1 /*
2 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/e_os.h"
11 #include <string.h>
12
13 #include <openssl/core.h>
14 #include <openssl/core_names.h>
15 #include <openssl/core_object.h>
16 #include <openssl/err.h>
17 #include <openssl/pkcs12.h>
18 #include <openssl/provider.h>
19 #include <openssl/decoder.h>
20 #include <openssl/store.h>
21 #include "internal/provider.h"
22 #include "internal/passphrase.h"
23 #include "crypto/decoder.h"
24 #include "crypto/evp.h"
25 #include "crypto/x509.h"
26 #include "store_local.h"
27
28 #ifndef OSSL_OBJECT_PKCS12
29 /*
30 * The object abstraction doesn't know PKCS#12, but we want to indicate
31 * it anyway, so we create our own. Since the public macros use positive
32 * numbers, negative ones should be fine. They must never slip out from
33 * this translation unit anyway.
34 */
35 # define OSSL_OBJECT_PKCS12 -1
36 #endif
37
38 /*
39 * ossl_store_handle_load_result() is initially written to be a companion
40 * to our 'file:' scheme provider implementation, but has been made generic
41 * to serve others as well.
42 *
43 * This result handler takes any object abstraction (see provider-object(7))
44 * and does the best it can with it. If the object is passed by value (not
45 * by reference), the contents are currently expected to be DER encoded.
46 * If an object type is specified, that will be respected; otherwise, this
47 * handler will guess the contents, by trying the following in order:
48 *
49 * 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
50 * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
51 * 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
52 * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
53 *
54 * For the 'file:' scheme implementation, this is division of labor. Since
55 * the libcrypto <-> provider interface currently doesn't support certain
56 * structures as first class objects, they must be unpacked from DER here
57 * rather than in the provider. The current exception is asymmetric keys,
58 * which can reside within the provider boundary, most of all thanks to
59 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
60 * reference.
61 */
62
63 struct extracted_param_data_st {
64 int object_type;
65 const char *data_type;
66 const char *input_type;
67 const char *data_structure;
68 const char *utf8_data;
69 const void *octet_data;
70 size_t octet_data_size;
71 const void *ref;
72 size_t ref_size;
73 const char *desc;
74 };
75
76 static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
77 static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
78 OSSL_STORE_CTX *, const OSSL_PROVIDER *,
79 OSSL_LIB_CTX *, const char *);
80 static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
81 OSSL_LIB_CTX *, const char *);
82 static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
83 OSSL_LIB_CTX *, const char *);
84 static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
85 OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *);
86
ossl_store_handle_load_result(const OSSL_PARAM params[],void * arg)87 int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
88 {
89 struct ossl_load_result_data_st *cbdata = arg;
90 OSSL_STORE_INFO **v = &cbdata->v;
91 OSSL_STORE_CTX *ctx = cbdata->ctx;
92 const OSSL_PROVIDER *provider =
93 OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader);
94 OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
95 const char *propq = ctx->properties;
96 const OSSL_PARAM *p;
97 struct extracted_param_data_st helper_data;
98
99 memset(&helper_data, 0, sizeof(helper_data));
100 helper_data.object_type = OSSL_OBJECT_UNKNOWN;
101
102 if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
103 && !OSSL_PARAM_get_int(p, &helper_data.object_type))
104 return 0;
105 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
106 if (p != NULL
107 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
108 return 0;
109 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
110 if (p != NULL
111 && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
112 &helper_data.octet_data_size)
113 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
114 return 0;
115 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE);
116 if (p != NULL
117 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure))
118 return 0;
119 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_INPUT_TYPE);
120 if (p != NULL
121 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.input_type))
122 return 0;
123 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
124 if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
125 &helper_data.ref_size))
126 return 0;
127 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
128 if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
129 return 0;
130
131 /*
132 * The helper functions return 0 on actual errors, otherwise 1, even if
133 * they didn't fill out |*v|.
134 */
135 ERR_set_mark();
136 if (*v == NULL && !try_name(&helper_data, v))
137 goto err;
138 ERR_pop_to_mark();
139 ERR_set_mark();
140 if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq))
141 goto err;
142 ERR_pop_to_mark();
143 ERR_set_mark();
144 if (*v == NULL && !try_cert(&helper_data, v, libctx, propq))
145 goto err;
146 ERR_pop_to_mark();
147 ERR_set_mark();
148 if (*v == NULL && !try_crl(&helper_data, v, libctx, propq))
149 goto err;
150 ERR_pop_to_mark();
151 ERR_set_mark();
152 if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq))
153 goto err;
154 ERR_pop_to_mark();
155
156 if (*v == NULL) {
157 const char *hint = "";
158
159 if (!OSSL_PROVIDER_available(libctx, "default"))
160 hint = ":maybe need to load the default provider?";
161 if (provider != NULL)
162 ERR_raise_data(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED, "provider=%s%s",
163 OSSL_PROVIDER_get0_name(provider), hint);
164 else if (hint[0] != '\0')
165 ERR_raise_data(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED, "%s", hint);
166 else
167 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED);
168 }
169
170 return (*v != NULL);
171 err:
172 ERR_clear_last_mark();
173 return 0;
174 }
175
try_name(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v)176 static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
177 {
178 if (data->object_type == OSSL_OBJECT_NAME) {
179 char *newname = NULL, *newdesc = NULL;
180
181 if (data->utf8_data == NULL)
182 return 0;
183 if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
184 || (data->desc != NULL
185 && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
186 || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
187 OPENSSL_free(newname);
188 OPENSSL_free(newdesc);
189 return 0;
190 }
191 OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
192 }
193 return 1;
194 }
195
196 /*
197 * For the rest of the object types, the provider code may not know what
198 * type of data it gave us, so we may need to figure that out on our own.
199 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
200 * only return 0 on error if the object type is known.
201 */
202
try_key_ref(struct extracted_param_data_st * data,OSSL_STORE_CTX * ctx,const OSSL_PROVIDER * provider,OSSL_LIB_CTX * libctx,const char * propq)203 static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
204 OSSL_STORE_CTX *ctx,
205 const OSSL_PROVIDER *provider,
206 OSSL_LIB_CTX *libctx, const char *propq)
207 {
208 EVP_PKEY *pk = NULL;
209 EVP_KEYMGMT *keymgmt = NULL;
210 void *keydata = NULL;
211 int try_fallback = 2;
212
213 /* If we have an object reference, we must have a data type */
214 if (data->data_type == NULL)
215 return 0;
216
217 keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
218 ERR_set_mark();
219 while (keymgmt != NULL && keydata == NULL && try_fallback-- > 0) {
220 /*
221 * There are two possible cases
222 *
223 * 1. The keymgmt is from the same provider as the loader,
224 * so we can use evp_keymgmt_load()
225 * 2. The keymgmt is from another provider, then we must
226 * do the export/import dance.
227 */
228 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
229 /* no point trying fallback here */
230 try_fallback = 0;
231 keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
232 } else {
233 struct evp_keymgmt_util_try_import_data_st import_data;
234 OSSL_FUNC_store_export_object_fn *export_object =
235 ctx->fetched_loader->p_export_object;
236
237 import_data.keymgmt = keymgmt;
238 import_data.keydata = NULL;
239 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
240
241 if (export_object != NULL) {
242 /*
243 * No need to check for errors here, the value of
244 * |import_data.keydata| is as much an indicator.
245 */
246 (void)export_object(ctx->loader_ctx,
247 data->ref, data->ref_size,
248 &evp_keymgmt_util_try_import,
249 &import_data);
250 }
251
252 keydata = import_data.keydata;
253 }
254
255 if (keydata == NULL && try_fallback > 0) {
256 EVP_KEYMGMT_free(keymgmt);
257 keymgmt = evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)provider,
258 data->data_type, propq);
259 if (keymgmt != NULL) {
260 ERR_pop_to_mark();
261 ERR_set_mark();
262 }
263 }
264 }
265 if (keydata != NULL) {
266 ERR_pop_to_mark();
267 pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
268 } else {
269 ERR_clear_last_mark();
270 }
271 EVP_KEYMGMT_free(keymgmt);
272
273 return pk;
274 }
275
try_key_value(struct extracted_param_data_st * data,OSSL_STORE_CTX * ctx,OSSL_PASSPHRASE_CALLBACK * cb,void * cbarg,OSSL_LIB_CTX * libctx,const char * propq,int * harderr)276 static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
277 OSSL_STORE_CTX *ctx,
278 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
279 OSSL_LIB_CTX *libctx, const char *propq,
280 int *harderr)
281 {
282 EVP_PKEY *pk = NULL;
283 OSSL_DECODER_CTX *decoderctx = NULL;
284 const unsigned char *pdata = data->octet_data;
285 size_t pdatalen = data->octet_data_size;
286 int selection = 0;
287
288 switch (ctx->expected_type) {
289 case 0:
290 break;
291 case OSSL_STORE_INFO_PARAMS:
292 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
293 break;
294 case OSSL_STORE_INFO_PUBKEY:
295 selection =
296 OSSL_KEYMGMT_SELECT_PUBLIC_KEY
297 | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
298 break;
299 case OSSL_STORE_INFO_PKEY:
300 selection = OSSL_KEYMGMT_SELECT_ALL;
301 break;
302 default:
303 return NULL;
304 }
305
306 decoderctx =
307 OSSL_DECODER_CTX_new_for_pkey(&pk, data->input_type, data->data_structure,
308 data->data_type, selection, libctx,
309 propq);
310 (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
311
312 /* No error if this couldn't be decoded */
313 (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);
314
315 /* Save the hard error state. */
316 *harderr = ossl_decoder_ctx_get_harderr(decoderctx);
317 OSSL_DECODER_CTX_free(decoderctx);
318
319 return pk;
320 }
321
322 typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
323
try_key_value_legacy(struct extracted_param_data_st * data,store_info_new_fn ** store_info_new,OSSL_STORE_CTX * ctx,OSSL_PASSPHRASE_CALLBACK * cb,void * cbarg,OSSL_LIB_CTX * libctx,const char * propq)324 static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
325 store_info_new_fn **store_info_new,
326 OSSL_STORE_CTX *ctx,
327 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
328 OSSL_LIB_CTX *libctx, const char *propq)
329 {
330 EVP_PKEY *pk = NULL;
331 const unsigned char *der = data->octet_data, *derp;
332 long der_len = (long)data->octet_data_size;
333
334 /* Try PUBKEY first, that's a real easy target */
335 if (ctx->expected_type == 0
336 || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) {
337 derp = der;
338 pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
339
340 if (pk != NULL)
341 *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
342 }
343
344 /* Try private keys next */
345 if (pk == NULL
346 && (ctx->expected_type == 0
347 || ctx->expected_type == OSSL_STORE_INFO_PKEY)) {
348 unsigned char *new_der = NULL;
349 X509_SIG *p8 = NULL;
350 PKCS8_PRIV_KEY_INFO *p8info = NULL;
351
352 /* See if it's an encrypted PKCS#8 and decrypt it. */
353 derp = der;
354 p8 = d2i_X509_SIG(NULL, &derp, der_len);
355
356 if (p8 != NULL) {
357 char pbuf[PEM_BUFSIZE];
358 size_t plen = 0;
359
360 if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
361 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ);
362 } else {
363 const X509_ALGOR *alg = NULL;
364 const ASN1_OCTET_STRING *oct = NULL;
365 int len = 0;
366
367 X509_SIG_get0(p8, &alg, &oct);
368
369 /*
370 * No need to check the returned value, |new_der|
371 * will be NULL on error anyway.
372 */
373 PKCS12_pbe_crypt(alg, pbuf, plen,
374 oct->data, oct->length,
375 &new_der, &len, 0);
376 der_len = len;
377 der = new_der;
378 }
379 X509_SIG_free(p8);
380 }
381
382 /*
383 * If the encrypted PKCS#8 couldn't be decrypted,
384 * |der| is NULL
385 */
386 if (der != NULL) {
387 /* Try to unpack an unencrypted PKCS#8, that's easy */
388 derp = der;
389 p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
390
391 if (p8info != NULL) {
392 pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
393 PKCS8_PRIV_KEY_INFO_free(p8info);
394 }
395 }
396
397 if (pk != NULL)
398 *store_info_new = OSSL_STORE_INFO_new_PKEY;
399
400 OPENSSL_free(new_der);
401 }
402
403 return pk;
404 }
405
try_key(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_STORE_CTX * ctx,const OSSL_PROVIDER * provider,OSSL_LIB_CTX * libctx,const char * propq)406 static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
407 OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
408 OSSL_LIB_CTX *libctx, const char *propq)
409 {
410 store_info_new_fn *store_info_new = NULL;
411 int harderr = 0;
412
413 if (data->object_type == OSSL_OBJECT_UNKNOWN
414 || data->object_type == OSSL_OBJECT_PKEY) {
415 EVP_PKEY *pk = NULL;
416
417 /* Prefer key by reference than key by value */
418 if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
419 pk = try_key_ref(data, ctx, provider, libctx, propq);
420
421 /*
422 * If for some reason we couldn't get a key, it's an error.
423 * It indicates that while decoders could make a key reference,
424 * the keymgmt somehow couldn't handle it, or doesn't have a
425 * OSSL_FUNC_keymgmt_load function.
426 */
427 if (pk == NULL)
428 return 0;
429 } else if (data->octet_data != NULL) {
430 OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
431 void *cbarg = &ctx->pwdata;
432
433 pk = try_key_value(data, ctx, cb, cbarg, libctx, propq, &harderr);
434
435 /*
436 * Desperate last maneuver, in case the decoders don't support
437 * the data we have, then we try on our own to at least get an
438 * engine provided legacy key.
439 * This is the same as der2key_decode() does, but in a limited
440 * way and within the walls of libcrypto.
441 */
442 if (pk == NULL && harderr == 0)
443 pk = try_key_value_legacy(data, &store_info_new, ctx,
444 cb, cbarg, libctx, propq);
445 }
446
447 if (pk != NULL) {
448 data->object_type = OSSL_OBJECT_PKEY;
449
450 if (store_info_new == NULL) {
451 /*
452 * We determined the object type for OSSL_STORE_INFO, which
453 * makes an explicit difference between an EVP_PKEY with just
454 * (domain) parameters and an EVP_PKEY with actual key
455 * material.
456 * The logic is that an EVP_PKEY with actual key material
457 * always has the public half.
458 */
459 if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
460 store_info_new = OSSL_STORE_INFO_new_PKEY;
461 else if (evp_keymgmt_util_has(pk,
462 OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
463 store_info_new = OSSL_STORE_INFO_new_PUBKEY;
464 else
465 store_info_new = OSSL_STORE_INFO_new_PARAMS;
466 }
467 *v = store_info_new(pk);
468 }
469
470 if (*v == NULL)
471 EVP_PKEY_free(pk);
472 }
473
474 return harderr == 0;
475 }
476
try_cert(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_LIB_CTX * libctx,const char * propq)477 static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
478 OSSL_LIB_CTX *libctx, const char *propq)
479 {
480 if (data->object_type == OSSL_OBJECT_UNKNOWN
481 || data->object_type == OSSL_OBJECT_CERT) {
482 /*
483 * In most cases, we can try to interpret the serialized
484 * data as a trusted cert (X509 + X509_AUX) and fall back
485 * to reading it as a normal cert (just X509), but if
486 * |data_type| (the PEM name) specifically declares it as a
487 * trusted cert, then no fallback should be engaged.
488 * |ignore_trusted| tells if the fallback can be used (1)
489 * or not (0).
490 */
491 int ignore_trusted = 1;
492 X509 *cert = X509_new_ex(libctx, propq);
493
494 if (cert == NULL)
495 return 0;
496
497 /* If we have a data type, it should be a PEM name */
498 if (data->data_type != NULL
499 && (OPENSSL_strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
500 ignore_trusted = 0;
501
502 if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data,
503 data->octet_data_size) == NULL
504 && (!ignore_trusted
505 || d2i_X509(&cert, (const unsigned char **)&data->octet_data,
506 data->octet_data_size) == NULL)) {
507 X509_free(cert);
508 cert = NULL;
509 }
510
511 if (cert != NULL) {
512 /* We determined the object type */
513 data->object_type = OSSL_OBJECT_CERT;
514 *v = OSSL_STORE_INFO_new_CERT(cert);
515 if (*v == NULL)
516 X509_free(cert);
517 }
518 }
519
520 return 1;
521 }
522
try_crl(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_LIB_CTX * libctx,const char * propq)523 static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
524 OSSL_LIB_CTX *libctx, const char *propq)
525 {
526 if (data->object_type == OSSL_OBJECT_UNKNOWN
527 || data->object_type == OSSL_OBJECT_CRL) {
528 X509_CRL *crl;
529
530 crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
531 data->octet_data_size);
532
533 if (crl != NULL)
534 /* We determined the object type */
535 data->object_type = OSSL_OBJECT_CRL;
536
537 if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
538 X509_CRL_free(crl);
539 crl = NULL;
540 }
541
542 if (crl != NULL)
543 *v = OSSL_STORE_INFO_new_CRL(crl);
544 if (*v == NULL)
545 X509_CRL_free(crl);
546 }
547
548 return 1;
549 }
550
try_pkcs12(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_STORE_CTX * ctx,OSSL_LIB_CTX * libctx,const char * propq)551 static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
552 OSSL_STORE_CTX *ctx,
553 OSSL_LIB_CTX *libctx, const char *propq)
554 {
555 int ok = 1;
556
557 /* There is no specific object type for PKCS12 */
558 if (data->object_type == OSSL_OBJECT_UNKNOWN) {
559 /* Initial parsing */
560 PKCS12 *p12;
561
562 p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
563 data->octet_data_size);
564
565 if (p12 != NULL) {
566 char *pass = NULL;
567 char tpass[PEM_BUFSIZE + 1];
568 size_t tpass_len;
569 EVP_PKEY *pkey = NULL;
570 X509 *cert = NULL;
571 STACK_OF(X509) *chain = NULL;
572
573 data->object_type = OSSL_OBJECT_PKCS12;
574
575 ok = 0; /* Assume decryption or parse error */
576
577 if (!PKCS12_mac_present(p12)
578 || PKCS12_verify_mac(p12, NULL, 0)) {
579 pass = NULL;
580 } else if (PKCS12_verify_mac(p12, "", 0)) {
581 pass = "";
582 } else {
583 static char prompt_info[] = "PKCS12 import pass phrase";
584 OSSL_PARAM pw_params[] = {
585 OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
586 prompt_info,
587 sizeof(prompt_info) - 1),
588 OSSL_PARAM_END
589 };
590
591 if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1,
592 &tpass_len,
593 pw_params, 0, &ctx->pwdata)) {
594 ERR_raise(ERR_LIB_OSSL_STORE,
595 OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
596 goto p12_end;
597 }
598 pass = tpass;
599 /*
600 * ossl_pw_get_passphrase() does not NUL terminate but
601 * we must do it for PKCS12_parse()
602 */
603 pass[tpass_len] = '\0';
604 if (!PKCS12_verify_mac(p12, pass, tpass_len)) {
605 ERR_raise_data(ERR_LIB_OSSL_STORE,
606 OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
607 tpass_len == 0 ? "empty password" :
608 "maybe wrong password");
609 goto p12_end;
610 }
611 }
612
613 if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
614 STACK_OF(OSSL_STORE_INFO) *infos = NULL;
615 OSSL_STORE_INFO *osi_pkey = NULL;
616 OSSL_STORE_INFO *osi_cert = NULL;
617 OSSL_STORE_INFO *osi_ca = NULL;
618
619 ok = 1; /* Parsing went through correctly! */
620
621 if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
622 if (pkey != NULL) {
623 if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
624 /* clearing pkey here avoids case distinctions */
625 && (pkey = NULL) == NULL
626 && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
627 osi_pkey = NULL;
628 else
629 ok = 0;
630 }
631 if (ok && cert != NULL) {
632 if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
633 /* clearing cert here avoids case distinctions */
634 && (cert = NULL) == NULL
635 && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
636 osi_cert = NULL;
637 else
638 ok = 0;
639 }
640 while (ok && sk_X509_num(chain) > 0) {
641 X509 *ca = sk_X509_value(chain, 0);
642
643 if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
644 && sk_X509_shift(chain) != NULL
645 && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
646 osi_ca = NULL;
647 else
648 ok = 0;
649 }
650 }
651 EVP_PKEY_free(pkey);
652 X509_free(cert);
653 OSSL_STACK_OF_X509_free(chain);
654 OSSL_STORE_INFO_free(osi_pkey);
655 OSSL_STORE_INFO_free(osi_cert);
656 OSSL_STORE_INFO_free(osi_ca);
657 if (!ok) {
658 sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
659 infos = NULL;
660 }
661 ctx->cached_info = infos;
662 }
663 p12_end:
664 OPENSSL_cleanse(tpass, sizeof(tpass));
665 PKCS12_free(p12);
666 }
667 *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
668 }
669
670 return ok;
671 }
672