2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/asn1t.h>
13 #include <openssl/x509.h>
14 #include "crypto/asn1.h"
15 #include "crypto/evp.h"
16 #include "crypto/x509.h"
17 #include <openssl/rsa.h>
18 #include <openssl/dsa.h>
20 struct X509_pubkey_st
{
22 ASN1_BIT_STRING
*public_key
;
26 static int x509_pubkey_decode(EVP_PKEY
**pk
, X509_PUBKEY
*key
);
28 /* Minor tweak to operation: free up EVP_PKEY */
29 static int pubkey_cb(int operation
, ASN1_VALUE
**pval
, const ASN1_ITEM
*it
,
32 if (operation
== ASN1_OP_FREE_POST
) {
33 X509_PUBKEY
*pubkey
= (X509_PUBKEY
*)*pval
;
34 EVP_PKEY_free(pubkey
->pkey
);
35 } else if (operation
== ASN1_OP_D2I_POST
) {
36 /* Attempt to decode public key and cache in pubkey structure. */
37 X509_PUBKEY
*pubkey
= (X509_PUBKEY
*)*pval
;
38 EVP_PKEY_free(pubkey
->pkey
);
41 * Opportunistically decode the key but remove any non fatal errors
42 * from the queue. Subsequent explicit attempts to decode/use the key
43 * will return an appropriate error.
46 if (x509_pubkey_decode(&pubkey
->pkey
, pubkey
) == -1)
53 ASN1_SEQUENCE_cb(X509_PUBKEY
, pubkey_cb
) = {
54 ASN1_SIMPLE(X509_PUBKEY
, algor
, X509_ALGOR
),
55 ASN1_SIMPLE(X509_PUBKEY
, public_key
, ASN1_BIT_STRING
)
56 } ASN1_SEQUENCE_END_cb(X509_PUBKEY
, X509_PUBKEY
)
58 IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY
)
59 IMPLEMENT_ASN1_DUP_FUNCTION(X509_PUBKEY
)
61 /* TODO should better be called X509_PUBKEY_set1 */
62 int X509_PUBKEY_set(X509_PUBKEY
**x
, EVP_PKEY
*pkey
)
64 X509_PUBKEY
*pk
= NULL
;
69 if ((pk
= X509_PUBKEY_new()) == NULL
)
72 if (pkey
!= NULL
&& pkey
->ameth
) {
73 if (pkey
->ameth
->pub_encode
) {
74 if (!pkey
->ameth
->pub_encode(pk
, pkey
)) {
75 X509err(X509_F_X509_PUBKEY_SET
,
76 X509_R_PUBLIC_KEY_ENCODE_ERROR
);
80 X509err(X509_F_X509_PUBKEY_SET
, X509_R_METHOD_NOT_SUPPORTED
);
84 X509err(X509_F_X509_PUBKEY_SET
, X509_R_UNSUPPORTED_ALGORITHM
);
91 return EVP_PKEY_up_ref(pkey
);
99 * Attempt to decode a public key.
100 * Returns 1 on success, 0 for a decode failure and -1 for a fatal
101 * error e.g. malloc failure.
105 static int x509_pubkey_decode(EVP_PKEY
**ppkey
, X509_PUBKEY
*key
)
107 EVP_PKEY
*pkey
= EVP_PKEY_new();
110 X509err(X509_F_X509_PUBKEY_DECODE
, ERR_R_MALLOC_FAILURE
);
114 if (!EVP_PKEY_set_type(pkey
, OBJ_obj2nid(key
->algor
->algorithm
))) {
115 X509err(X509_F_X509_PUBKEY_DECODE
, X509_R_UNSUPPORTED_ALGORITHM
);
119 if (pkey
->ameth
->pub_decode
) {
121 * Treat any failure of pub_decode as a decode error. In
122 * future we could have different return codes for decode
123 * errors and fatal errors such as malloc failure.
125 if (!pkey
->ameth
->pub_decode(pkey
, key
)) {
126 X509err(X509_F_X509_PUBKEY_DECODE
, X509_R_PUBLIC_KEY_DECODE_ERROR
);
130 X509err(X509_F_X509_PUBKEY_DECODE
, X509_R_METHOD_NOT_SUPPORTED
);
142 EVP_PKEY
*X509_PUBKEY_get0(X509_PUBKEY
*key
)
144 EVP_PKEY
*ret
= NULL
;
146 if (key
== NULL
|| key
->public_key
== NULL
)
149 if (key
->pkey
!= NULL
)
153 * When the key ASN.1 is initially parsed an attempt is made to
154 * decode the public key and cache the EVP_PKEY structure. If this
155 * operation fails the cached value will be NULL. Parsing continues
156 * to allow parsing of unknown key types or unsupported forms.
157 * We repeat the decode operation so the appropriate errors are left
160 x509_pubkey_decode(&ret
, key
);
161 /* If decode doesn't fail something bad happened */
163 X509err(X509_F_X509_PUBKEY_GET0
, ERR_R_INTERNAL_ERROR
);
170 EVP_PKEY
*X509_PUBKEY_get(X509_PUBKEY
*key
)
172 EVP_PKEY
*ret
= X509_PUBKEY_get0(key
);
174 EVP_PKEY_up_ref(ret
);
179 * Now two pseudo ASN1 routines that take an EVP_PKEY structure and encode or
180 * decode as X509_PUBKEY
183 EVP_PKEY
*d2i_PUBKEY(EVP_PKEY
**a
, const unsigned char **pp
, long length
)
187 const unsigned char *q
;
190 xpk
= d2i_X509_PUBKEY(NULL
, &q
, length
);
193 pktmp
= X509_PUBKEY_get(xpk
);
194 X509_PUBKEY_free(xpk
);
205 int i2d_PUBKEY(const EVP_PKEY
*a
, unsigned char **pp
)
207 X509_PUBKEY
*xpk
= NULL
;
212 if ((xpk
= X509_PUBKEY_new()) == NULL
)
214 if (a
->ameth
!= NULL
&& a
->ameth
->pub_encode
!= NULL
215 && !a
->ameth
->pub_encode(xpk
, a
))
217 xpk
->pkey
= (EVP_PKEY
*)a
;
218 ret
= i2d_X509_PUBKEY(xpk
, pp
);
221 X509_PUBKEY_free(xpk
);
226 * The following are equivalents but which return RSA and DSA keys
228 #ifndef OPENSSL_NO_RSA
229 RSA
*d2i_RSA_PUBKEY(RSA
**a
, const unsigned char **pp
, long length
)
233 const unsigned char *q
;
236 pkey
= d2i_PUBKEY(NULL
, &q
, length
);
239 key
= EVP_PKEY_get1_RSA(pkey
);
251 int i2d_RSA_PUBKEY(const RSA
*a
, unsigned char **pp
)
257 pktmp
= EVP_PKEY_new();
259 ASN1err(ASN1_F_I2D_RSA_PUBKEY
, ERR_R_MALLOC_FAILURE
);
262 (void)EVP_PKEY_assign_RSA(pktmp
, (RSA
*)a
);
263 ret
= i2d_PUBKEY(pktmp
, pp
);
264 pktmp
->pkey
.ptr
= NULL
;
265 EVP_PKEY_free(pktmp
);
270 #ifndef OPENSSL_NO_DSA
271 DSA
*d2i_DSA_PUBKEY(DSA
**a
, const unsigned char **pp
, long length
)
275 const unsigned char *q
;
278 pkey
= d2i_PUBKEY(NULL
, &q
, length
);
281 key
= EVP_PKEY_get1_DSA(pkey
);
293 int i2d_DSA_PUBKEY(const DSA
*a
, unsigned char **pp
)
299 pktmp
= EVP_PKEY_new();
301 ASN1err(ASN1_F_I2D_DSA_PUBKEY
, ERR_R_MALLOC_FAILURE
);
304 (void)EVP_PKEY_assign_DSA(pktmp
, (DSA
*)a
);
305 ret
= i2d_PUBKEY(pktmp
, pp
);
306 pktmp
->pkey
.ptr
= NULL
;
307 EVP_PKEY_free(pktmp
);
312 #ifndef OPENSSL_NO_EC
313 EC_KEY
*d2i_EC_PUBKEY(EC_KEY
**a
, const unsigned char **pp
, long length
)
317 const unsigned char *q
;
320 pkey
= d2i_PUBKEY(NULL
, &q
, length
);
323 key
= EVP_PKEY_get1_EC_KEY(pkey
);
335 int i2d_EC_PUBKEY(const EC_KEY
*a
, unsigned char **pp
)
342 if ((pktmp
= EVP_PKEY_new()) == NULL
) {
343 ASN1err(ASN1_F_I2D_EC_PUBKEY
, ERR_R_MALLOC_FAILURE
);
346 (void)EVP_PKEY_assign_EC_KEY(pktmp
, (EC_KEY
*)a
);
347 ret
= i2d_PUBKEY(pktmp
, pp
);
348 pktmp
->pkey
.ptr
= NULL
;
349 EVP_PKEY_free(pktmp
);
354 int X509_PUBKEY_set0_param(X509_PUBKEY
*pub
, ASN1_OBJECT
*aobj
,
355 int ptype
, void *pval
,
356 unsigned char *penc
, int penclen
)
358 if (!X509_ALGOR_set0(pub
->algor
, aobj
, ptype
, pval
))
361 OPENSSL_free(pub
->public_key
->data
);
362 pub
->public_key
->data
= penc
;
363 pub
->public_key
->length
= penclen
;
364 /* Set number of unused bits to zero */
365 pub
->public_key
->flags
&= ~(ASN1_STRING_FLAG_BITS_LEFT
| 0x07);
366 pub
->public_key
->flags
|= ASN1_STRING_FLAG_BITS_LEFT
;
371 int X509_PUBKEY_get0_param(ASN1_OBJECT
**ppkalg
,
372 const unsigned char **pk
, int *ppklen
,
373 X509_ALGOR
**pa
, X509_PUBKEY
*pub
)
376 *ppkalg
= pub
->algor
->algorithm
;
378 *pk
= pub
->public_key
->data
;
379 *ppklen
= pub
->public_key
->length
;
386 ASN1_BIT_STRING
*X509_get0_pubkey_bitstr(const X509
*x
)
390 return x
->cert_info
.key
->public_key
;