1 /* 2 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/core_object.h> 21 #include <openssl/crypto.h> 22 #include <openssl/params.h> 23 #include <openssl/pem.h> /* For public PVK functions */ 24 #include <openssl/x509.h> 25 #include <openssl/err.h> 26 #include "internal/passphrase.h" 27 #include "crypto/pem.h" /* For internal PVK and "blob" headers */ 28 #include "crypto/rsa.h" 29 #include "prov/bio.h" 30 #include "prov/implementations.h" 31 #include "endecoder_local.h" 32 33 struct msblob2key_ctx_st; /* Forward declaration */ 34 typedef void *b2i_of_void_fn(const unsigned char **in, unsigned int bitlen, 35 int ispub); 36 typedef void adjust_key_fn(void *, struct msblob2key_ctx_st *ctx); 37 typedef void free_key_fn(void *); 38 struct keytype_desc_st { 39 int type; /* EVP key type */ 40 const char *name; /* Keytype */ 41 const OSSL_DISPATCH *fns; /* Keymgmt (to pilfer functions from) */ 42 43 b2i_of_void_fn *read_private_key; 44 b2i_of_void_fn *read_public_key; 45 adjust_key_fn *adjust_key; 46 free_key_fn *free_key; 47 }; 48 49 static OSSL_FUNC_decoder_freectx_fn msblob2key_freectx; 50 static OSSL_FUNC_decoder_decode_fn msblob2key_decode; 51 static OSSL_FUNC_decoder_export_object_fn msblob2key_export_object; 52 53 /* 54 * Context used for DER to key decoding. 55 */ 56 struct msblob2key_ctx_st { 57 PROV_CTX *provctx; 58 const struct keytype_desc_st *desc; 59 /* The selection that is passed to msblob2key_decode() */ 60 int selection; 61 }; 62 63 static struct msblob2key_ctx_st * 64 msblob2key_newctx(void *provctx, const struct keytype_desc_st *desc) 65 { 66 struct msblob2key_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx)); 67 68 if (ctx != NULL) { 69 ctx->provctx = provctx; 70 ctx->desc = desc; 71 } 72 return ctx; 73 } 74 75 static void msblob2key_freectx(void *vctx) 76 { 77 struct msblob2key_ctx_st *ctx = vctx; 78 79 OPENSSL_free(ctx); 80 } 81 82 static int msblob2key_does_selection(void *provctx, int selection) 83 { 84 if (selection == 0) 85 return 1; 86 87 if ((selection & (OSSL_KEYMGMT_SELECT_PRIVATE_KEY 88 | OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) != 0) 89 return 1; 90 91 return 0; 92 } 93 94 static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, 95 OSSL_CALLBACK *data_cb, void *data_cbarg, 96 OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) 97 { 98 struct msblob2key_ctx_st *ctx = vctx; 99 BIO *in = ossl_bio_new_from_core_bio(ctx->provctx, cin); 100 const unsigned char *p; 101 unsigned char hdr_buf[16], *buf = NULL; 102 unsigned int bitlen, magic, length; 103 int isdss = -1; 104 int ispub = -1; 105 void *key = NULL; 106 int ok = 0; 107 108 if (in == NULL) 109 return 0; 110 111 if (BIO_read(in, hdr_buf, 16) != 16) { 112 ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); 113 goto next; 114 } 115 ERR_set_mark(); 116 p = hdr_buf; 117 ok = ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) > 0; 118 ERR_pop_to_mark(); 119 if (!ok) 120 goto next; 121 122 ctx->selection = selection; 123 ok = 0; /* Assume that we fail */ 124 125 if ((isdss && ctx->desc->type != EVP_PKEY_DSA) 126 || (!isdss && ctx->desc->type != EVP_PKEY_RSA)) 127 goto next; 128 129 length = ossl_blob_length(bitlen, isdss, ispub); 130 if (length > BLOB_MAX_LENGTH) { 131 ERR_raise(ERR_LIB_PEM, PEM_R_HEADER_TOO_LONG); 132 goto next; 133 } 134 buf = OPENSSL_malloc(length); 135 if (buf == NULL) { 136 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 137 goto end; 138 } 139 p = buf; 140 if (BIO_read(in, buf, length) != (int)length) { 141 ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); 142 goto next; 143 } 144 145 if ((selection == 0 146 || (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) 147 && !ispub 148 && ctx->desc->read_private_key != NULL) { 149 struct ossl_passphrase_data_st pwdata; 150 151 memset(&pwdata, 0, sizeof(pwdata)); 152 if (!ossl_pw_set_ossl_passphrase_cb(&pwdata, pw_cb, pw_cbarg)) 153 goto end; 154 p = buf; 155 key = ctx->desc->read_private_key(&p, bitlen, ispub); 156 if (selection != 0 && key == NULL) 157 goto next; 158 } 159 if (key == NULL && (selection == 0 160 || (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) 161 && ispub 162 && ctx->desc->read_public_key != NULL) { 163 p = buf; 164 key = ctx->desc->read_public_key(&p, bitlen, ispub); 165 if (selection != 0 && key == NULL) 166 goto next; 167 } 168 169 if (key != NULL && ctx->desc->adjust_key != NULL) 170 ctx->desc->adjust_key(key, ctx); 171 172 next: 173 /* 174 * Indicated that we successfully decoded something, or not at all. 175 * Ending up "empty handed" is not an error. 176 */ 177 ok = 1; 178 179 /* 180 * We free resources here so it's not held up during the callback, because 181 * we know the process is recursive and the allocated chunks of memory 182 * add up. 183 */ 184 OPENSSL_free(buf); 185 BIO_free(in); 186 buf = NULL; 187 in = NULL; 188 189 if (key != NULL) { 190 OSSL_PARAM params[4]; 191 int object_type = OSSL_OBJECT_PKEY; 192 193 params[0] = 194 OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &object_type); 195 params[1] = 196 OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, 197 (char *)ctx->desc->name, 0); 198 /* The address of the key becomes the octet string */ 199 params[2] = 200 OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, 201 &key, sizeof(key)); 202 params[3] = OSSL_PARAM_construct_end(); 203 204 ok = data_cb(params, data_cbarg); 205 } 206 207 end: 208 BIO_free(in); 209 OPENSSL_free(buf); 210 ctx->desc->free_key(key); 211 212 return ok; 213 } 214 215 static int 216 msblob2key_export_object(void *vctx, 217 const void *reference, size_t reference_sz, 218 OSSL_CALLBACK *export_cb, void *export_cbarg) 219 { 220 struct msblob2key_ctx_st *ctx = vctx; 221 OSSL_FUNC_keymgmt_export_fn *export = 222 ossl_prov_get_keymgmt_export(ctx->desc->fns); 223 void *keydata; 224 225 if (reference_sz == sizeof(keydata) && export != NULL) { 226 int selection = ctx->selection; 227 228 if (selection == 0) 229 selection = OSSL_KEYMGMT_SELECT_ALL; 230 /* The contents of the reference is the address to our object */ 231 keydata = *(void **)reference; 232 233 return export(keydata, selection, export_cb, export_cbarg); 234 } 235 return 0; 236 } 237 238 /* ---------------------------------------------------------------------- */ 239 240 #define dsa_decode_private_key (b2i_of_void_fn *)ossl_b2i_DSA_after_header 241 #define dsa_decode_public_key (b2i_of_void_fn *)ossl_b2i_DSA_after_header 242 #define dsa_adjust NULL 243 #define dsa_free (void (*)(void *))DSA_free 244 245 /* ---------------------------------------------------------------------- */ 246 247 #define rsa_decode_private_key (b2i_of_void_fn *)ossl_b2i_RSA_after_header 248 #define rsa_decode_public_key (b2i_of_void_fn *)ossl_b2i_RSA_after_header 249 250 static void rsa_adjust(void *key, struct msblob2key_ctx_st *ctx) 251 { 252 ossl_rsa_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); 253 } 254 255 #define rsa_free (void (*)(void *))RSA_free 256 257 /* ---------------------------------------------------------------------- */ 258 259 #define IMPLEMENT_MSBLOB(KEYTYPE, keytype) \ 260 static const struct keytype_desc_st mstype##2##keytype##_desc = { \ 261 EVP_PKEY_##KEYTYPE, #KEYTYPE, \ 262 ossl_##keytype##_keymgmt_functions, \ 263 keytype##_decode_private_key, \ 264 keytype##_decode_public_key, \ 265 keytype##_adjust, \ 266 keytype##_free \ 267 }; \ 268 static OSSL_FUNC_decoder_newctx_fn msblob2##keytype##_newctx; \ 269 static void *msblob2##keytype##_newctx(void *provctx) \ 270 { \ 271 return msblob2key_newctx(provctx, &mstype##2##keytype##_desc); \ 272 } \ 273 const OSSL_DISPATCH \ 274 ossl_msblob_to_##keytype##_decoder_functions[] = { \ 275 { OSSL_FUNC_DECODER_NEWCTX, \ 276 (void (*)(void))msblob2##keytype##_newctx }, \ 277 { OSSL_FUNC_DECODER_FREECTX, \ 278 (void (*)(void))msblob2key_freectx }, \ 279 { OSSL_FUNC_DECODER_DOES_SELECTION, \ 280 (void (*)(void))msblob2key_does_selection }, \ 281 { OSSL_FUNC_DECODER_DECODE, \ 282 (void (*)(void))msblob2key_decode }, \ 283 { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ 284 (void (*)(void))msblob2key_export_object }, \ 285 { 0, NULL } \ 286 } 287 288 #ifndef OPENSSL_NO_DSA 289 IMPLEMENT_MSBLOB(DSA, dsa); 290 #endif 291 IMPLEMENT_MSBLOB(RSA, rsa); 292