OSSL_LIB_CTX *libctx, const char *propquery)
{
OSSL_DECODER_CTX *ctx = NULL;
+ OSSL_PARAM decoder_params[] = {
+ OSSL_PARAM_END,
+ OSSL_PARAM_END
+ };
DECODER_CACHE *cache
= ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_CACHE_INDEX);
DECODER_CACHE_ENTRY cacheent, *res, *newcache = NULL;
ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB);
return NULL;
}
+ if (propquery != NULL)
+ decoder_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_DECODER_PARAM_PROPERTIES,
+ (char *)propquery, 0);
/* It is safe to cast away the const here */
cacheent.input_type = (char *)input_type;
&& OSSL_DECODER_CTX_set_input_structure(ctx, input_structure)
&& OSSL_DECODER_CTX_set_selection(ctx, selection)
&& ossl_decoder_ctx_setup_for_pkey(ctx, keytype, libctx, propquery)
- && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) {
+ && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)
+ && (propquery == NULL
+ || OSSL_DECODER_CTX_set_params(ctx, decoder_params))) {
OSSL_TRACE_BEGIN(DECODER) {
BIO_printf(trc_out, "(ctx %p) Got %d decoders\n",
(void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx));
} static_ASN1_SEQUENCE_END_name(X509_PUBKEY, X509_PUBKEY_INTERNAL)
X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp,
- long len, OSSL_LIB_CTX *libctx)
+ long len, OSSL_LIB_CTX *libctx,
+ const char *propq)
{
X509_PUBKEY *xpub = OPENSSL_zalloc(sizeof(*xpub));
return NULL;
return (X509_PUBKEY *)ASN1_item_d2i_ex((ASN1_VALUE **)&xpub, pp, len,
ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL),
- libctx, NULL);
+ libctx, propq);
}
void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub)
ASN1_OCTET_STRING *ossl_x509_pubkey_hash(X509_PUBKEY *pubkey);
X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp,
- long len, OSSL_LIB_CTX *libctx);
+ long len, OSSL_LIB_CTX *libctx,
+ const char *propq);
void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
*/
struct der2key_ctx_st {
PROV_CTX *provctx;
+ char propq[OSSL_MAX_PROPQUERY_SIZE];
const struct keytype_desc_st *desc;
/* The selection that is passed to der2key_decode() */
int selection;
if ((p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, input_der, input_der_len)) != NULL
&& PKCS8_pkey_get0(NULL, NULL, NULL, &alg, p8inf)
&& OBJ_obj2nid(alg->algorithm) == ctx->desc->evp_type)
- key = key_from_pkcs8(p8inf, PROV_LIBCTX_OF(ctx->provctx), NULL);
+ key = key_from_pkcs8(p8inf, PROV_LIBCTX_OF(ctx->provctx), ctx->propq);
PKCS8_PRIV_KEY_INFO_free(p8inf);
return key;
static OSSL_FUNC_decoder_freectx_fn der2key_freectx;
static OSSL_FUNC_decoder_decode_fn der2key_decode;
static OSSL_FUNC_decoder_export_object_fn der2key_export_object;
+static OSSL_FUNC_decoder_settable_ctx_params_fn der2key_settable_ctx_params;
+static OSSL_FUNC_decoder_set_ctx_params_fn der2key_set_ctx_params;
static struct der2key_ctx_st *
der2key_newctx(void *provctx, const struct keytype_desc_st *desc)
return ctx;
}
+static const OSSL_PARAM *der2key_settable_ctx_params(ossl_unused void *provctx)
+{
+ static const OSSL_PARAM settables[] = {
+ OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return settables;
+}
+
+static int der2key_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ struct der2key_ctx_st *ctx = vctx;
+ const OSSL_PARAM *p;
+ char *str = ctx->propq;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES);
+ if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq)))
+ return 0;
+
+ return 1;
+}
+
static void der2key_freectx(void *vctx)
{
struct der2key_ctx_st *ctx = vctx;
(void (*)(void))der2key_decode }, \
{ OSSL_FUNC_DECODER_EXPORT_OBJECT, \
(void (*)(void))der2key_export_object }, \
+ { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS, \
+ (void (*)(void))der2key_settable_ctx_params }, \
+ { OSSL_FUNC_DECODER_SET_CTX_PARAMS, \
+ (void (*)(void))der2key_set_ctx_params }, \
OSSL_DISPATCH_END \
}
static OSSL_FUNC_decoder_newctx_fn epki2pki_newctx;
static OSSL_FUNC_decoder_freectx_fn epki2pki_freectx;
static OSSL_FUNC_decoder_decode_fn epki2pki_decode;
+static OSSL_FUNC_decoder_settable_ctx_params_fn epki2pki_settable_ctx_params;
+static OSSL_FUNC_decoder_set_ctx_params_fn epki2pki_set_ctx_params;
/*
* Context used for EncryptedPrivateKeyInfo to PrivateKeyInfo decoding.
*/
struct epki2pki_ctx_st {
PROV_CTX *provctx;
+ char propq[OSSL_MAX_PROPQUERY_SIZE];
};
static void *epki2pki_newctx(void *provctx)
OPENSSL_free(ctx);
}
+static const OSSL_PARAM *epki2pki_settable_ctx_params(ossl_unused void *provctx)
+{
+ static const OSSL_PARAM settables[] = {
+ OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return settables;
+}
+
+static int epki2pki_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ struct epki2pki_ctx_st *ctx = vctx;
+ const OSSL_PARAM *p;
+ char *str = ctx->propq;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES);
+ if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq)))
+ return 0;
+
+ return 1;
+}
+
/*
* The selection parameter in epki2pki_decode() is not used by this function
* because it's not relevant just to decode EncryptedPrivateKeyInfo to
if (!PKCS12_pbe_crypt_ex(alg, pbuf, plen,
oct->data, oct->length,
&new_der, &new_der_len, 0,
- PROV_LIBCTX_OF(ctx->provctx), NULL)) {
+ PROV_LIBCTX_OF(ctx->provctx),
+ ctx->propq)) {
ok = 0;
} else {
OPENSSL_free(der);
{ OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))epki2pki_newctx },
{ OSSL_FUNC_DECODER_FREECTX, (void (*)(void))epki2pki_freectx },
{ OSSL_FUNC_DECODER_DECODE, (void (*)(void))epki2pki_decode },
+ { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS,
+ (void (*)(void))epki2pki_settable_ctx_params },
+ { OSSL_FUNC_DECODER_SET_CTX_PARAMS,
+ (void (*)(void))epki2pki_set_ctx_params },
OSSL_DISPATCH_END
};
#include <openssl/pem.h> /* For public PVK functions */
#include <openssl/x509.h>
#include "internal/passphrase.h"
+#include "internal/sizes.h"
#include "crypto/pem.h" /* For internal PVK and "blob" headers */
#include "crypto/rsa.h"
#include "prov/bio.h"
static OSSL_FUNC_decoder_freectx_fn pvk2key_freectx;
static OSSL_FUNC_decoder_decode_fn pvk2key_decode;
static OSSL_FUNC_decoder_export_object_fn pvk2key_export_object;
+static OSSL_FUNC_decoder_settable_ctx_params_fn pvk2key_settable_ctx_params;
+static OSSL_FUNC_decoder_set_ctx_params_fn pvk2key_set_ctx_params;
/*
* Context used for DER to key decoding.
*/
struct pvk2key_ctx_st {
PROV_CTX *provctx;
+ char propq[OSSL_MAX_PROPQUERY_SIZE];
const struct keytype_desc_st *desc;
/* The selection that is passed to der2key_decode() */
int selection;
OPENSSL_free(ctx);
}
+static const OSSL_PARAM *pvk2key_settable_ctx_params(ossl_unused void *provctx)
+{
+ static const OSSL_PARAM settables[] = {
+ OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END,
+ };
+ return settables;
+}
+
+static int pvk2key_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ struct pvk2key_ctx_st *ctx = vctx;
+ const OSSL_PARAM *p;
+ char *str = ctx->propq;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES);
+ if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq)))
+ return 0;
+
+ return 1;
+}
+
static int pvk2key_does_selection(void *provctx, int selection)
{
if (selection == 0)
goto end;
key = ctx->desc->read_private_key(in, ossl_pw_pvk_password, &pwdata,
- PROV_LIBCTX_OF(ctx->provctx), NULL);
+ PROV_LIBCTX_OF(ctx->provctx),
+ ctx->propq);
/*
* Because the PVK API doesn't have a separate decrypt call, we need
(void (*)(void))pvk2key_decode }, \
{ OSSL_FUNC_DECODER_EXPORT_OBJECT, \
(void (*)(void))pvk2key_export_object }, \
+ { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS, \
+ (void (*)(void))pvk2key_settable_ctx_params }, \
+ { OSSL_FUNC_DECODER_SET_CTX_PARAMS, \
+ (void (*)(void))pvk2key_set_ctx_params }, \
OSSL_DISPATCH_END \
}
static OSSL_FUNC_decoder_newctx_fn spki2typespki_newctx;
static OSSL_FUNC_decoder_freectx_fn spki2typespki_freectx;
static OSSL_FUNC_decoder_decode_fn spki2typespki_decode;
+static OSSL_FUNC_decoder_settable_ctx_params_fn spki2typespki_settable_ctx_params;
+static OSSL_FUNC_decoder_set_ctx_params_fn spki2typespki_set_ctx_params;
/*
* Context used for SubjectPublicKeyInfo to Type specific SubjectPublicKeyInfo
*/
struct spki2typespki_ctx_st {
PROV_CTX *provctx;
+ char propq[OSSL_MAX_PROPQUERY_SIZE];
};
static void *spki2typespki_newctx(void *provctx)
OPENSSL_free(ctx);
}
+static const OSSL_PARAM *spki2typespki_settable_ctx_params(ossl_unused void *provctx)
+{
+ static const OSSL_PARAM settables[] = {
+ OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return settables;
+}
+
+static int spki2typespki_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ struct spki2typespki_ctx_st *ctx = vctx;
+ const OSSL_PARAM *p;
+ char *str = ctx->propq;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES);
+ if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq)))
+ return 0;
+
+ return 1;
+}
+
static int spki2typespki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
OSSL_CALLBACK *data_cb, void *data_cbarg,
OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
return 1;
derp = der;
xpub = ossl_d2i_X509_PUBKEY_INTERNAL((const unsigned char **)&derp, len,
- PROV_LIBCTX_OF(ctx->provctx));
-
+ PROV_LIBCTX_OF(ctx->provctx),
+ ctx->propq);
if (xpub == NULL) {
/* We return "empty handed". This is not an error. */
{ OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))spki2typespki_newctx },
{ OSSL_FUNC_DECODER_FREECTX, (void (*)(void))spki2typespki_freectx },
{ OSSL_FUNC_DECODER_DECODE, (void (*)(void))spki2typespki_decode },
+ { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS,
+ (void (*)(void))spki2typespki_settable_ctx_params },
+ { OSSL_FUNC_DECODER_SET_CTX_PARAMS,
+ (void (*)(void))spki2typespki_set_ctx_params },
OSSL_DISPATCH_END
};
DEPEND[endecoder_legacy_test]=../libcrypto.a libtestutil.a
ENDIF
+ PROGRAMS{noinst}=decoder_propq_test
+ SOURCE[decoder_propq_test]=decoder_propq_test.c
+ INCLUDE[decoder_propq_test]=.. ../include ../apps/include
+ DEPEND[decoder_propq_test]=../libcrypto.a libtestutil.a
+
PROGRAMS{noinst}=namemap_internal_test
SOURCE[namemap_internal_test]=namemap_internal_test.c
INCLUDE[namemap_internal_test]=.. ../include ../apps/include
--- /dev/null
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include "testutil.h"
+
+static OSSL_LIB_CTX *libctx = NULL;
+static OSSL_PROVIDER *nullprov = NULL;
+static OSSL_PROVIDER *libprov = NULL;
+static const char *filename = NULL;
+static pem_password_cb passcb;
+
+typedef enum OPTION_choice {
+ OPT_ERR = -1,
+ OPT_EOF = 0,
+ OPT_CONFIG_FILE,
+ OPT_PROVIDER_NAME,
+ OPT_TEST_ENUM
+} OPTION_CHOICE;
+
+const OPTIONS *test_get_options(void)
+{
+ static const OPTIONS test_options[] = {
+ OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file\n"),
+ { "config", OPT_CONFIG_FILE, '<',
+ "The configuration file to use for the libctx" },
+ { "provider", OPT_PROVIDER_NAME, 's',
+ "The provider to load (The default value is 'default')" },
+ { OPT_HELP_STR, 1, '-', "file\tFile to decode.\n" },
+ { NULL }
+ };
+ return test_options;
+}
+
+static int passcb(char *buf, int size, int rwflag, void *userdata)
+{
+ strcpy(buf, "pass");
+ return strlen(buf);
+}
+
+static int test_decode_nonfipsalg(void)
+{
+ int ret = 0;
+ EVP_PKEY *privkey = NULL;
+ BIO *bio = NULL;
+
+ /*
+ * Apply the "fips=true" property to all fetches for the libctx.
+ * We do this to test that we are using the propq override
+ */
+ EVP_default_properties_enable_fips(libctx, 1);
+
+ if (!TEST_ptr(bio = BIO_new_file(filename, "r")))
+ goto err;
+
+ /*
+ * If NULL is passed as the propq here it uses the global property "fips=true",
+ * Which we expect to fail if the decode uses a non FIPS algorithm
+ */
+ if (!TEST_ptr_null(PEM_read_bio_PrivateKey_ex(bio, &privkey, &passcb, NULL, libctx, NULL)))
+ goto err;
+
+ /*
+ * Pass if we override the libctx global prop query to optionally use fips=true
+ * This assumes that the libctx contains the default provider
+ */
+ if (!TEST_ptr_null(PEM_read_bio_PrivateKey_ex(bio, &privkey, &passcb, NULL, libctx, "?fips=true")))
+ goto err;
+
+ ret = 1;
+err:
+ BIO_free(bio);
+ EVP_PKEY_free(privkey);
+ return ret;
+}
+
+int setup_tests(void)
+{
+ const char *prov_name = "default";
+ char *config_file = NULL;
+ OPTION_CHOICE o;
+
+ while ((o = opt_next()) != OPT_EOF) {
+ switch (o) {
+ case OPT_PROVIDER_NAME:
+ prov_name = opt_arg();
+ break;
+ case OPT_CONFIG_FILE:
+ config_file = opt_arg();
+ break;
+ case OPT_TEST_CASES:
+ break;
+ default:
+ case OPT_ERR:
+ return 0;
+ }
+ }
+
+ filename = test_get_argument(0);
+ if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
+ return 0;
+
+ ADD_TEST(test_decode_nonfipsalg);
+ return 1;
+}
+
+void cleanup_tests(void)
+{
+ OSSL_PROVIDER_unload(libprov);
+ OSSL_LIB_CTX_free(libctx);
+ OSSL_PROVIDER_unload(nullprov);
+}
my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem");
-plan tests => ($no_fips ? 0 : 1) + 2; # FIPS install test + test
+plan tests => ($no_fips ? 0 : 3) + 2; # FIPS install test + test
my $conf = srctop_file("test", "default.cnf");
ok(run(test(["endecode_test", "-rsa", $rsa_key,
"-pss", $pss_key,
"-config", $conf,
"-provider", "fips"])));
-}
+ my $no_des = disabled("des");
+SKIP: {
+ skip "DES disabled", 2 if disabled("des");
+ ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem',
+ '-passout', 'pass:pass' ])),
+ "rsa encrypt using a non fips algorithm");
+
+ my $conf2 = srctop_file("test", "default-and-fips.cnf");
+ ok(run(test(['decoder_propq_test', '-config', $conf2,
+ '-provider', 'fips', 'epki.pem'])));
+}
+}