xref: /freebsd/crypto/openssl/crypto/encode_decode/encoder_pkey.c (revision b670c9bafc0e31c7609969bf374b2e80bdc00211) 
1 /*
2  * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/err.h>
11 #include <openssl/ui.h>
12 #include <openssl/params.h>
13 #include <openssl/encoder.h>
14 #include <openssl/core_names.h>
15 #include <openssl/provider.h>
16 #include <openssl/safestack.h>
17 #include <openssl/trace.h>
18 #include "internal/provider.h"
19 #include "internal/property.h"
20 #include "crypto/evp.h"
21 #include "encoder_local.h"
22 
23 DEFINE_STACK_OF(OSSL_ENCODER)
24 
25 int OSSL_ENCODER_CTX_set_cipher(OSSL_ENCODER_CTX *ctx,
26                                 const char *cipher_name,
27                                 const char *propquery)
28 {
29     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END };
30 
31     params[0] =
32         OSSL_PARAM_construct_utf8_string(OSSL_ENCODER_PARAM_CIPHER,
33                                          (void *)cipher_name, 0);
34     params[1] =
35         OSSL_PARAM_construct_utf8_string(OSSL_ENCODER_PARAM_PROPERTIES,
36                                          (void *)propquery, 0);
37 
38     return OSSL_ENCODER_CTX_set_params(ctx, params);
39 }
40 
41 int OSSL_ENCODER_CTX_set_passphrase(OSSL_ENCODER_CTX *ctx,
42                                     const unsigned char *kstr,
43                                     size_t klen)
44 {
45     return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
46 }
47 
48 int OSSL_ENCODER_CTX_set_passphrase_ui(OSSL_ENCODER_CTX *ctx,
49                                        const UI_METHOD *ui_method,
50                                        void *ui_data)
51 {
52     return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
53 }
54 
55 int OSSL_ENCODER_CTX_set_pem_password_cb(OSSL_ENCODER_CTX *ctx,
56                                          pem_password_cb *cb, void *cbarg)
57 {
58     return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
59 }
60 
61 int OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX *ctx,
62                                        OSSL_PASSPHRASE_CALLBACK *cb,
63                                        void *cbarg)
64 {
65     return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
66 }
67 
68 /*
69  * Support for OSSL_ENCODER_CTX_new_for_type:
70  * finding a suitable encoder
71  */
72 
73 struct collected_encoder_st {
74     STACK_OF(OPENSSL_CSTRING) *names;
75     const char *output_structure;
76     const char *output_type;
77 
78     const OSSL_PROVIDER *keymgmt_prov;
79     OSSL_ENCODER_CTX *ctx;
80     unsigned int flag_find_same_provider:1;
81 
82     int error_occurred;
83 };
84 
85 static void collect_encoder(OSSL_ENCODER *encoder, void *arg)
86 {
87     struct collected_encoder_st *data = arg;
88     size_t i, end_i;
89 
90     if (data->error_occurred)
91         return;
92 
93     data->error_occurred = 1;     /* Assume the worst */
94 
95     if (data->names == NULL)
96         return;
97 
98     end_i = sk_OPENSSL_CSTRING_num(data->names);
99     for (i = 0; i < end_i; i++) {
100         const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
101         const OSSL_PROVIDER *prov = OSSL_ENCODER_get0_provider(encoder);
102         void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
103 
104         /*
105          * collect_encoder() is called in two passes, one where the encoders
106          * from the same provider as the keymgmt are looked up, and one where
107          * the other encoders are looked up.  |data->flag_find_same_provider|
108          * tells us which pass we're in.
109          */
110         if ((data->keymgmt_prov == prov) != data->flag_find_same_provider)
111             continue;
112 
113         if (!OSSL_ENCODER_is_a(encoder, name)
114             || (encoder->does_selection != NULL
115                 && !encoder->does_selection(provctx, data->ctx->selection))
116             || (data->keymgmt_prov != prov
117                 && encoder->import_object == NULL))
118             continue;
119 
120         /* Only add each encoder implementation once */
121         if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder))
122             break;
123     }
124 
125     data->error_occurred = 0;         /* All is good now */
126 }
127 
128 struct collected_names_st {
129     STACK_OF(OPENSSL_CSTRING) *names;
130     unsigned int error_occurred:1;
131 };
132 
133 static void collect_name(const char *name, void *arg)
134 {
135     struct collected_names_st *data = arg;
136 
137     if (data->error_occurred)
138         return;
139 
140     data->error_occurred = 1;         /* Assume the worst */
141 
142     if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
143         return;
144 
145     data->error_occurred = 0;         /* All is good now */
146 }
147 
148 /*
149  * Support for OSSL_ENCODER_to_bio:
150  * writing callback for the OSSL_PARAM (the implementation doesn't have
151  * intimate knowledge of the provider side object)
152  */
153 
154 struct construct_data_st {
155     const EVP_PKEY *pk;
156     int selection;
157 
158     OSSL_ENCODER_INSTANCE *encoder_inst;
159     const void *obj;
160     void *constructed_obj;
161 };
162 
163 static int encoder_import_cb(const OSSL_PARAM params[], void *arg)
164 {
165     struct construct_data_st *construct_data = arg;
166     OSSL_ENCODER_INSTANCE *encoder_inst = construct_data->encoder_inst;
167     OSSL_ENCODER *encoder = OSSL_ENCODER_INSTANCE_get_encoder(encoder_inst);
168     void *encoderctx = OSSL_ENCODER_INSTANCE_get_encoder_ctx(encoder_inst);
169 
170     construct_data->constructed_obj =
171         encoder->import_object(encoderctx, construct_data->selection, params);
172 
173     return (construct_data->constructed_obj != NULL);
174 }
175 
176 static const void *
177 encoder_construct_pkey(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg)
178 {
179     struct construct_data_st *data = arg;
180 
181     if (data->obj == NULL) {
182         OSSL_ENCODER *encoder =
183             OSSL_ENCODER_INSTANCE_get_encoder(encoder_inst);
184         const EVP_PKEY *pk = data->pk;
185         const OSSL_PROVIDER *k_prov = EVP_KEYMGMT_get0_provider(pk->keymgmt);
186         const OSSL_PROVIDER *e_prov = OSSL_ENCODER_get0_provider(encoder);
187 
188         if (k_prov != e_prov) {
189             int selection = data->selection;
190 
191             if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
192                 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
193             data->encoder_inst = encoder_inst;
194 
195             if (!evp_keymgmt_export(pk->keymgmt, pk->keydata, selection,
196                                     &encoder_import_cb, data))
197                 return NULL;
198             data->obj = data->constructed_obj;
199         } else {
200             data->obj = pk->keydata;
201         }
202     }
203 
204     return data->obj;
205 }
206 
207 static void encoder_destruct_pkey(void *arg)
208 {
209     struct construct_data_st *data = arg;
210 
211     if (data->encoder_inst != NULL) {
212         OSSL_ENCODER *encoder =
213             OSSL_ENCODER_INSTANCE_get_encoder(data->encoder_inst);
214 
215         encoder->free_object(data->constructed_obj);
216     }
217     data->constructed_obj = NULL;
218 }
219 
220 /*
221  * OSSL_ENCODER_CTX_new_for_pkey() returns a ctx with no encoder if
222  * it couldn't find a suitable encoder.  This allows a caller to detect if
223  * a suitable encoder was found, with OSSL_ENCODER_CTX_get_num_encoder(),
224  * and to use fallback methods if the result is NULL.
225  */
226 static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx,
227                                            const EVP_PKEY *pkey,
228                                            int selection,
229                                            const char *propquery)
230 {
231     struct construct_data_st *data = NULL;
232     const OSSL_PROVIDER *prov = NULL;
233     OSSL_LIB_CTX *libctx = NULL;
234     int ok = 0;
235 
236     if (!ossl_assert(ctx != NULL) || !ossl_assert(pkey != NULL)) {
237         ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER);
238         return 0;
239     }
240 
241     if (evp_pkey_is_provided(pkey)) {
242         prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt);
243         libctx = ossl_provider_libctx(prov);
244     }
245 
246     if (pkey->keymgmt != NULL) {
247         struct collected_encoder_st encoder_data;
248         struct collected_names_st keymgmt_data;
249 
250         if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL) {
251             ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
252             goto err;
253         }
254 
255         /*
256          * Select the first encoder implementations in two steps.
257          * First, collect the keymgmt names, then the encoders that match.
258          */
259         keymgmt_data.names = sk_OPENSSL_CSTRING_new_null();
260         if (keymgmt_data.names == NULL) {
261             ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
262             goto err;
263         }
264 
265         keymgmt_data.error_occurred = 0;
266         EVP_KEYMGMT_names_do_all(pkey->keymgmt, collect_name, &keymgmt_data);
267         if (keymgmt_data.error_occurred) {
268             sk_OPENSSL_CSTRING_free(keymgmt_data.names);
269             goto err;
270         }
271 
272         encoder_data.names = keymgmt_data.names;
273         encoder_data.output_type = ctx->output_type;
274         encoder_data.output_structure = ctx->output_structure;
275         encoder_data.error_occurred = 0;
276         encoder_data.keymgmt_prov = prov;
277         encoder_data.ctx = ctx;
278 
279         /*
280          * Place the encoders with the a different provider as the keymgmt
281          * last (the chain is processed in reverse order)
282          */
283         encoder_data.flag_find_same_provider = 0;
284         OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data);
285 
286         /*
287          * Place the encoders with the same provider as the keymgmt first
288          * (the chain is processed in reverse order)
289          */
290         encoder_data.flag_find_same_provider = 1;
291         OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data);
292 
293         sk_OPENSSL_CSTRING_free(keymgmt_data.names);
294         if (encoder_data.error_occurred) {
295             ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
296             goto err;
297         }
298     }
299 
300     if (data != NULL && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
301         if (!OSSL_ENCODER_CTX_set_construct(ctx, encoder_construct_pkey)
302             || !OSSL_ENCODER_CTX_set_construct_data(ctx, data)
303             || !OSSL_ENCODER_CTX_set_cleanup(ctx, encoder_destruct_pkey))
304             goto err;
305 
306         data->pk = pkey;
307         data->selection = selection;
308 
309         data = NULL;             /* Avoid it being freed */
310     }
311 
312     ok = 1;
313  err:
314     if (data != NULL) {
315         OSSL_ENCODER_CTX_set_construct_data(ctx, NULL);
316         OPENSSL_free(data);
317     }
318     return ok;
319 }
320 
321 OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY *pkey,
322                                                 int selection,
323                                                 const char *output_type,
324                                                 const char *output_struct,
325                                                 const char *propquery)
326 {
327     OSSL_ENCODER_CTX *ctx = NULL;
328     OSSL_LIB_CTX *libctx = NULL;
329 
330     if (pkey == NULL) {
331         ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER);
332         return NULL;
333     }
334 
335     if (!evp_pkey_is_assigned(pkey)) {
336         ERR_raise_data(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT,
337                        "The passed EVP_PKEY must be assigned a key");
338         return NULL;
339     }
340 
341     if ((ctx = OSSL_ENCODER_CTX_new()) == NULL) {
342         ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
343         return NULL;
344     }
345 
346     if (evp_pkey_is_provided(pkey)) {
347         const OSSL_PROVIDER *prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt);
348 
349         libctx = ossl_provider_libctx(prov);
350     }
351 
352     OSSL_TRACE_BEGIN(ENCODER) {
353         BIO_printf(trc_out,
354                    "(ctx %p) Looking for %s encoders with selection %d\n",
355                    (void *)ctx, EVP_PKEY_get0_type_name(pkey), selection);
356         BIO_printf(trc_out, "    output type: %s, output structure: %s\n",
357                    output_type, output_struct);
358     } OSSL_TRACE_END(ENCODER);
359 
360     if (OSSL_ENCODER_CTX_set_output_type(ctx, output_type)
361         && (output_struct == NULL
362             || OSSL_ENCODER_CTX_set_output_structure(ctx, output_struct))
363         && OSSL_ENCODER_CTX_set_selection(ctx, selection)
364         && ossl_encoder_ctx_setup_for_pkey(ctx, pkey, selection, propquery)
365         && OSSL_ENCODER_CTX_add_extra(ctx, libctx, propquery)) {
366         OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
367         int save_parameters = pkey->save_parameters;
368 
369         params[0] = OSSL_PARAM_construct_int(OSSL_ENCODER_PARAM_SAVE_PARAMETERS,
370                                              &save_parameters);
371         /* ignoring error as this is only auxiliary parameter */
372         (void)OSSL_ENCODER_CTX_set_params(ctx, params);
373 
374         OSSL_TRACE_BEGIN(ENCODER) {
375             BIO_printf(trc_out, "(ctx %p) Got %d encoders\n",
376                        (void *)ctx, OSSL_ENCODER_CTX_get_num_encoders(ctx));
377         } OSSL_TRACE_END(ENCODER);
378         return ctx;
379     }
380 
381     OSSL_ENCODER_CTX_free(ctx);
382     return NULL;
383 }
384