1 /* 2 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/core_object.h> 21 #include <openssl/crypto.h> 22 #include <openssl/params.h> 23 #include <openssl/err.h> 24 #include <openssl/pem.h> /* For public PVK functions */ 25 #include <openssl/x509.h> 26 #include "internal/passphrase.h" 27 #include "crypto/pem.h" /* For internal PVK and "blob" headers */ 28 #include "crypto/rsa.h" 29 #include "prov/bio.h" 30 #include "prov/implementations.h" 31 #include "endecoder_local.h" 32 33 struct pvk2key_ctx_st; /* Forward declaration */ 34 typedef int check_key_fn(void *, struct pvk2key_ctx_st *ctx); 35 typedef void adjust_key_fn(void *, struct pvk2key_ctx_st *ctx); 36 typedef void *b2i_PVK_of_bio_pw_fn(BIO *in, pem_password_cb *cb, void *u, 37 OSSL_LIB_CTX *libctx, const char *propq); 38 typedef void free_key_fn(void *); 39 struct keytype_desc_st { 40 int type; /* EVP key type */ 41 const char *name; /* Keytype */ 42 const OSSL_DISPATCH *fns; /* Keymgmt (to pilfer functions from) */ 43 44 b2i_PVK_of_bio_pw_fn *read_private_key; 45 adjust_key_fn *adjust_key; 46 free_key_fn *free_key; 47 }; 48 49 static OSSL_FUNC_decoder_freectx_fn pvk2key_freectx; 50 static OSSL_FUNC_decoder_decode_fn pvk2key_decode; 51 static OSSL_FUNC_decoder_export_object_fn pvk2key_export_object; 52 53 /* 54 * Context used for DER to key decoding. 55 */ 56 struct pvk2key_ctx_st { 57 PROV_CTX *provctx; 58 const struct keytype_desc_st *desc; 59 /* The selection that is passed to der2key_decode() */ 60 int selection; 61 }; 62 63 static struct pvk2key_ctx_st * 64 pvk2key_newctx(void *provctx, const struct keytype_desc_st *desc) 65 { 66 struct pvk2key_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx)); 67 68 if (ctx != NULL) { 69 ctx->provctx = provctx; 70 ctx->desc = desc; 71 } 72 return ctx; 73 } 74 75 static void pvk2key_freectx(void *vctx) 76 { 77 struct pvk2key_ctx_st *ctx = vctx; 78 79 OPENSSL_free(ctx); 80 } 81 82 static int pvk2key_does_selection(void *provctx, int selection) 83 { 84 if (selection == 0) 85 return 1; 86 87 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) 88 return 1; 89 90 return 0; 91 } 92 93 static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, 94 OSSL_CALLBACK *data_cb, void *data_cbarg, 95 OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) 96 { 97 struct pvk2key_ctx_st *ctx = vctx; 98 BIO *in = ossl_bio_new_from_core_bio(ctx->provctx, cin); 99 void *key = NULL; 100 int ok = 0; 101 102 if (in == NULL) 103 return 0; 104 105 ctx->selection = selection; 106 107 if ((selection == 0 108 || (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) 109 && ctx->desc->read_private_key != NULL) { 110 struct ossl_passphrase_data_st pwdata; 111 int err, lib, reason; 112 113 memset(&pwdata, 0, sizeof(pwdata)); 114 if (!ossl_pw_set_ossl_passphrase_cb(&pwdata, pw_cb, pw_cbarg)) 115 goto end; 116 117 key = ctx->desc->read_private_key(in, ossl_pw_pvk_password, &pwdata, 118 PROV_LIBCTX_OF(ctx->provctx), NULL); 119 120 /* 121 * Because the PVK API doesn't have a separate decrypt call, we need 122 * to check the error queue for certain well known errors that are 123 * considered fatal and which we pass through, while the rest gets 124 * thrown away. 125 */ 126 err = ERR_peek_last_error(); 127 lib = ERR_GET_LIB(err); 128 reason = ERR_GET_REASON(err); 129 if (lib == ERR_LIB_PEM 130 && (reason == PEM_R_BAD_PASSWORD_READ 131 || reason == PEM_R_BAD_DECRYPT)) { 132 ERR_clear_last_mark(); 133 goto end; 134 } 135 136 if (selection != 0 && key == NULL) 137 goto next; 138 } 139 140 if (key != NULL && ctx->desc->adjust_key != NULL) 141 ctx->desc->adjust_key(key, ctx); 142 143 next: 144 /* 145 * Indicated that we successfully decoded something, or not at all. 146 * Ending up "empty handed" is not an error. 147 */ 148 ok = 1; 149 150 /* 151 * We free resources here so it's not held up during the callback, because 152 * we know the process is recursive and the allocated chunks of memory 153 * add up. 154 */ 155 BIO_free(in); 156 in = NULL; 157 158 if (key != NULL) { 159 OSSL_PARAM params[4]; 160 int object_type = OSSL_OBJECT_PKEY; 161 162 params[0] = 163 OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &object_type); 164 params[1] = 165 OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, 166 (char *)ctx->desc->name, 0); 167 /* The address of the key becomes the octet string */ 168 params[2] = 169 OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, 170 &key, sizeof(key)); 171 params[3] = OSSL_PARAM_construct_end(); 172 173 ok = data_cb(params, data_cbarg); 174 } 175 176 end: 177 BIO_free(in); 178 ctx->desc->free_key(key); 179 180 return ok; 181 } 182 183 static int pvk2key_export_object(void *vctx, 184 const void *reference, size_t reference_sz, 185 OSSL_CALLBACK *export_cb, void *export_cbarg) 186 { 187 struct pvk2key_ctx_st *ctx = vctx; 188 OSSL_FUNC_keymgmt_export_fn *export = 189 ossl_prov_get_keymgmt_export(ctx->desc->fns); 190 void *keydata; 191 192 if (reference_sz == sizeof(keydata) && export != NULL) { 193 int selection = ctx->selection; 194 195 if (selection == 0) 196 selection = OSSL_KEYMGMT_SELECT_ALL; 197 /* The contents of the reference is the address to our object */ 198 keydata = *(void **)reference; 199 200 return export(keydata, selection, export_cb, export_cbarg); 201 } 202 return 0; 203 } 204 205 /* ---------------------------------------------------------------------- */ 206 207 #define dsa_private_key_bio (b2i_PVK_of_bio_pw_fn *)b2i_DSA_PVK_bio_ex 208 #define dsa_adjust NULL 209 #define dsa_free (void (*)(void *))DSA_free 210 211 /* ---------------------------------------------------------------------- */ 212 213 #define rsa_private_key_bio (b2i_PVK_of_bio_pw_fn *)b2i_RSA_PVK_bio_ex 214 215 static void rsa_adjust(void *key, struct pvk2key_ctx_st *ctx) 216 { 217 ossl_rsa_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); 218 } 219 220 #define rsa_free (void (*)(void *))RSA_free 221 222 /* ---------------------------------------------------------------------- */ 223 224 #define IMPLEMENT_MS(KEYTYPE, keytype) \ 225 static const struct keytype_desc_st \ 226 pvk2##keytype##_desc = { \ 227 EVP_PKEY_##KEYTYPE, #KEYTYPE, \ 228 ossl_##keytype##_keymgmt_functions, \ 229 keytype##_private_key_bio, \ 230 keytype##_adjust, \ 231 keytype##_free \ 232 }; \ 233 static OSSL_FUNC_decoder_newctx_fn pvk2##keytype##_newctx; \ 234 static void *pvk2##keytype##_newctx(void *provctx) \ 235 { \ 236 return pvk2key_newctx(provctx, &pvk2##keytype##_desc); \ 237 } \ 238 const OSSL_DISPATCH \ 239 ossl_##pvk_to_##keytype##_decoder_functions[] = { \ 240 { OSSL_FUNC_DECODER_NEWCTX, \ 241 (void (*)(void))pvk2##keytype##_newctx }, \ 242 { OSSL_FUNC_DECODER_FREECTX, \ 243 (void (*)(void))pvk2key_freectx }, \ 244 { OSSL_FUNC_DECODER_DOES_SELECTION, \ 245 (void (*)(void))pvk2key_does_selection }, \ 246 { OSSL_FUNC_DECODER_DECODE, \ 247 (void (*)(void))pvk2key_decode }, \ 248 { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ 249 (void (*)(void))pvk2key_export_object }, \ 250 { 0, NULL } \ 251 } 252 253 #ifndef OPENSSL_NO_DSA 254 IMPLEMENT_MS(DSA, dsa); 255 #endif 256 IMPLEMENT_MS(RSA, rsa); 257