1 /*
2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * Low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include <openssl/buffer.h>
19 #include <openssl/asn1.h>
20 #include <openssl/evp.h>
21 #include <openssl/x509.h>
22 #include <openssl/x509_acert.h>
23 #include <openssl/http.h>
24 #include <openssl/rsa.h>
25 #include <openssl/dsa.h>
26 #include <openssl/x509v3.h>
27 #include "internal/asn1.h"
28 #include "crypto/pkcs7.h"
29 #include "crypto/x509.h"
30 #include "crypto/x509_acert.h"
31 #include "crypto/rsa.h"
32
X509_verify(X509 * a,EVP_PKEY * r)33 int X509_verify(X509 *a, EVP_PKEY *r)
34 {
35 if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature) != 0)
36 return 0;
37
38 return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
39 &a->signature, &a->cert_info,
40 a->distinguishing_id, r, a->libctx, a->propq);
41 }
42
X509_REQ_verify_ex(X509_REQ * a,EVP_PKEY * r,OSSL_LIB_CTX * libctx,const char * propq)43 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,
44 const char *propq)
45 {
46 if (X509_REQ_get_version(a) != X509_REQ_VERSION_1) {
47 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_VERSION);
48 return -1;
49 }
50
51 return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg,
52 a->signature, &a->req_info, a->distinguishing_id,
53 r, libctx, propq);
54 }
55
X509_REQ_verify(X509_REQ * a,EVP_PKEY * r)56 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
57 {
58 return X509_REQ_verify_ex(a, r, NULL, NULL);
59 }
60
X509_ACERT_verify(X509_ACERT * a,EVP_PKEY * r)61 int X509_ACERT_verify(X509_ACERT *a, EVP_PKEY *r)
62 {
63 if (X509_ALGOR_cmp(&a->sig_alg, &a->acinfo->signature) != 0)
64 return 0;
65
66 return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &a->sig_alg,
67 &a->signature, a->acinfo,
68 NULL, r, NULL, NULL);
69 }
70
NETSCAPE_SPKI_verify(NETSCAPE_SPKI * a,EVP_PKEY * r)71 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
72 {
73 return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
74 &a->sig_algor, a->signature, a->spkac, r);
75 }
76
X509_sign(X509 * x,EVP_PKEY * pkey,const EVP_MD * md)77 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
78 {
79 if (x == NULL) {
80 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
81 return 0;
82 }
83 if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0
84 && !X509_set_version(x, X509_VERSION_3))
85 return 0;
86
87 /*
88 * Setting the modified flag before signing it. This makes the cached
89 * encoding to be ignored, so even if the certificate fields have changed,
90 * they are signed correctly.
91 * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions
92 * which exist below are the same.
93 */
94 x->cert_info.enc.modified = 1;
95 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
96 &x->sig_alg, &x->signature, &x->cert_info, NULL,
97 pkey, md, x->libctx, x->propq);
98 }
99
X509_sign_ctx(X509 * x,EVP_MD_CTX * ctx)100 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
101 {
102 if (x == NULL) {
103 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
104 return 0;
105 }
106 if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0
107 && !X509_set_version(x, X509_VERSION_3))
108 return 0;
109 x->cert_info.enc.modified = 1;
110 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
111 &x->cert_info.signature,
112 &x->sig_alg, &x->signature, &x->cert_info, ctx);
113 }
114
simple_get_asn1(const char * url,BIO * bio,BIO * rbio,int timeout,const ASN1_ITEM * it)115 static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
116 int timeout, const ASN1_ITEM *it)
117 {
118 #ifndef OPENSSL_NO_HTTP
119 size_t max_resp_len = (it == ASN1_ITEM_rptr(X509_CRL)) ? OSSL_HTTP_DEFAULT_MAX_CRL_LEN : OSSL_HTTP_DEFAULT_MAX_RESP_LEN;
120 BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */,
121 bio, rbio, NULL /* cb */, NULL /* arg */,
122 1024 /* buf_size */, NULL /* headers */,
123 NULL /* expected_ct */, 1 /* expect_asn1 */,
124 max_resp_len, timeout);
125 ASN1_VALUE *res = ASN1_item_d2i_bio(it, mem, NULL);
126
127 BIO_free(mem);
128 return res;
129 #else
130 return 0;
131 #endif
132 }
133
X509_load_http(const char * url,BIO * bio,BIO * rbio,int timeout)134 X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
135 {
136 return (X509 *)simple_get_asn1(url, bio, rbio, timeout,
137 ASN1_ITEM_rptr(X509));
138 }
139
X509_REQ_sign(X509_REQ * x,EVP_PKEY * pkey,const EVP_MD * md)140 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
141 {
142 if (x == NULL) {
143 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
144 return 0;
145 }
146 x->req_info.enc.modified = 1;
147 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
148 x->signature, &x->req_info, NULL,
149 pkey, md, x->libctx, x->propq);
150 }
151
X509_REQ_sign_ctx(X509_REQ * x,EVP_MD_CTX * ctx)152 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
153 {
154 if (x == NULL) {
155 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
156 return 0;
157 }
158 x->req_info.enc.modified = 1;
159 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
160 &x->sig_alg, NULL, x->signature, &x->req_info,
161 ctx);
162 }
163
X509_CRL_sign(X509_CRL * x,EVP_PKEY * pkey,const EVP_MD * md)164 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
165 {
166 if (x == NULL) {
167 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
168 return 0;
169 }
170 x->crl.enc.modified = 1;
171 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
172 &x->sig_alg, &x->signature, &x->crl, NULL,
173 pkey, md, x->libctx, x->propq);
174 }
175
X509_CRL_sign_ctx(X509_CRL * x,EVP_MD_CTX * ctx)176 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
177 {
178 if (x == NULL) {
179 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
180 return 0;
181 }
182 x->crl.enc.modified = 1;
183 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
184 &x->crl.sig_alg, &x->sig_alg, &x->signature,
185 &x->crl, ctx);
186 }
187
X509_CRL_load_http(const char * url,BIO * bio,BIO * rbio,int timeout)188 X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
189 {
190 return (X509_CRL *)simple_get_asn1(url, bio, rbio, timeout,
191 ASN1_ITEM_rptr(X509_CRL));
192 }
193
X509_ACERT_sign(X509_ACERT * x,EVP_PKEY * pkey,const EVP_MD * md)194 int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md)
195 {
196 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &x->sig_alg,
197 &x->acinfo->signature,
198 &x->signature, x->acinfo, NULL,
199 pkey, md, NULL, NULL);
200 }
201
X509_ACERT_sign_ctx(X509_ACERT * x,EVP_MD_CTX * ctx)202 int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx)
203 {
204 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_ACERT_INFO),
205 &x->sig_alg, &x->acinfo->signature, &x->signature,
206 x->acinfo, ctx);
207 }
208
NETSCAPE_SPKI_sign(NETSCAPE_SPKI * x,EVP_PKEY * pkey,const EVP_MD * md)209 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
210 {
211 return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
212 x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
213 }
214
215 #ifndef OPENSSL_NO_STDIO
d2i_X509_fp(FILE * fp,X509 ** x509)216 X509 *d2i_X509_fp(FILE *fp, X509 **x509)
217 {
218 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
219 }
220
i2d_X509_fp(FILE * fp,const X509 * x509)221 int i2d_X509_fp(FILE *fp, const X509 *x509)
222 {
223 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
224 }
225 #endif
226
d2i_X509_bio(BIO * bp,X509 ** x509)227 X509 *d2i_X509_bio(BIO *bp, X509 **x509)
228 {
229 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
230 }
231
i2d_X509_bio(BIO * bp,const X509 * x509)232 int i2d_X509_bio(BIO *bp, const X509 *x509)
233 {
234 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
235 }
236
237 #ifndef OPENSSL_NO_STDIO
d2i_X509_CRL_fp(FILE * fp,X509_CRL ** crl)238 X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
239 {
240 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
241 }
242
i2d_X509_CRL_fp(FILE * fp,const X509_CRL * crl)243 int i2d_X509_CRL_fp(FILE *fp, const X509_CRL *crl)
244 {
245 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
246 }
247 #endif
248
d2i_X509_CRL_bio(BIO * bp,X509_CRL ** crl)249 X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
250 {
251 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
252 }
253
i2d_X509_CRL_bio(BIO * bp,const X509_CRL * crl)254 int i2d_X509_CRL_bio(BIO *bp, const X509_CRL *crl)
255 {
256 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
257 }
258
259 #ifndef OPENSSL_NO_STDIO
d2i_PKCS7_fp(FILE * fp,PKCS7 ** p7)260 PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
261 {
262 PKCS7 *ret;
263 OSSL_LIB_CTX *libctx = NULL;
264 const char *propq = NULL;
265
266 if (p7 != NULL && *p7 != NULL) {
267 libctx = (*p7)->ctx.libctx;
268 propq = (*p7)->ctx.propq;
269 }
270
271 ret = ASN1_item_d2i_fp_ex(ASN1_ITEM_rptr(PKCS7), fp, p7, libctx, propq);
272 if (ret != NULL)
273 ossl_pkcs7_resolve_libctx(ret);
274 return ret;
275 }
276
i2d_PKCS7_fp(FILE * fp,const PKCS7 * p7)277 int i2d_PKCS7_fp(FILE *fp, const PKCS7 *p7)
278 {
279 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
280 }
281 #endif
282
d2i_PKCS7_bio(BIO * bp,PKCS7 ** p7)283 PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
284 {
285 PKCS7 *ret;
286 OSSL_LIB_CTX *libctx = NULL;
287 const char *propq = NULL;
288
289 if (p7 != NULL && *p7 != NULL) {
290 libctx = (*p7)->ctx.libctx;
291 propq = (*p7)->ctx.propq;
292 }
293
294 ret = ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(PKCS7), bp, p7, libctx, propq);
295 if (ret != NULL)
296 ossl_pkcs7_resolve_libctx(ret);
297 return ret;
298 }
299
i2d_PKCS7_bio(BIO * bp,const PKCS7 * p7)300 int i2d_PKCS7_bio(BIO *bp, const PKCS7 *p7)
301 {
302 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
303 }
304
305 #ifndef OPENSSL_NO_STDIO
d2i_X509_REQ_fp(FILE * fp,X509_REQ ** req)306 X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
307 {
308 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
309 }
310
i2d_X509_REQ_fp(FILE * fp,const X509_REQ * req)311 int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req)
312 {
313 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
314 }
315 #endif
316
d2i_X509_REQ_bio(BIO * bp,X509_REQ ** req)317 X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
318 {
319 OSSL_LIB_CTX *libctx = NULL;
320 const char *propq = NULL;
321
322 if (req != NULL && *req != NULL) {
323 libctx = (*req)->libctx;
324 propq = (*req)->propq;
325 }
326
327 return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(X509_REQ), bp, req, libctx, propq);
328 }
329
i2d_X509_REQ_bio(BIO * bp,const X509_REQ * req)330 int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req)
331 {
332 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
333 }
334
335 #ifndef OPENSSL_NO_STDIO
d2i_RSAPrivateKey_fp(FILE * fp,RSA ** rsa)336 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
337 {
338 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
339 }
340
i2d_RSAPrivateKey_fp(FILE * fp,const RSA * rsa)341 int i2d_RSAPrivateKey_fp(FILE *fp, const RSA *rsa)
342 {
343 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
344 }
345
d2i_RSAPublicKey_fp(FILE * fp,RSA ** rsa)346 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
347 {
348 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
349 }
350
d2i_RSA_PUBKEY_fp(FILE * fp,RSA ** rsa)351 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
352 {
353 return ASN1_d2i_fp((void *(*)(void))
354 RSA_new,
355 (D2I_OF(void))d2i_RSA_PUBKEY, fp,
356 (void **)rsa);
357 }
358
i2d_RSAPublicKey_fp(FILE * fp,const RSA * rsa)359 int i2d_RSAPublicKey_fp(FILE *fp, const RSA *rsa)
360 {
361 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
362 }
363
i2d_RSA_PUBKEY_fp(FILE * fp,const RSA * rsa)364 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa)
365 {
366 return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY, fp, rsa);
367 }
368 #endif
369
d2i_RSAPrivateKey_bio(BIO * bp,RSA ** rsa)370 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
371 {
372 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
373 }
374
i2d_RSAPrivateKey_bio(BIO * bp,const RSA * rsa)375 int i2d_RSAPrivateKey_bio(BIO *bp, const RSA *rsa)
376 {
377 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
378 }
379
d2i_RSAPublicKey_bio(BIO * bp,RSA ** rsa)380 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
381 {
382 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
383 }
384
d2i_RSA_PUBKEY_bio(BIO * bp,RSA ** rsa)385 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
386 {
387 return ASN1_d2i_bio_of(RSA, RSA_new, d2i_RSA_PUBKEY, bp, rsa);
388 }
389
i2d_RSAPublicKey_bio(BIO * bp,const RSA * rsa)390 int i2d_RSAPublicKey_bio(BIO *bp, const RSA *rsa)
391 {
392 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
393 }
394
i2d_RSA_PUBKEY_bio(BIO * bp,const RSA * rsa)395 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa)
396 {
397 return ASN1_i2d_bio_of(RSA, i2d_RSA_PUBKEY, bp, rsa);
398 }
399
400 #ifndef OPENSSL_NO_DSA
401 #ifndef OPENSSL_NO_STDIO
d2i_DSAPrivateKey_fp(FILE * fp,DSA ** dsa)402 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
403 {
404 return ASN1_d2i_fp_of(DSA, DSA_new, d2i_DSAPrivateKey, fp, dsa);
405 }
406
i2d_DSAPrivateKey_fp(FILE * fp,const DSA * dsa)407 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa)
408 {
409 return ASN1_i2d_fp_of(DSA, i2d_DSAPrivateKey, fp, dsa);
410 }
411
d2i_DSA_PUBKEY_fp(FILE * fp,DSA ** dsa)412 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
413 {
414 return ASN1_d2i_fp_of(DSA, DSA_new, d2i_DSA_PUBKEY, fp, dsa);
415 }
416
i2d_DSA_PUBKEY_fp(FILE * fp,const DSA * dsa)417 int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa)
418 {
419 return ASN1_i2d_fp_of(DSA, i2d_DSA_PUBKEY, fp, dsa);
420 }
421 #endif
422
d2i_DSAPrivateKey_bio(BIO * bp,DSA ** dsa)423 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
424 {
425 return ASN1_d2i_bio_of(DSA, DSA_new, d2i_DSAPrivateKey, bp, dsa);
426 }
427
i2d_DSAPrivateKey_bio(BIO * bp,const DSA * dsa)428 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa)
429 {
430 return ASN1_i2d_bio_of(DSA, i2d_DSAPrivateKey, bp, dsa);
431 }
432
d2i_DSA_PUBKEY_bio(BIO * bp,DSA ** dsa)433 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
434 {
435 return ASN1_d2i_bio_of(DSA, DSA_new, d2i_DSA_PUBKEY, bp, dsa);
436 }
437
i2d_DSA_PUBKEY_bio(BIO * bp,const DSA * dsa)438 int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa)
439 {
440 return ASN1_i2d_bio_of(DSA, i2d_DSA_PUBKEY, bp, dsa);
441 }
442
443 #endif
444
445 #ifndef OPENSSL_NO_EC
446 #ifndef OPENSSL_NO_STDIO
d2i_EC_PUBKEY_fp(FILE * fp,EC_KEY ** eckey)447 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
448 {
449 return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_EC_PUBKEY, fp, eckey);
450 }
451
i2d_EC_PUBKEY_fp(FILE * fp,const EC_KEY * eckey)452 int i2d_EC_PUBKEY_fp(FILE *fp, const EC_KEY *eckey)
453 {
454 return ASN1_i2d_fp_of(EC_KEY, i2d_EC_PUBKEY, fp, eckey);
455 }
456
d2i_ECPrivateKey_fp(FILE * fp,EC_KEY ** eckey)457 EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
458 {
459 return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_ECPrivateKey, fp, eckey);
460 }
461
i2d_ECPrivateKey_fp(FILE * fp,const EC_KEY * eckey)462 int i2d_ECPrivateKey_fp(FILE *fp, const EC_KEY *eckey)
463 {
464 return ASN1_i2d_fp_of(EC_KEY, i2d_ECPrivateKey, fp, eckey);
465 }
466 #endif
d2i_EC_PUBKEY_bio(BIO * bp,EC_KEY ** eckey)467 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
468 {
469 return ASN1_d2i_bio_of(EC_KEY, EC_KEY_new, d2i_EC_PUBKEY, bp, eckey);
470 }
471
i2d_EC_PUBKEY_bio(BIO * bp,const EC_KEY * ecdsa)472 int i2d_EC_PUBKEY_bio(BIO *bp, const EC_KEY *ecdsa)
473 {
474 return ASN1_i2d_bio_of(EC_KEY, i2d_EC_PUBKEY, bp, ecdsa);
475 }
476
d2i_ECPrivateKey_bio(BIO * bp,EC_KEY ** eckey)477 EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
478 {
479 return ASN1_d2i_bio_of(EC_KEY, EC_KEY_new, d2i_ECPrivateKey, bp, eckey);
480 }
481
i2d_ECPrivateKey_bio(BIO * bp,const EC_KEY * eckey)482 int i2d_ECPrivateKey_bio(BIO *bp, const EC_KEY *eckey)
483 {
484 return ASN1_i2d_bio_of(EC_KEY, i2d_ECPrivateKey, bp, eckey);
485 }
486 #endif
487
X509_pubkey_digest(const X509 * data,const EVP_MD * type,unsigned char * md,unsigned int * len)488 int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
489 unsigned char *md, unsigned int *len)
490 {
491 ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(data);
492
493 if (key == NULL)
494 return 0;
495 return EVP_Digest(key->data, key->length, md, len, type, NULL);
496 }
497
X509_digest(const X509 * cert,const EVP_MD * md,unsigned char * data,unsigned int * len)498 int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data,
499 unsigned int *len)
500 {
501 if (EVP_MD_is_a(md, SN_sha1) && (cert->ex_flags & EXFLAG_SET) != 0
502 && (cert->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) {
503 /* Asking for SHA1 and we already computed it. */
504 if (len != NULL)
505 *len = sizeof(cert->sha1_hash);
506 memcpy(data, cert->sha1_hash, sizeof(cert->sha1_hash));
507 return 1;
508 }
509 return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
510 data, len, cert->libctx, cert->propq);
511 }
512
513 /* calculate cert digest using the same hash algorithm as in its signature */
X509_digest_sig(const X509 * cert,EVP_MD ** md_used,int * md_is_fallback)514 ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert,
515 EVP_MD **md_used, int *md_is_fallback)
516 {
517 unsigned int len;
518 unsigned char hash[EVP_MAX_MD_SIZE];
519 int mdnid, pknid;
520 EVP_MD *md = NULL;
521 const char *md_name;
522 ASN1_OCTET_STRING *new;
523
524 if (md_used != NULL)
525 *md_used = NULL;
526 if (md_is_fallback != NULL)
527 *md_is_fallback = 0;
528
529 if (cert == NULL) {
530 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
531 return NULL;
532 }
533
534 if (!OBJ_find_sigid_algs(X509_get_signature_nid(cert), &mdnid, &pknid)) {
535 ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_SIGID_ALGS);
536 return NULL;
537 }
538
539 if (mdnid == NID_undef) {
540 if (pknid == EVP_PKEY_RSA_PSS) {
541 RSA_PSS_PARAMS *pss = ossl_rsa_pss_decode(&cert->sig_alg);
542 const EVP_MD *mgf1md, *mmd = NULL;
543 int saltlen, trailerfield;
544
545 if (pss == NULL
546 || !ossl_rsa_pss_get_param_unverified(pss, &mmd, &mgf1md,
547 &saltlen,
548 &trailerfield)
549 || mmd == NULL) {
550 RSA_PSS_PARAMS_free(pss);
551 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM);
552 return NULL;
553 }
554 RSA_PSS_PARAMS_free(pss);
555 /* Fetch explicitly and do not fallback */
556 if ((md = EVP_MD_fetch(cert->libctx, EVP_MD_get0_name(mmd),
557 cert->propq))
558 == NULL)
559 /* Error code from fetch is sufficient */
560 return NULL;
561 } else if (pknid != NID_undef) {
562 /* A known algorithm, but without a digest */
563 switch (pknid) {
564 case NID_ED25519: /* Follow CMS default given in RFC8419 */
565 md_name = "SHA512";
566 break;
567 case NID_ED448: /* Follow CMS default given in RFC8419 */
568 md_name = "SHAKE256";
569 break;
570 default: /* Fall back to SHA-256 */
571 md_name = "SHA256";
572 break;
573 }
574 if ((md = EVP_MD_fetch(cert->libctx, md_name,
575 cert->propq))
576 == NULL)
577 return NULL;
578 if (md_is_fallback != NULL)
579 *md_is_fallback = 1;
580 } else {
581 /* A completely unknown algorithm */
582 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM);
583 return NULL;
584 }
585 } else if ((md = EVP_MD_fetch(cert->libctx, OBJ_nid2sn(mdnid),
586 cert->propq))
587 == NULL
588 && (md = (EVP_MD *)EVP_get_digestbynid(mdnid)) == NULL) {
589 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM);
590 return NULL;
591 }
592 if (!X509_digest(cert, md, hash, &len)
593 || (new = ASN1_OCTET_STRING_new()) == NULL)
594 goto err;
595 if (ASN1_OCTET_STRING_set(new, hash, len)) {
596 if (md_used != NULL)
597 *md_used = md;
598 else
599 EVP_MD_free(md);
600 return new;
601 }
602 ASN1_OCTET_STRING_free(new);
603 err:
604 EVP_MD_free(md);
605 return NULL;
606 }
607
X509_CRL_digest(const X509_CRL * data,const EVP_MD * type,unsigned char * md,unsigned int * len)608 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
609 unsigned char *md, unsigned int *len)
610 {
611 if (type == NULL) {
612 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
613 return 0;
614 }
615 if (EVP_MD_is_a(type, SN_sha1)
616 && (data->flags & EXFLAG_SET) != 0
617 && (data->flags & EXFLAG_NO_FINGERPRINT) == 0) {
618 /* Asking for SHA1; always computed in CRL d2i. */
619 if (len != NULL)
620 *len = sizeof(data->sha1_hash);
621 memcpy(md, data->sha1_hash, sizeof(data->sha1_hash));
622 return 1;
623 }
624 return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_CRL), type, (char *)data,
625 md, len, data->libctx, data->propq);
626 }
627
X509_REQ_digest(const X509_REQ * data,const EVP_MD * type,unsigned char * md,unsigned int * len)628 int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
629 unsigned char *md, unsigned int *len)
630 {
631 return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_REQ), type, (char *)data,
632 md, len, data->libctx, data->propq);
633 }
634
X509_NAME_digest(const X509_NAME * data,const EVP_MD * type,unsigned char * md,unsigned int * len)635 int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
636 unsigned char *md, unsigned int *len)
637 {
638 return ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data,
639 md, len);
640 }
641
PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL * data,const EVP_MD * type,unsigned char * md,unsigned int * len)642 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
643 const EVP_MD *type, unsigned char *md,
644 unsigned int *len)
645 {
646 return ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
647 (char *)data, md, len);
648 }
649
650 #ifndef OPENSSL_NO_STDIO
d2i_PKCS8_fp(FILE * fp,X509_SIG ** p8)651 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
652 {
653 return ASN1_d2i_fp_of(X509_SIG, X509_SIG_new, d2i_X509_SIG, fp, p8);
654 }
655
i2d_PKCS8_fp(FILE * fp,const X509_SIG * p8)656 int i2d_PKCS8_fp(FILE *fp, const X509_SIG *p8)
657 {
658 return ASN1_i2d_fp_of(X509_SIG, i2d_X509_SIG, fp, p8);
659 }
660 #endif
661
d2i_PKCS8_bio(BIO * bp,X509_SIG ** p8)662 X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
663 {
664 return ASN1_d2i_bio_of(X509_SIG, X509_SIG_new, d2i_X509_SIG, bp, p8);
665 }
666
i2d_PKCS8_bio(BIO * bp,const X509_SIG * p8)667 int i2d_PKCS8_bio(BIO *bp, const X509_SIG *p8)
668 {
669 return ASN1_i2d_bio_of(X509_SIG, i2d_X509_SIG, bp, p8);
670 }
671
672 #ifndef OPENSSL_NO_STDIO
d2i_X509_PUBKEY_fp(FILE * fp,X509_PUBKEY ** xpk)673 X509_PUBKEY *d2i_X509_PUBKEY_fp(FILE *fp, X509_PUBKEY **xpk)
674 {
675 return ASN1_d2i_fp_of(X509_PUBKEY, X509_PUBKEY_new, d2i_X509_PUBKEY,
676 fp, xpk);
677 }
678
i2d_X509_PUBKEY_fp(FILE * fp,const X509_PUBKEY * xpk)679 int i2d_X509_PUBKEY_fp(FILE *fp, const X509_PUBKEY *xpk)
680 {
681 return ASN1_i2d_fp_of(X509_PUBKEY, i2d_X509_PUBKEY, fp, xpk);
682 }
683 #endif
684
d2i_X509_PUBKEY_bio(BIO * bp,X509_PUBKEY ** xpk)685 X509_PUBKEY *d2i_X509_PUBKEY_bio(BIO *bp, X509_PUBKEY **xpk)
686 {
687 return ASN1_d2i_bio_of(X509_PUBKEY, X509_PUBKEY_new, d2i_X509_PUBKEY,
688 bp, xpk);
689 }
690
i2d_X509_PUBKEY_bio(BIO * bp,const X509_PUBKEY * xpk)691 int i2d_X509_PUBKEY_bio(BIO *bp, const X509_PUBKEY *xpk)
692 {
693 return ASN1_i2d_bio_of(X509_PUBKEY, i2d_X509_PUBKEY, bp, xpk);
694 }
695
696 #ifndef OPENSSL_NO_STDIO
d2i_PKCS8_PRIV_KEY_INFO_fp(FILE * fp,PKCS8_PRIV_KEY_INFO ** p8inf)697 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
698 PKCS8_PRIV_KEY_INFO **p8inf)
699 {
700 return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_new,
701 d2i_PKCS8_PRIV_KEY_INFO, fp, p8inf);
702 }
703
i2d_PKCS8_PRIV_KEY_INFO_fp(FILE * fp,const PKCS8_PRIV_KEY_INFO * p8inf)704 int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, const PKCS8_PRIV_KEY_INFO *p8inf)
705 {
706 return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO, fp,
707 p8inf);
708 }
709
i2d_PKCS8PrivateKeyInfo_fp(FILE * fp,const EVP_PKEY * key)710 int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, const EVP_PKEY *key)
711 {
712 PKCS8_PRIV_KEY_INFO *p8inf;
713 int ret;
714
715 p8inf = EVP_PKEY2PKCS8(key);
716 if (p8inf == NULL)
717 return 0;
718 ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
719 PKCS8_PRIV_KEY_INFO_free(p8inf);
720 return ret;
721 }
722
i2d_PrivateKey_fp(FILE * fp,const EVP_PKEY * pkey)723 int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey)
724 {
725 return ASN1_i2d_fp_of(EVP_PKEY, i2d_PrivateKey, fp, pkey);
726 }
727
d2i_PrivateKey_fp(FILE * fp,EVP_PKEY ** a)728 EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
729 {
730 return ASN1_d2i_fp_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, fp, a);
731 }
732
d2i_PrivateKey_ex_fp(FILE * fp,EVP_PKEY ** a,OSSL_LIB_CTX * libctx,const char * propq)733 EVP_PKEY *d2i_PrivateKey_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
734 const char *propq)
735 {
736 BIO *b;
737 void *ret;
738
739 if ((b = BIO_new(BIO_s_file())) == NULL) {
740 ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
741 return NULL;
742 }
743 BIO_set_fp(b, fp, BIO_NOCLOSE);
744 ret = d2i_PrivateKey_ex_bio(b, a, libctx, propq);
745 BIO_free(b);
746 return ret;
747 }
748
i2d_PUBKEY_fp(FILE * fp,const EVP_PKEY * pkey)749 int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey)
750 {
751 return ASN1_i2d_fp_of(EVP_PKEY, i2d_PUBKEY, fp, pkey);
752 }
753
d2i_PUBKEY_ex_fp(FILE * fp,EVP_PKEY ** a,OSSL_LIB_CTX * libctx,const char * propq)754 EVP_PKEY *d2i_PUBKEY_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
755 const char *propq)
756 {
757 BIO *b;
758 void *ret;
759
760 if ((b = BIO_new(BIO_s_file())) == NULL) {
761 ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
762 return NULL;
763 }
764 BIO_set_fp(b, fp, BIO_NOCLOSE);
765 ret = d2i_PUBKEY_ex_bio(b, a, libctx, propq);
766 BIO_free(b);
767 return ret;
768 }
769
d2i_PUBKEY_fp(FILE * fp,EVP_PKEY ** a)770 EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
771 {
772 return ASN1_d2i_fp_of(EVP_PKEY, EVP_PKEY_new, d2i_PUBKEY, fp, a);
773 }
774
775 #endif
776
d2i_PKCS8_PRIV_KEY_INFO_bio(BIO * bp,PKCS8_PRIV_KEY_INFO ** p8inf)777 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
778 PKCS8_PRIV_KEY_INFO **p8inf)
779 {
780 return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_new,
781 d2i_PKCS8_PRIV_KEY_INFO, bp, p8inf);
782 }
783
i2d_PKCS8_PRIV_KEY_INFO_bio(BIO * bp,const PKCS8_PRIV_KEY_INFO * p8inf)784 int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, const PKCS8_PRIV_KEY_INFO *p8inf)
785 {
786 return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO, bp,
787 p8inf);
788 }
789
i2d_PKCS8PrivateKeyInfo_bio(BIO * bp,const EVP_PKEY * key)790 int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, const EVP_PKEY *key)
791 {
792 PKCS8_PRIV_KEY_INFO *p8inf;
793 int ret;
794
795 p8inf = EVP_PKEY2PKCS8(key);
796 if (p8inf == NULL)
797 return 0;
798 ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
799 PKCS8_PRIV_KEY_INFO_free(p8inf);
800 return ret;
801 }
802
i2d_PrivateKey_bio(BIO * bp,const EVP_PKEY * pkey)803 int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey)
804 {
805 return ASN1_i2d_bio_of(EVP_PKEY, i2d_PrivateKey, bp, pkey);
806 }
807
d2i_PrivateKey_bio(BIO * bp,EVP_PKEY ** a)808 EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
809 {
810 return ASN1_d2i_bio_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, bp, a);
811 }
812
d2i_PrivateKey_ex_bio(BIO * bp,EVP_PKEY ** a,OSSL_LIB_CTX * libctx,const char * propq)813 EVP_PKEY *d2i_PrivateKey_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
814 const char *propq)
815 {
816 BUF_MEM *b = NULL;
817 const unsigned char *p;
818 void *ret = NULL;
819 int len;
820
821 len = asn1_d2i_read_bio(bp, &b);
822 if (len < 0)
823 goto err;
824
825 p = (unsigned char *)b->data;
826 ret = d2i_AutoPrivateKey_ex(a, &p, len, libctx, propq);
827 err:
828 BUF_MEM_free(b);
829 return ret;
830 }
831
i2d_PUBKEY_bio(BIO * bp,const EVP_PKEY * pkey)832 int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey)
833 {
834 return ASN1_i2d_bio_of(EVP_PKEY, i2d_PUBKEY, bp, pkey);
835 }
836
d2i_PUBKEY_ex_bio(BIO * bp,EVP_PKEY ** a,OSSL_LIB_CTX * libctx,const char * propq)837 EVP_PKEY *d2i_PUBKEY_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
838 const char *propq)
839 {
840 BUF_MEM *b = NULL;
841 const unsigned char *p;
842 void *ret = NULL;
843 int len;
844
845 len = asn1_d2i_read_bio(bp, &b);
846 if (len < 0)
847 goto err;
848
849 p = (unsigned char *)b->data;
850 ret = d2i_PUBKEY_ex(a, &p, len, libctx, propq);
851 err:
852 BUF_MEM_free(b);
853 return ret;
854 }
855
d2i_PUBKEY_bio(BIO * bp,EVP_PKEY ** a)856 EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
857 {
858 return ASN1_d2i_bio_of(EVP_PKEY, EVP_PKEY_new, d2i_PUBKEY, bp, a);
859 }
860
861 #ifndef OPENSSL_NO_STDIO
d2i_X509_ACERT_fp(FILE * fp,X509_ACERT ** acert)862 X509_ACERT *d2i_X509_ACERT_fp(FILE *fp, X509_ACERT **acert)
863 {
864 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_ACERT), fp, acert);
865 }
866
i2d_X509_ACERT_fp(FILE * fp,const X509_ACERT * acert)867 int i2d_X509_ACERT_fp(FILE *fp, const X509_ACERT *acert)
868 {
869 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_ACERT), fp, acert);
870 }
871 #endif
872
d2i_X509_ACERT_bio(BIO * bp,X509_ACERT ** acert)873 X509_ACERT *d2i_X509_ACERT_bio(BIO *bp, X509_ACERT **acert)
874 {
875 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_ACERT), bp, acert);
876 }
877
i2d_X509_ACERT_bio(BIO * bp,const X509_ACERT * acert)878 int i2d_X509_ACERT_bio(BIO *bp, const X509_ACERT *acert)
879 {
880 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_ACERT), bp, acert);
881 }
882