char *new_der = NULL;
        X509_SIG *p8 = NULL;
        PKCS8_PRIV_KEY_INFO *p8info = NULL;

        /* See if it's an encrypted PKCS#8 and decrypt it. */
        derp = der;
        p8 = d2i_X509_SIG(NULL, &derp, der_len);

        if (p8 != NULL) {
            char pbuf[PEM_BUFSIZE];
            size_t plen = 0;

            if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
                ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ);
            } else {
                const X509_ALGOR *alg = NULL;
                const ASN1_OCTET_STRING *oct = NULL;
                int len = 0;

                X509_SIG_get0(p8, &alg, &oct);

                /*
                 * No need to check the returned value, |new_der|
                 * will be NULL on error anyway.
                 */
                PKCS12_pbe_crypt(alg, pbuf, plen,
                                 oct->data, oct->length,
                                 &new_der, &len, 0);
                der_len = len;
                der = new_der;
            }
            X509_SIG_free(p8);
        }

        /*
         * If the encrypted PKCS#8 couldn't be decrypted,
         * |der| is NULL
         */
        if (der != NULL) {
            /* Try to unpack an unencrypted PKCS#8, that's easy */
            derp = der;
            p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);

            if (p8info != NULL) {
                pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
                PKCS8_PRIV_KEY_INFO_free(p8info);
            }
        }

        if (pk != NULL)
            *store_info_new = OSSL_STORE_INFO_new_PKEY;

        OPENSSL_free(new_der);
    }

    return pk;
}

static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                   OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
                   OSSL_LIB_CTX *libctx, const char *propq)
{
    store_info_new_fn *store_info_new = NULL;

    if (data->object_type == OSSL_OBJECT_UNKNOWN
        || data->object_type == OSSL_OBJECT_PKEY) {
        EVP_PKEY *pk = NULL;

        /* Prefer key by reference than key by value */
        if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
            pk = try_key_ref(data, ctx, provider, libctx, propq);

            /*
             * If for some reason we couldn't get a key, it's an error.
             * It indicates that while decoders could make a key reference,
             * the keymgmt somehow couldn't handle it, or doesn't have a
             * OSSL_FUNC_keymgmt_load function.
             */
            if (pk == NULL)
                return 0;
        } else if (data->octet_data != NULL) {
            OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
            void *cbarg = &ctx->pwdata;

            pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);

            /*
             * Desperate last maneuver, in case the decoders don't support
             * the data we have, then we try on our own to at least get an
             * engine provided legacy key.
             * This is the same as der2key_decode() does, but in a limited
             * way and within the walls of libcrypto.
             *
             * TODO Remove this when #legacy keys are gone
             */
            if (pk == NULL)
                pk = try_key_value_legacy(data, &store_info_new, ctx,
                                          cb, cbarg, libctx, propq);
        }

        if (pk != NULL) {
            data->object_type = OSSL_OBJECT_PKEY;

            if (store_info_new == NULL) {
                /*
                 * We determined the object type for OSSL_STORE_INFO, which
                 * makes an explicit difference between an EVP_PKEY with just
                 * (domain) parameters and an EVP_PKEY with actual key
                 * material.
                 * The logic is that an EVP_PKEY with actual key material
                 * always has the public half.
                 */
                if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
                    store_info_new = OSSL_STORE_INFO_new_PKEY;
                else if (evp_keymgmt_util_has(pk,
                                              OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
                    store_info_new = OSSL_STORE_INFO_new_PUBKEY;
                else
                    store_info_new = OSSL_STORE_INFO_new_PARAMS;
            }
            *v = store_info_new(pk);
        }

        if (*v == NULL)
            EVP_PKEY_free(pk);
    }

    return 1;
}

static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                    OSSL_LIB_CTX *libctx, const char *propq)
{
    if (data->object_type == OSSL_OBJECT_UNKNOWN
        || data->object_type == OSSL_OBJECT_CERT) {
        /*
         * In most cases, we can try to interpret the serialized
         * data as a trusted cert (X509 + X509_AUX) and fall back
         * to reading it as a normal cert (just X509), but if
         * |data_type| (the PEM name) specifically declares it as a
         * trusted cert, then no fallback should be engaged.
         * |ignore_trusted| tells if the fallback can be used (1)
         * or not (0).
         */
        int ignore_trusted = 1;
        X509 *cert = X509_new_ex(libctx, propq);

        if (cert == NULL)
            return 0;

        /* If we have a data type, it should be a PEM name */
        if (data->data_type != NULL
            && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
            ignore_trusted = 0;

        if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data,
                         data->octet_data_size) == NULL
            && (!ignore_trusted
                || d2i_X509(&cert, (const unsigned char **)&data->octet_data,
                            data->octet_data_size) == NULL)) {
            X509_free(cert);
            cert = NULL;
        }

        if (cert != NULL) {
            /* We determined the object type */
            data->object_type = OSSL_OBJECT_CERT;
            *v = OSSL_STORE_INFO_new_CERT(cert);
            if (*v == NULL)
                X509_free(cert);
        }
    }

    return 1;
}

static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                   OSSL_LIB_CTX *libctx, const char *propq)
{
    if (data->object_type == OSSL_OBJECT_UNKNOWN
        || data->object_type == OSSL_OBJECT_CRL) {
        X509_CRL *crl;

        crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
                           data->octet_data_size);

        if (crl != NULL)
            /* We determined the object type */
            data->object_type = OSSL_OBJECT_CRL;

        if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
            X509_CRL_free(crl);
            crl = NULL;
        }

        if (crl != NULL)
            *v = OSSL_STORE_INFO_new_CRL(crl);
        if (*v == NULL)
            X509_CRL_free(crl);
    }

    return 1;
}

static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                      OSSL_STORE_CTX *ctx,
                      OSSL_LIB_CTX *libctx, const char *propq)
{
    int ok = 1;

    /* There is no specific object type for PKCS12 */
    if (data->object_type == OSSL_OBJECT_UNKNOWN) {
        /* Initial parsing */
        PKCS12 *p12;

        p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
                         data->octet_data_size);

        if (p12 != NULL) {
            char *pass = NULL;
            char tpass[PEM_BUFSIZE];
            size_t tpass_len;
            EVP_PKEY *pkey = NULL;
            X509 *cert = NULL;
            STACK_OF(X509) *chain = NULL;

            data->object_type = OSSL_OBJECT_PKCS12;

            ok = 0;              /* Assume decryption or parse error */

            if (PKCS12_verify_mac(p12, "", 0)
                || PKCS12_verify_mac(p12, NULL, 0)) {
                pass = "";
            } else {
                static char prompt_info[] = "PKCS12 import pass phrase";
                OSSL_PARAM pw_params[] = {
                    OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
                                           prompt_info,
                                           sizeof(prompt_info) - 1),
                    OSSL_PARAM_END
                };

                if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
                                            pw_params, 0, &ctx->pwdata)) {
                    ERR_raise(ERR_LIB_OSSL_STORE,
                              OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
                    goto p12_end;
                }
                pass = tpass;
                if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
                    ERR_raise_data(ERR_LIB_OSSL_STORE,
                                   OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
                                   strlen(pass) == 0 ? "empty password" :
                                   "maybe wrong password");
                    goto p12_end;
                }
            }

            if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
                STACK_OF(OSSL_STORE_INFO) *infos = NULL;
                OSSL_STORE_INFO *osi_pkey = NULL;
                OSSL_STORE_INFO *osi_cert = NULL;
                OSSL_STORE_INFO *osi_ca = NULL;

                ok = 1;          /* Parsing went through correctly! */

                if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
                    if (pkey != NULL) {
                        if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
                            /* clearing pkey here avoids case distinctions */
                            && (pkey = NULL) == NULL
                            && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
                            osi_pkey = NULL;
                        else
                            ok = 0;
                    }
                    if (ok && cert != NULL) {
                        if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
                            /* clearing cert here avoids case distinctions */
                            && (cert = NULL) == NULL
                            && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
                            osi_cert = NULL;
                        else
                            ok = 0;
                    }
                    while (ok && sk_X509_num(chain) > 0) {
                        X509 *ca = sk_X509_value(chain, 0);

                        if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
                            && sk_X509_shift(chain) != NULL
                            && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
                            osi_ca = NULL;
                        else
                            ok = 0;
                    }
                }
                EVP_PKEY_free(pkey);
                X509_free(cert);
                sk_X509_pop_free(chain, X509_free);
                OSSL_STORE_INFO_free(osi_pkey);
                OSSL_STORE_INFO_free(osi_cert);
                OSSL_STORE_INFO_free(osi_ca);
                if (!ok) {
                    sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
                    infos = NULL;
                }
                ctx->cached_info = infos;
            }
        }
     p12_end:
        PKCS12_free(p12);
        *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
    }

    return ok;
}
Commit	Line	Data
34b80d06	1	/*
a28d06f3	2	* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
34b80d06 RL	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include "e_os.h"
	11	#include <string.h>
	12
	13	#include <openssl/core.h>
	14	#include <openssl/core_names.h>
	15	#include <openssl/core_object.h>
	16	#include <openssl/err.h>
	17	#include <openssl/pkcs12.h>
	18	#include <openssl/provider.h>
	19	#include <openssl/decoder.h>
	20	#include <openssl/store.h>
	21	#include "internal/provider.h"
	22	#include "internal/passphrase.h"
	23	#include "crypto/evp.h"
	24	#include "crypto/x509.h"
	25	#include "store_local.h"
	26
	27	#ifndef OSSL_OBJECT_PKCS12
	28	/*
	29	* The object abstraction doesn't know PKCS#12, but we want to indicate
	30	* it anyway, so we create our own. Since the public macros use positive
	31	* numbers, negative ones should be fine. They must never slip out from
	32	* this translation unit anyway.
	33	*/
	34	# define OSSL_OBJECT_PKCS12 -1
	35	#endif
	36
	37	/*
	38	* ossl_store_handle_load_result() is initially written to be a companion
	39	* to our 'file:' scheme provider implementation, but has been made generic
	40	* to serve others as well.
	41	*
	42	* This result handler takes any object abstraction (see provider-object(7))
	43	* and does the best it can with it. If the object is passed by value (not
	44	* by reference), the contents are currently expected to be DER encoded.
	45	* If an object type is specified, that will be respected; otherwise, this
	46	* handler will guess the contents, by trying the following in order:
	47	*
	48	* 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
	49	* 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
	50	* 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
	51	* 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
	52	*
	53	* For the 'file:' scheme implementation, this is division of labor. Since
	54	* the libcrypto <-> provider interface currently doesn't support certain
	55	* structures as first class objects, they must be unpacked from DER here
	56	* rather than in the provider. The current exception is asymmetric keys,
	57	* which can reside within the provider boundary, most of all thanks to
	58	* OSSL_FUNC_keymgmt_load(), which allows loading the key material by
	59	* reference.
	60	*/
	61
34b80d06 RL	62	struct extracted_param_data_st {
	63	int object_type;
	64	const char *data_type;
70793dbb	65	const char *data_structure;
34b80d06 RL	66	const char *utf8_data;
	67	const void *octet_data;
	68	size_t octet_data_size;
	69	const void *ref;
	70	size_t ref_size;
	71	const char *desc;
	72	};
	73
	74	static int try_name(struct extracted_param_data_st , OSSL_STORE_INFO *);
	75	static int try_key(struct extracted_param_data_st , OSSL_STORE_INFO *,
	76	OSSL_STORE_CTX , const OSSL_PROVIDER ,
b4250010	77	OSSL_LIB_CTX , const char );
34b80d06	78	static int try_cert(struct extracted_param_data_st , OSSL_STORE_INFO *,
b4250010	79	OSSL_LIB_CTX , const char );
34b80d06	80	static int try_crl(struct extracted_param_data_st , OSSL_STORE_INFO *,
b4250010	81	OSSL_LIB_CTX , const char );
34b80d06	82	static int try_pkcs12(struct extracted_param_data_st , OSSL_STORE_INFO *,
b4250010	83	OSSL_STORE_CTX , OSSL_LIB_CTX , const char *);
34b80d06 RL	84
	85	int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
	86	{
	87	struct ossl_load_result_data_st *cbdata = arg;
	88	OSSL_STORE_INFO **v = &cbdata->v;
	89	OSSL_STORE_CTX *ctx = cbdata->ctx;
	90	const OSSL_PROVIDER *provider =
ed576acd	91	OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader);
a829b735	92	OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
34b80d06 RL	93	const char *propq = ctx->properties;
	94	const OSSL_PARAM *p;
	95	struct extracted_param_data_st helper_data;
	96
	97	memset(&helper_data, 0, sizeof(helper_data));
	98	helper_data.object_type = OSSL_OBJECT_UNKNOWN;
	99
	100	if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
	101	&& !OSSL_PARAM_get_int(p, &helper_data.object_type))
	102	return 0;
	103	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
	104	if (p != NULL
	105	&& !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
	106	return 0;
	107	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
	108	if (p != NULL
	109	&& !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
	110	&helper_data.octet_data_size)
	111	&& !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
	112	return 0;
70793dbb MC	113	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE);
	114	if (p != NULL
	115	&& !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure))
	116	return 0;
34b80d06 RL	117	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
	118	if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
	119	&helper_data.ref_size))
	120	return 0;
	121	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
	122	if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
	123	return 0;
	124
	125	/*
	126	* The helper functions return 0 on actual errors, otherwise 1, even if
	127	* they didn't fill out \|*v\|.
	128	*/
521a0bf6 RL	129	ERR_set_mark();
521a0bf6 RL	130	if (*v == NULL && !try_name(&helper_data, v))
c2150f73	131	goto err;
521a0bf6 RL	132	ERR_pop_to_mark();
	133	ERR_set_mark();
	134	if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq))
c2150f73	135	goto err;
521a0bf6 RL	136	ERR_pop_to_mark();
	137	ERR_set_mark();
	138	if (*v == NULL && !try_cert(&helper_data, v, libctx, propq))
c2150f73	139	goto err;
521a0bf6 RL	140	ERR_pop_to_mark();
	141	ERR_set_mark();
	142	if (*v == NULL && !try_crl(&helper_data, v, libctx, propq))
c2150f73	143	goto err;
521a0bf6 RL	144	ERR_pop_to_mark();
	145	ERR_set_mark();
	146	if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq))
c2150f73	147	goto err;
521a0bf6 RL	148	ERR_pop_to_mark();
	149
	150	if (*v == NULL)
	151	ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED);
34b80d06 RL	152
34b80d06 RL	153	return (*v != NULL);
c2150f73	154	err:
521a0bf6	155	ERR_clear_last_mark();
c2150f73	156	return 0;
34b80d06 RL	157	}
	158
	159	static int try_name(struct extracted_param_data_st data, OSSL_STORE_INFO *v)
	160	{
	161	if (data->object_type == OSSL_OBJECT_NAME) {
	162	char newname = NULL, newdesc = NULL;
	163
	164	if (data->utf8_data == NULL)
	165	return 0;
	166	if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
	167	\|\| (data->desc != NULL
	168	&& (newdesc = OPENSSL_strdup(data->desc)) == NULL)
	169	\|\| (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
	170	OPENSSL_free(newname);
	171	OPENSSL_free(newdesc);
	172	return 0;
	173	}
	174	OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
	175	}
	176	return 1;
	177	}
	178
	179	/*
	180	* For the rest of the object types, the provider code may not know what
	181	* type of data it gave us, so we may need to figure that out on our own.
	182	* Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
	183	* only return 0 on error if the object type is known.
	184	*/
	185
	186	static EVP_PKEY try_key_ref(struct extracted_param_data_st data,
	187	OSSL_STORE_CTX *ctx,
	188	const OSSL_PROVIDER *provider,
b4250010	189	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	190	{
	191	EVP_PKEY *pk = NULL;
	192	EVP_KEYMGMT *keymgmt = NULL;
	193	void *keydata = NULL;
	194
	195	/* If we have an object reference, we must have a data type */
	196	if (data->data_type == NULL)
	197	return 0;
	198
	199	keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
	200	if (keymgmt != NULL) {
	201	/*
	202	* There are two possible cases
	203	*
	204	* 1. The keymgmt is from the same provider as the loader,
	205	* so we can use evp_keymgmt_load()
	206	* 2. The keymgmt is from another provider, then we must
	207	* do the export/import dance.
	208	*/
ed576acd	209	if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
34b80d06 RL	210	keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
	211	} else {
	212	struct evp_keymgmt_util_try_import_data_st import_data;
	213	OSSL_FUNC_store_export_object_fn *export_object =
	214	ctx->fetched_loader->p_export_object;
	215
	216	import_data.keymgmt = keymgmt;
	217	import_data.keydata = NULL;
	218	import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
	219
	220	if (export_object != NULL) {
	221	/*
	222	* No need to check for errors here, the value of
	223	* \|import_data.keydata\| is as much an indicator.
	224	*/
	225	(void)export_object(ctx->loader_ctx,
	226	data->ref, data->ref_size,
	227	&evp_keymgmt_util_try_import,
	228	&import_data);
	229	}
	230
	231	keydata = import_data.keydata;
	232	}
	233	}
	234	if (keydata != NULL)
	235	pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
	236	EVP_KEYMGMT_free(keymgmt);
	237
	238	return pk;
	239	}
	240
	241	static EVP_PKEY try_key_value(struct extracted_param_data_st data,
	242	OSSL_STORE_CTX *ctx,
	243	OSSL_PASSPHRASE_CALLBACK cb, void cbarg,
b4250010	244	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	245	{
	246	EVP_PKEY *pk = NULL;
	247	OSSL_DECODER_CTX *decoderctx = NULL;
113adc1f RL	248	const unsigned char *pdata = data->octet_data;
113adc1f RL	249	size_t pdatalen = data->octet_data_size;
9787b5b8 RL	250	int selection = 0;
	251
	252	switch (ctx->expected_type) {
	253	case 0:
	254	break;
	255	case OSSL_STORE_INFO_PARAMS:
	256	selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
	257	break;
	258	case OSSL_STORE_INFO_PUBKEY:
	259	selection =
	260	OSSL_KEYMGMT_SELECT_PUBLIC_KEY
	261	\| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
	262	break;
	263	case OSSL_STORE_INFO_PKEY:
	264	selection = OSSL_KEYMGMT_SELECT_ALL;
	265	break;
	266	default:
	267	return NULL;
	268	}
34b80d06	269
70c06aaf	270	decoderctx =
70793dbb MC	271	OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", data->data_structure,
	272	data->data_type, selection, libctx,
	273	propq);
34b80d06 RL	274	(void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
	275
	276	/* No error if this couldn't be decoded */
113adc1f	277	(void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);
34b80d06 RL	278
34b80d06 RL	279	OSSL_DECODER_CTX_free(decoderctx);
34b80d06 RL	280
	281	return pk;
	282	}
	283
	284	typedef OSSL_STORE_INFO store_info_new_fn(EVP_PKEY );
	285
	286	static EVP_PKEY try_key_value_legacy(struct extracted_param_data_st data,
	287	store_info_new_fn **store_info_new,
	288	OSSL_STORE_CTX *ctx,
	289	OSSL_PASSPHRASE_CALLBACK cb, void cbarg,
b4250010	290	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	291	{
	292	EVP_PKEY *pk = NULL;
	293	const unsigned char der = data->octet_data, derp;
	294	long der_len = (long)data->octet_data_size;
	295
	296	/* Try PUBKEY first, that's a real easy target */
9787b5b8 RL	297	if (ctx->expected_type == 0
	298	\|\| ctx->expected_type == OSSL_STORE_INFO_PUBKEY) {
	299	derp = der;
	300	pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
1fbf7079	301
9787b5b8 RL	302	if (pk != NULL)
9787b5b8 RL	303	*store_info_new = OSSL_STORE_INFO_new_PUBKEY;
9787b5b8	304	}
34b80d06 RL	305
34b80d06 RL	306	/* Try private keys next */
9787b5b8 RL	307	if (pk == NULL
	308	&& (ctx->expected_type == 0
	309	\|\| ctx->expected_type == OSSL_STORE_INFO_PKEY)) {
34b80d06 RL	310	unsigned char *new_der = NULL;
	311	X509_SIG *p8 = NULL;
	312	PKCS8_PRIV_KEY_INFO *p8info = NULL;
	313
521a0bf6	314	/* See if it's an encrypted PKCS#8 and decrypt it. */
34b80d06	315	derp = der;
1fbf7079	316	p8 = d2i_X509_SIG(NULL, &derp, der_len);
1fbf7079 RL	317
1fbf7079 RL	318	if (p8 != NULL) {
34b80d06 RL	319	char pbuf[PEM_BUFSIZE];
	320	size_t plen = 0;
	321
	322	if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
9311d0c4	323	ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ);
34b80d06 RL	324	} else {
	325	const X509_ALGOR *alg = NULL;
	326	const ASN1_OCTET_STRING *oct = NULL;
	327	int len = 0;
	328
	329	X509_SIG_get0(p8, &alg, &oct);
	330
	331	/*
	332	* No need to check the returned value, \|new_der\|
	333	* will be NULL on error anyway.
	334	*/
	335	PKCS12_pbe_crypt(alg, pbuf, plen,
	336	oct->data, oct->length,
	337	&new_der, &len, 0);
	338	der_len = len;
	339	der = new_der;
	340	}
	341	X509_SIG_free(p8);
	342	}
	343
	344	/*
	345	* If the encrypted PKCS#8 couldn't be decrypted,
	346	* \|der\| is NULL
	347	*/
	348	if (der != NULL) {
521a0bf6	349	/* Try to unpack an unencrypted PKCS#8, that's easy */
34b80d06 RL	350	derp = der;
34b80d06 RL	351	p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
1fbf7079	352
34b80d06	353	if (p8info != NULL) {
d8652be0	354	pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
34b80d06 RL	355	PKCS8_PRIV_KEY_INFO_free(p8info);
34b80d06 RL	356	}
34b80d06 RL	357	}
	358
	359	if (pk != NULL)
	360	*store_info_new = OSSL_STORE_INFO_new_PKEY;
	361
	362	OPENSSL_free(new_der);
34b80d06	363	}
34b80d06 RL	364
	365	return pk;
	366	}
	367
	368	static int try_key(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
	369	OSSL_STORE_CTX ctx, const OSSL_PROVIDER provider,
b4250010	370	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	371	{
	372	store_info_new_fn *store_info_new = NULL;
	373
	374	if (data->object_type == OSSL_OBJECT_UNKNOWN
	375	\|\| data->object_type == OSSL_OBJECT_PKEY) {
	376	EVP_PKEY *pk = NULL;
	377
	378	/* Prefer key by reference than key by value */
	379	if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
	380	pk = try_key_ref(data, ctx, provider, libctx, propq);
	381
	382	/*
	383	* If for some reason we couldn't get a key, it's an error.
	384	* It indicates that while decoders could make a key reference,
	385	* the keymgmt somehow couldn't handle it, or doesn't have a
	386	* OSSL_FUNC_keymgmt_load function.
	387	*/
	388	if (pk == NULL)
	389	return 0;
	390	} else if (data->octet_data != NULL) {
	391	OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
	392	void *cbarg = &ctx->pwdata;
	393
	394	pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
	395
	396	/*
	397	* Desperate last maneuver, in case the decoders don't support
521a0bf6 RL	398	* the data we have, then we try on our own to at least get an
521a0bf6 RL	399	* engine provided legacy key.
34b80d06 RL	400	* This is the same as der2key_decode() does, but in a limited
	401	* way and within the walls of libcrypto.
	402	*
	403	* TODO Remove this when #legacy keys are gone
	404	*/
	405	if (pk == NULL)
	406	pk = try_key_value_legacy(data, &store_info_new, ctx,
	407	cb, cbarg, libctx, propq);
	408	}
	409
	410	if (pk != NULL) {
	411	data->object_type = OSSL_OBJECT_PKEY;
	412
	413	if (store_info_new == NULL) {
	414	/*
	415	* We determined the object type for OSSL_STORE_INFO, which
	416	* makes an explicit difference between an EVP_PKEY with just
	417	* (domain) parameters and an EVP_PKEY with actual key
	418	* material.
	419	* The logic is that an EVP_PKEY with actual key material
	420	* always has the public half.
	421	*/
	422	if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
	423	store_info_new = OSSL_STORE_INFO_new_PKEY;
	424	else if (evp_keymgmt_util_has(pk,
	425	OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
	426	store_info_new = OSSL_STORE_INFO_new_PUBKEY;
	427	else
	428	store_info_new = OSSL_STORE_INFO_new_PARAMS;
	429	}
	430	*v = store_info_new(pk);
	431	}
	432
	433	if (*v == NULL)
	434	EVP_PKEY_free(pk);
	435	}
	436
	437	return 1;
	438	}
	439
	440	static int try_cert(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
b4250010	441	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	442	{
	443	if (data->object_type == OSSL_OBJECT_UNKNOWN
	444	\|\| data->object_type == OSSL_OBJECT_CERT) {
34b80d06 RL	445	/*
	446	* In most cases, we can try to interpret the serialized
	447	* data as a trusted cert (X509 + X509_AUX) and fall back
	448	* to reading it as a normal cert (just X509), but if
	449	* \|data_type\| (the PEM name) specifically declares it as a
	450	* trusted cert, then no fallback should be engaged.
	451	* \|ignore_trusted\| tells if the fallback can be used (1)
	452	* or not (0).
	453	*/
	454	int ignore_trusted = 1;
99be8ed3 MC	455	X509 *cert = X509_new_ex(libctx, propq);
	456
	457	if (cert == NULL)
	458	return 0;
34b80d06 RL	459
	460	/* If we have a data type, it should be a PEM name */
	461	if (data->data_type != NULL
	462	&& (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
	463	ignore_trusted = 0;
	464
99be8ed3 MC	465	if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data,
	466	data->octet_data_size) == NULL
	467	&& (!ignore_trusted
	468	\|\| d2i_X509(&cert, (const unsigned char **)&data->octet_data,
	469	data->octet_data_size) == NULL)) {
34b80d06 RL	470	X509_free(cert);
	471	cert = NULL;
	472	}
	473
99be8ed3 MC	474	if (cert != NULL) {
	475	/* We determined the object type */
	476	data->object_type = OSSL_OBJECT_CERT;
34b80d06	477	*v = OSSL_STORE_INFO_new_CERT(cert);
99be8ed3 MC	478	if (*v == NULL)
	479	X509_free(cert);
	480	}
34b80d06 RL	481	}
	482
	483	return 1;
	484	}
	485
	486	static int try_crl(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
b4250010	487	OSSL_LIB_CTX libctx, const char propq)
34b80d06 RL	488	{
	489	if (data->object_type == OSSL_OBJECT_UNKNOWN
	490	\|\| data->object_type == OSSL_OBJECT_CRL) {
	491	X509_CRL *crl;
	492
	493	crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
	494	data->octet_data_size);
1fbf7079	495
34b80d06 RL	496	if (crl != NULL)
	497	/* We determined the object type */
	498	data->object_type = OSSL_OBJECT_CRL;
	499
4669015d	500	if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
34b80d06 RL	501	X509_CRL_free(crl);
	502	crl = NULL;
	503	}
	504
	505	if (crl != NULL)
	506	*v = OSSL_STORE_INFO_new_CRL(crl);
	507	if (*v == NULL)
	508	X509_CRL_free(crl);
	509	}
	510
	511	return 1;
	512	}
	513
	514	static int try_pkcs12(struct extracted_param_data_st data, OSSL_STORE_INFO *v,
	515	OSSL_STORE_CTX *ctx,
b4250010	516	OSSL_LIB_CTX libctx, const char propq)
34b80d06	517	{
1fbf7079 RL	518	int ok = 1;
1fbf7079 RL	519
34b80d06 RL	520	/* There is no specific object type for PKCS12 */
	521	if (data->object_type == OSSL_OBJECT_UNKNOWN) {
	522	/* Initial parsing */
	523	PKCS12 *p12;
	524
1fbf7079 RL	525	p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
1fbf7079 RL	526	data->octet_data_size);
1fbf7079 RL	527
1fbf7079 RL	528	if (p12 != NULL) {
34b80d06 RL	529	char *pass = NULL;
	530	char tpass[PEM_BUFSIZE];
	531	size_t tpass_len;
	532	EVP_PKEY *pkey = NULL;
	533	X509 *cert = NULL;
	534	STACK_OF(X509) *chain = NULL;
	535
	536	data->object_type = OSSL_OBJECT_PKCS12;
	537
1fbf7079 RL	538	ok = 0; /* Assume decryption or parse error */
1fbf7079 RL	539
34b80d06 RL	540	if (PKCS12_verify_mac(p12, "", 0)
	541	\|\| PKCS12_verify_mac(p12, NULL, 0)) {
	542	pass = "";
	543	} else {
	544	static char prompt_info[] = "PKCS12 import pass phrase";
	545	OSSL_PARAM pw_params[] = {
	546	OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
	547	prompt_info,
	548	sizeof(prompt_info) - 1),
	549	OSSL_PARAM_END
	550	};
	551
	552	if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
	553	pw_params, 0, &ctx->pwdata)) {
	554	ERR_raise(ERR_LIB_OSSL_STORE,
	555	OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
	556	goto p12_end;
	557	}
	558	pass = tpass;
	559	if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
39a61e69 DDO	560	ERR_raise_data(ERR_LIB_OSSL_STORE,
	561	OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
	562	strlen(pass) == 0 ? "empty password" :
	563	"maybe wrong password");
34b80d06 RL	564	goto p12_end;
	565	}
	566	}
	567
	568	if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
	569	STACK_OF(OSSL_STORE_INFO) *infos = NULL;
	570	OSSL_STORE_INFO *osi_pkey = NULL;
	571	OSSL_STORE_INFO *osi_cert = NULL;
	572	OSSL_STORE_INFO *osi_ca = NULL;
1fbf7079 RL	573
1fbf7079 RL	574	ok = 1; /* Parsing went through correctly! */
34b80d06 RL	575
	576	if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
	577	if (pkey != NULL) {
	578	if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
	579	/* clearing pkey here avoids case distinctions */
	580	&& (pkey = NULL) == NULL
	581	&& sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
	582	osi_pkey = NULL;
	583	else
	584	ok = 0;
	585	}
	586	if (ok && cert != NULL) {
	587	if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
	588	/* clearing cert here avoids case distinctions */
	589	&& (cert = NULL) == NULL
	590	&& sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
	591	osi_cert = NULL;
	592	else
	593	ok = 0;
	594	}
	595	while (ok && sk_X509_num(chain) > 0) {
	596	X509 *ca = sk_X509_value(chain, 0);
	597
	598	if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
	599	&& sk_X509_shift(chain) != NULL
	600	&& sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
	601	osi_ca = NULL;
	602	else
	603	ok = 0;
	604	}
	605	}
	606	EVP_PKEY_free(pkey);
	607	X509_free(cert);
	608	sk_X509_pop_free(chain, X509_free);
	609	OSSL_STORE_INFO_free(osi_pkey);
	610	OSSL_STORE_INFO_free(osi_cert);
	611	OSSL_STORE_INFO_free(osi_ca);
	612	if (!ok) {
	613	sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
	614	infos = NULL;
	615	}
	616	ctx->cached_info = infos;
	617	}
	618	}
	619	p12_end:
	620	PKCS12_free(p12);
	621	*v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
	622	}
	623
1fbf7079	624	return ok;
34b80d06	625	}