]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/evp/keymgmt_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add EVP functionality to create domain params and keys by user data
[thirdparty/openssl.git] / crypto / evp / keymgmt_lib.c
1 /*
2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/cryptlib.h"
11 #include "internal/nelem.h"
12 #include "crypto/evp.h"
13 #include "crypto/asn1.h"
14 #include "internal/provider.h"
15 #include "evp_local.h"
16
17 static OSSL_PARAM *paramdefs_to_params(const OSSL_PARAM *paramdefs)
18 {
19 size_t cnt;
20 const OSSL_PARAM *p;
21 OSSL_PARAM *params = NULL, *q;
22
23 for (cnt = 1, p = paramdefs; p->key != NULL; p++, cnt++)
24 continue;
25
26 params = OPENSSL_zalloc(cnt * sizeof(*params));
27 if (params == NULL)
28 return NULL;
29
30 for (p = paramdefs, q = params; ; p++, q++) {
31 *q = *p;
32 if (p->key == NULL)
33 break;
34
35 q->data = NULL; /* In case the provider used it */
36 q->return_size = 0;
37 }
38
39 return params;
40 }
41
42 static OSSL_PARAM *reduce_params(OSSL_PARAM *params)
43 {
44 OSSL_PARAM *curr, *next;
45 size_t cnt;
46
47 for (cnt = 0, curr = next = params; next->key != NULL; next++) {
48 if (next->return_size == 0)
49 continue;
50 if (curr != next)
51 *curr = *next;
52 curr++;
53 cnt++;
54 }
55 *curr = *next; /* Terminating record */
56 cnt++;
57
58 curr = OPENSSL_realloc(params, cnt * sizeof(*params));
59 if (curr == NULL)
60 return params;
61 return curr;
62 }
63
64 typedef union align_block_un {
65 OSSL_UNION_ALIGN;
66 } ALIGN_BLOCK;
67
68 #define ALIGN_SIZE sizeof(ALIGN_BLOCK)
69
70 static void *allocate_params_space(OSSL_PARAM *params)
71 {
72 unsigned char *data = NULL;
73 size_t space;
74 OSSL_PARAM *p;
75
76 for (space = 0, p = params; p->key != NULL; p++)
77 space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
78
79 if (space == 0)
80 return NULL;
81
82 data = OPENSSL_zalloc(space);
83 if (data == NULL)
84 return NULL;
85
86 for (space = 0, p = params; p->key != NULL; p++) {
87 p->data = data + space;
88 space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
89 }
90
91 return data;
92 }
93
94 void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
95 int want_domainparams)
96 {
97 void *provdata = NULL;
98 size_t i, j;
99
100 /*
101 * If there is an underlying legacy key and it has changed, invalidate
102 * the cache of provider keys.
103 */
104 if (pk->pkey.ptr != NULL) {
105 /*
106 * If there is no dirty counter, this key can't be used with
107 * providers.
108 */
109 if (pk->ameth->dirty_cnt == NULL)
110 return NULL;
111
112 if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
113 evp_keymgmt_clear_pkey_cache(pk);
114 }
115
116 /*
117 * See if we have exported to this provider already.
118 * If we have, return immediately.
119 */
120 for (i = 0;
121 i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
122 i++) {
123 if (keymgmt == pk->pkeys[i].keymgmt
124 && want_domainparams == pk->pkeys[i].domainparams)
125 return pk->pkeys[i].provdata;
126 }
127
128 if (pk->pkey.ptr != NULL) {
129 /* There is a legacy key, try to export that one to the provider */
130
131 /* If the legacy key doesn't have an export function, give up */
132 if (pk->ameth->export_to == NULL)
133 return NULL;
134
135 /* Otherwise, simply use it. */
136 provdata = pk->ameth->export_to(pk, keymgmt, want_domainparams);
137
138 /* Synchronize the dirty count, but only if we exported successfully */
139 if (provdata != NULL)
140 pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
141
142 } else {
143 /*
144 * Here, there is no legacy key, so we look at the already cached
145 * provider keys, and import from the first that supports it
146 * (i.e. use its export function), and export the imported data to
147 * the new provider.
148 */
149
150 void *(*importfn)(void *provctx, const OSSL_PARAM params[]) =
151 want_domainparams ? keymgmt->importdomparams : keymgmt->importkey;
152
153 /*
154 * If the given keymgmt doesn't have an import function, give up
155 */
156 if (importfn == NULL)
157 return NULL;
158
159 for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
160 if (pk->pkeys[j].keymgmt->exportkey != NULL) {
161 const OSSL_PARAM *paramdefs = NULL;
162 OSSL_PARAM *params = NULL;
163 void *data = NULL;
164 void *provctx =
165 ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
166 int (*exportfn)(void *provctx, OSSL_PARAM params[]) = NULL;
167
168 if (pk->pkeys[j].domainparams != want_domainparams)
169 continue;
170
171 exportfn = want_domainparams
172 ? pk->pkeys[j].keymgmt->exportdomparams
173 : pk->pkeys[j].keymgmt->exportkey;
174
175 paramdefs = pk->pkeys[j].keymgmt->exportkey_types();
176 /*
177 * All params have 'data' set to NULL. In that case,
178 * the exportkey call should just fill in 'return_size'
179 * in all applicable params.
180 */
181 params = paramdefs_to_params(paramdefs);
182 /* Get 'return_size' filled */
183 exportfn(pk->pkeys[j].provdata, params);
184
185 /*
186 * Reduce the params by removing any entry that got return
187 * size zero, then allocate space and assign 'data' to point
188 * into the data block
189 */
190 params = reduce_params(params);
191 if ((data = allocate_params_space(params)) == NULL)
192 goto cont;
193
194 /*
195 * Call the exportkey function a second time, to get
196 * the data filled.
197 * If something goes wrong, go to the next cached key.
198 */
199 if (!exportfn(pk->pkeys[j].provdata, params))
200 goto cont;
201
202 /*
203 * We should have all the data at this point, so import
204 * into the new provider and hope to get a key back.
205 */
206 provdata = importfn(provctx, params);
207
208 cont:
209 OPENSSL_free(params);
210 OPENSSL_free(data);
211
212 if (provdata != NULL)
213 break;
214 }
215 }
216 }
217
218 /*
219 * TODO(3.0) Right now, we assume we have ample space. We will
220 * have to think about a cache aging scheme, though, if |i| indexes
221 * outside the array.
222 */
223 j = ossl_assert(i < OSSL_NELEM(pk->pkeys));
224
225 if (provdata != NULL) {
226 EVP_KEYMGMT_up_ref(keymgmt);
227 pk->pkeys[i].keymgmt = keymgmt;
228 pk->pkeys[i].provdata = provdata;
229 pk->pkeys[i].domainparams = want_domainparams;
230 }
231
232 return provdata;
233 }
234
235 void evp_keymgmt_clear_pkey_cache(EVP_PKEY *pk)
236 {
237 size_t i;
238
239 if (pk != NULL) {
240 for (i = 0;
241 i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
242 i++) {
243 EVP_KEYMGMT *keymgmt = pk->pkeys[i].keymgmt;
244 void *provdata = pk->pkeys[i].provdata;
245
246 pk->pkeys[i].keymgmt = NULL;
247 pk->pkeys[i].provdata = NULL;
248 if (pk->pkeys[i].domainparams)
249 keymgmt->freedomparams(provdata);
250 else
251 keymgmt->freekey(provdata);
252 EVP_KEYMGMT_free(keymgmt);
253 }
254 }
255 }
256
257 void *evp_keymgmt_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
258 const OSSL_PARAM params[], int domainparams)
259 {
260 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
261 void *provdata = domainparams
262 ? keymgmt->importdomparams(provctx, params)
263 : keymgmt->importkey(provctx, params);
264
265 evp_keymgmt_clear_pkey_cache(target);
266 if (provdata != NULL) {
267 EVP_KEYMGMT_up_ref(keymgmt);
268 target->pkeys[0].keymgmt = keymgmt;
269 target->pkeys[0].provdata = provdata;
270 target->pkeys[0].domainparams = domainparams;
271 }
272
273 return provdata;
274 }
275
276 /* internal functions */
277 /* TODO(3.0) decide if these should be public or internal */
278 void *evp_keymgmt_importdomparams(const EVP_KEYMGMT *keymgmt,
279 const OSSL_PARAM params[])
280 {
281 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
282
283 return keymgmt->importdomparams(provctx, params);
284 }
285
286 void *evp_keymgmt_gendomparams(const EVP_KEYMGMT *keymgmt,
287 const OSSL_PARAM params[])
288 {
289 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
290
291 return keymgmt->gendomparams(provctx, params);
292 }
293
294 void evp_keymgmt_freedomparams(const EVP_KEYMGMT *keymgmt,
295 void *provdomparams)
296 {
297 keymgmt->freedomparams(provdomparams);
298 }
299
300 int evp_keymgmt_exportdomparams(const EVP_KEYMGMT *keymgmt,
301 void *provdomparams, OSSL_PARAM params[])
302 {
303 return keymgmt->exportdomparams(provdomparams, params);
304 }
305
306 const OSSL_PARAM *evp_keymgmt_importdomparam_types(const EVP_KEYMGMT *keymgmt)
307 {
308 return keymgmt->importdomparam_types();
309 }
310
311 const OSSL_PARAM *evp_keymgmt_exportdomparam_types(const EVP_KEYMGMT *keymgmt)
312 {
313 return keymgmt->exportdomparam_types();
314 }
315
316
317 void *evp_keymgmt_importkey(const EVP_KEYMGMT *keymgmt,
318 const OSSL_PARAM params[])
319 {
320 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
321
322 return keymgmt->importkey(provctx, params);
323 }
324
325 void *evp_keymgmt_genkey(const EVP_KEYMGMT *keymgmt, void *domparams,
326 const OSSL_PARAM params[])
327 {
328 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
329
330 return keymgmt->genkey(provctx, domparams, params);
331 }
332
333 void *evp_keymgmt_loadkey(const EVP_KEYMGMT *keymgmt,
334 void *id, size_t idlen)
335 {
336 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
337
338 return keymgmt->loadkey(provctx, id, idlen);
339 }
340
341 void evp_keymgmt_freekey(const EVP_KEYMGMT *keymgmt, void *provkey)
342 {
343 keymgmt->freekey(provkey);
344 }
345
346 int evp_keymgmt_exportkey(const EVP_KEYMGMT *keymgmt, void *provkey,
347 OSSL_PARAM params[])
348 {
349 return keymgmt->exportkey(provkey, params);
350 }
351
352 const OSSL_PARAM *evp_keymgmt_importkey_types(const EVP_KEYMGMT *keymgmt)
353 {
354 return keymgmt->importkey_types();
355 }
356
357 const OSSL_PARAM *evp_keymgmt_exportkey_types(const EVP_KEYMGMT *keymgmt)
358 {
359 return keymgmt->exportkey_types();
360 }
A mirror of the official openssl repository