]>
Commit | Line | Data |
---|---|---|
072a9fde RL |
1 | /* |
2 | * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/core_names.h> | |
14c8a3d1 | 11 | #include <openssl/core_object.h> |
072a9fde | 12 | #include <openssl/evp.h> |
7524b7b7 | 13 | #include <openssl/ui.h> |
ece9304c | 14 | #include <openssl/decoder.h> |
072a9fde RL |
15 | #include <openssl/safestack.h> |
16 | #include "crypto/evp.h" | |
63f187cf | 17 | #include "crypto/decoder.h" |
ece9304c | 18 | #include "encoder_local.h" |
072a9fde | 19 | |
ece9304c RL |
20 | int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx, |
21 | const unsigned char *kstr, | |
22 | size_t klen) | |
7524b7b7 | 23 | { |
a517edec | 24 | return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen); |
7524b7b7 RL |
25 | } |
26 | ||
ece9304c RL |
27 | int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx, |
28 | const UI_METHOD *ui_method, | |
29 | void *ui_data) | |
7524b7b7 | 30 | { |
a517edec | 31 | return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data); |
7524b7b7 RL |
32 | } |
33 | ||
ece9304c RL |
34 | int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx, |
35 | pem_password_cb *cb, void *cbarg) | |
7524b7b7 | 36 | { |
a517edec | 37 | return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg); |
7524b7b7 RL |
38 | } |
39 | ||
4fd39782 RL |
40 | int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx, |
41 | OSSL_PASSPHRASE_CALLBACK *cb, | |
42 | void *cbarg) | |
43 | { | |
44 | return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg); | |
45 | } | |
46 | ||
072a9fde | 47 | /* |
ece9304c | 48 | * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY: |
4701f0a9 | 49 | * The construct data, and collecting keymgmt information for it |
072a9fde RL |
50 | */ |
51 | ||
52 | DEFINE_STACK_OF(EVP_KEYMGMT) | |
53 | ||
ece9304c | 54 | struct decoder_EVP_PKEY_data_st { |
072a9fde RL |
55 | char *object_type; /* recorded object data type, may be NULL */ |
56 | void **object; /* Where the result should end up */ | |
57 | STACK_OF(EVP_KEYMGMT) *keymgmts; /* The EVP_KEYMGMTs we handle */ | |
58 | }; | |
59 | ||
ece9304c RL |
60 | static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst, |
61 | const OSSL_PARAM *params, | |
62 | void *construct_data) | |
072a9fde | 63 | { |
ece9304c RL |
64 | struct decoder_EVP_PKEY_data_st *data = construct_data; |
65 | OSSL_DECODER *decoder = | |
66 | OSSL_DECODER_INSTANCE_decoder(decoder_inst); | |
bd7a6f16 | 67 | void *decoderctx = OSSL_DECODER_INSTANCE_decoder_ctx(decoder_inst); |
072a9fde RL |
68 | size_t i, end_i; |
69 | /* | |
70 | * |object_ref| points to a provider reference to an object, its exact | |
71 | * contents entirely opaque to us, but may be passed to any provider | |
72 | * function that expects this (such as OSSL_FUNC_keymgmt_load(). | |
73 | * | |
74 | * This pointer is considered volatile, i.e. whatever it points at | |
75 | * is assumed to be freed as soon as this function returns. | |
76 | */ | |
77 | void *object_ref = NULL; | |
78 | size_t object_ref_sz = 0; | |
79 | const OSSL_PARAM *p; | |
80 | ||
14c8a3d1 | 81 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); |
072a9fde RL |
82 | if (p != NULL) { |
83 | char *object_type = NULL; | |
84 | ||
85 | if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0)) | |
86 | return 0; | |
87 | OPENSSL_free(data->object_type); | |
88 | data->object_type = object_type; | |
89 | } | |
90 | ||
91 | /* | |
92 | * For stuff that should end up in an EVP_PKEY, we only accept an object | |
93 | * reference for the moment. This enforces that the key data itself | |
94 | * remains with the provider. | |
95 | */ | |
14c8a3d1 | 96 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); |
072a9fde RL |
97 | if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING) |
98 | return 0; | |
99 | object_ref = p->data; | |
100 | object_ref_sz = p->data_size; | |
101 | ||
102 | /* We may have reached one of the goals, let's find out! */ | |
103 | end_i = sk_EVP_KEYMGMT_num(data->keymgmts); | |
104 | for (i = 0; end_i; i++) { | |
105 | EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i); | |
106 | ||
107 | /* | |
108 | * There are two ways to find a matching KEYMGMT: | |
109 | * | |
110 | * 1. If the object data type (recorded in |data->object_type|) | |
111 | * is defined, by checking it using EVP_KEYMGMT_is_a(). | |
112 | * 2. If the object data type is NOT defined, by comparing the | |
ece9304c RL |
113 | * EVP_KEYMGMT and OSSL_DECODER method numbers. Since |
114 | * EVP_KEYMGMT and OSSL_DECODE operate with the same | |
072a9fde RL |
115 | * namemap, we know that the method numbers must match. |
116 | * | |
ece9304c RL |
117 | * This allows individual decoders to specify variants of keys, |
118 | * such as a DER to RSA decoder finding a RSA-PSS key, without | |
119 | * having to decode the exact same DER blob into the exact same | |
072a9fde | 120 | * internal structure twice. This is, of course, entirely at the |
ece9304c | 121 | * discretion of the decoder implementations. |
072a9fde RL |
122 | */ |
123 | if (data->object_type != NULL | |
124 | ? EVP_KEYMGMT_is_a(keymgmt, data->object_type) | |
ece9304c | 125 | : EVP_KEYMGMT_number(keymgmt) == OSSL_DECODER_number(decoder)) { |
072a9fde RL |
126 | EVP_PKEY *pkey = NULL; |
127 | void *keydata = NULL; | |
128 | const OSSL_PROVIDER *keymgmt_prov = | |
129 | EVP_KEYMGMT_provider(keymgmt); | |
ece9304c RL |
130 | const OSSL_PROVIDER *decoder_prov = |
131 | OSSL_DECODER_provider(decoder); | |
072a9fde RL |
132 | |
133 | /* | |
ece9304c | 134 | * If the EVP_KEYMGMT and the OSSL_DECODER are from the |
072a9fde RL |
135 | * same provider, we assume that the KEYMGMT has a key loading |
136 | * function that can handle the provider reference we hold. | |
137 | * | |
ece9304c | 138 | * Otherwise, we export from the decoder and import the |
072a9fde RL |
139 | * result in the keymgmt. |
140 | */ | |
ece9304c | 141 | if (keymgmt_prov == decoder_prov) { |
072a9fde RL |
142 | keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz); |
143 | } else { | |
144 | struct evp_keymgmt_util_try_import_data_st import_data; | |
145 | ||
146 | import_data.keymgmt = keymgmt; | |
147 | import_data.keydata = NULL; | |
4c525cb5 | 148 | import_data.selection = OSSL_KEYMGMT_SELECT_ALL; |
072a9fde RL |
149 | |
150 | /* | |
151 | * No need to check for errors here, the value of | |
152 | * |import_data.keydata| is as much an indicator. | |
153 | */ | |
bd7a6f16 RL |
154 | (void)decoder->export_object(decoderctx, |
155 | object_ref, object_ref_sz, | |
ece9304c RL |
156 | &evp_keymgmt_util_try_import, |
157 | &import_data); | |
072a9fde RL |
158 | keydata = import_data.keydata; |
159 | import_data.keydata = NULL; | |
160 | } | |
161 | ||
162 | if (keydata != NULL | |
163 | && (pkey = | |
164 | evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL) | |
165 | evp_keymgmt_freedata(keymgmt, keydata); | |
166 | ||
167 | *data->object = pkey; | |
168 | ||
169 | break; | |
170 | } | |
171 | } | |
172 | /* | |
173 | * We successfully looked through, |*ctx->object| determines if we | |
174 | * actually found something. | |
175 | */ | |
176 | return (*data->object != NULL); | |
177 | } | |
178 | ||
ece9304c | 179 | static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data) |
072a9fde | 180 | { |
ece9304c | 181 | struct decoder_EVP_PKEY_data_st *data = construct_data; |
072a9fde | 182 | |
3c033c5b RL |
183 | if (data != NULL) { |
184 | sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free); | |
185 | OPENSSL_free(data->object_type); | |
186 | OPENSSL_free(data); | |
187 | } | |
072a9fde RL |
188 | } |
189 | ||
072a9fde | 190 | struct collected_data_st { |
ece9304c | 191 | struct decoder_EVP_PKEY_data_st *process_data; |
072a9fde | 192 | STACK_OF(OPENSSL_CSTRING) *names; |
ece9304c | 193 | OSSL_DECODER_CTX *ctx; |
072a9fde RL |
194 | |
195 | unsigned int error_occured:1; | |
196 | }; | |
197 | ||
198 | static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) | |
199 | { | |
200 | struct collected_data_st *data = arg; | |
201 | ||
202 | if (data->error_occured) | |
203 | return; | |
204 | ||
205 | data->error_occured = 1; /* Assume the worst */ | |
206 | ||
207 | if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */) | |
208 | return; | |
209 | if (sk_EVP_KEYMGMT_push(data->process_data->keymgmts, keymgmt) <= 0) { | |
210 | EVP_KEYMGMT_free(keymgmt); /* ref-- */ | |
211 | return; | |
212 | } | |
213 | ||
214 | data->error_occured = 0; /* All is good now */ | |
215 | } | |
216 | ||
217 | static void collect_name(const char *name, void *arg) | |
218 | { | |
219 | struct collected_data_st *data = arg; | |
220 | ||
221 | if (data->error_occured) | |
222 | return; | |
223 | ||
224 | data->error_occured = 1; /* Assume the worst */ | |
225 | ||
226 | if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0) | |
227 | return; | |
228 | ||
229 | data->error_occured = 0; /* All is good now */ | |
230 | } | |
231 | ||
ece9304c | 232 | static void collect_decoder(OSSL_DECODER *decoder, void *arg) |
fb890008 RL |
233 | { |
234 | struct collected_data_st *data = arg; | |
235 | size_t i, end_i; | |
236 | ||
237 | if (data->error_occured) | |
238 | return; | |
239 | ||
240 | data->error_occured = 1; /* Assume the worst */ | |
90e0e0d8 SL |
241 | if (data->names == NULL) |
242 | return; | |
fb890008 RL |
243 | |
244 | end_i = sk_OPENSSL_CSTRING_num(data->names); | |
245 | for (i = 0; i < end_i; i++) { | |
246 | const char *name = sk_OPENSSL_CSTRING_value(data->names, i); | |
247 | ||
ece9304c | 248 | if (!OSSL_DECODER_is_a(decoder, name)) |
fb890008 | 249 | continue; |
ece9304c | 250 | (void)OSSL_DECODER_CTX_add_decoder(data->ctx, decoder); |
fb890008 RL |
251 | } |
252 | ||
253 | data->error_occured = 0; /* All is good now */ | |
254 | } | |
255 | ||
63f187cf RL |
256 | int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx, |
257 | EVP_PKEY **pkey, | |
258 | OPENSSL_CTX *libctx, | |
259 | const char *propquery) | |
072a9fde | 260 | { |
072a9fde RL |
261 | struct collected_data_st *data = NULL; |
262 | size_t i, end_i; | |
63f187cf | 263 | int ok = 0; |
072a9fde | 264 | |
63f187cf | 265 | if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL |
072a9fde RL |
266 | || (data->process_data = |
267 | OPENSSL_zalloc(sizeof(*data->process_data))) == NULL | |
268 | || (data->process_data->keymgmts | |
269 | = sk_EVP_KEYMGMT_new_null()) == NULL | |
270 | || (data->names = sk_OPENSSL_CSTRING_new_null()) == NULL) { | |
ece9304c | 271 | ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); |
072a9fde RL |
272 | goto err; |
273 | } | |
274 | data->process_data->object = (void **)pkey; | |
fb890008 | 275 | data->ctx = ctx; |
072a9fde RL |
276 | |
277 | /* First, find all keymgmts to form goals */ | |
278 | EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, data); | |
279 | ||
280 | if (data->error_occured) | |
281 | goto err; | |
282 | ||
fb890008 | 283 | /* Then, we collect all the keymgmt names */ |
072a9fde RL |
284 | end_i = sk_EVP_KEYMGMT_num(data->process_data->keymgmts); |
285 | for (i = 0; i < end_i; i++) { | |
286 | EVP_KEYMGMT *keymgmt = | |
287 | sk_EVP_KEYMGMT_value(data->process_data->keymgmts, i); | |
072a9fde RL |
288 | |
289 | EVP_KEYMGMT_names_do_all(keymgmt, collect_name, data); | |
290 | ||
fb890008 RL |
291 | if (data->error_occured) |
292 | goto err; | |
293 | } | |
072a9fde | 294 | |
fb890008 | 295 | /* |
ece9304c | 296 | * Finally, find all decoders that have any keymgmt of the collected |
fb890008 RL |
297 | * keymgmt names |
298 | */ | |
ece9304c | 299 | OSSL_DECODER_do_all_provided(libctx, collect_decoder, data); |
072a9fde | 300 | |
fb890008 RL |
301 | if (data->error_occured) |
302 | goto err; | |
072a9fde | 303 | |
ece9304c RL |
304 | /* If we found no decoders to match the keymgmts, we err */ |
305 | if (OSSL_DECODER_CTX_num_decoders(ctx) == 0) | |
072a9fde | 306 | goto err; |
072a9fde | 307 | |
ece9304c RL |
308 | if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY) |
309 | || !OSSL_DECODER_CTX_set_construct_data(ctx, data->process_data) | |
310 | || !OSSL_DECODER_CTX_set_cleanup(ctx, | |
311 | decoder_clean_EVP_PKEY_construct_arg)) | |
072a9fde RL |
312 | goto err; |
313 | ||
314 | data->process_data = NULL; | |
63f187cf | 315 | ok = 1; |
072a9fde | 316 | err: |
75348bb2 SL |
317 | if (data != NULL) { |
318 | decoder_clean_EVP_PKEY_construct_arg(data->process_data); | |
319 | sk_OPENSSL_CSTRING_free(data->names); | |
320 | OPENSSL_free(data); | |
321 | } | |
63f187cf RL |
322 | return ok; |
323 | } | |
324 | ||
325 | OSSL_DECODER_CTX *OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey, | |
326 | const char *input_type, | |
327 | OPENSSL_CTX *libctx, | |
328 | const char *propquery) | |
329 | { | |
330 | OSSL_DECODER_CTX *ctx = NULL; | |
331 | ||
332 | if ((ctx = OSSL_DECODER_CTX_new()) == NULL) { | |
333 | ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); | |
334 | return NULL; | |
335 | } | |
336 | if (OSSL_DECODER_CTX_set_input_type(ctx, input_type) | |
337 | && ossl_decoder_ctx_setup_for_EVP_PKEY(ctx, pkey, libctx, propquery) | |
338 | && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) | |
339 | return ctx; | |
340 | ||
341 | OSSL_DECODER_CTX_free(ctx); | |
342 | return NULL; | |
072a9fde | 343 | } |