1 /* 2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <string.h> 17 18 #include <openssl/core_dispatch.h> 19 #include <openssl/core_names.h> 20 #include <openssl/core_object.h> 21 #include <openssl/crypto.h> 22 #include <openssl/params.h> 23 #include <openssl/err.h> 24 #include <openssl/pem.h> /* For public PVK functions */ 25 #include <openssl/x509.h> 26 #include "internal/passphrase.h" 27 #include "crypto/pem.h" /* For internal PVK and "blob" headers */ 28 #include "crypto/rsa.h" 29 #include "prov/bio.h" 30 #include "prov/implementations.h" 31 #include "endecoder_local.h" 32 33 struct pvk2key_ctx_st; /* Forward declaration */ 34 typedef int check_key_fn(void *, struct pvk2key_ctx_st *ctx); 35 typedef void adjust_key_fn(void *, struct pvk2key_ctx_st *ctx); 36 typedef void *b2i_PVK_of_bio_pw_fn(BIO *in, pem_password_cb *cb, void *u, 37 OSSL_LIB_CTX *libctx, const char *propq); 38 typedef void free_key_fn(void *); 39 struct keytype_desc_st { 40 int type; /* EVP key type */ 41 const char *name; /* Keytype */ 42 const OSSL_DISPATCH *fns; /* Keymgmt (to pilfer functions from) */ 43 44 b2i_PVK_of_bio_pw_fn *read_private_key; 45 adjust_key_fn *adjust_key; 46 free_key_fn *free_key; 47 }; 48 49 static OSSL_FUNC_decoder_freectx_fn pvk2key_freectx; 50 static OSSL_FUNC_decoder_decode_fn pvk2key_decode; 51 static OSSL_FUNC_decoder_export_object_fn pvk2key_export_object; 52 53 /* 54 * Context used for DER to key decoding. 55 */ 56 struct pvk2key_ctx_st { 57 PROV_CTX *provctx; 58 const struct keytype_desc_st *desc; 59 /* The selection that is passed to der2key_decode() */ 60 int selection; 61 }; 62 63 static struct pvk2key_ctx_st * 64 pvk2key_newctx(void *provctx, const struct keytype_desc_st *desc) 65 { 66 struct pvk2key_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx)); 67 68 if (ctx != NULL) { 69 ctx->provctx = provctx; 70 ctx->desc = desc; 71 } 72 return ctx; 73 } 74 75 static void pvk2key_freectx(void *vctx) 76 { 77 struct pvk2key_ctx_st *ctx = vctx; 78 79 OPENSSL_free(ctx); 80 } 81 82 static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, 83 OSSL_CALLBACK *data_cb, void *data_cbarg, 84 OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) 85 { 86 struct pvk2key_ctx_st *ctx = vctx; 87 BIO *in = ossl_bio_new_from_core_bio(ctx->provctx, cin); 88 void *key = NULL; 89 int ok = 0; 90 91 if (in == NULL) 92 return 0; 93 94 ctx->selection = selection; 95 96 if ((selection == 0 97 || (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) 98 && ctx->desc->read_private_key != NULL) { 99 struct ossl_passphrase_data_st pwdata; 100 int err, lib, reason; 101 102 memset(&pwdata, 0, sizeof(pwdata)); 103 if (!ossl_pw_set_ossl_passphrase_cb(&pwdata, pw_cb, pw_cbarg)) 104 goto end; 105 106 key = ctx->desc->read_private_key(in, ossl_pw_pvk_password, &pwdata, 107 PROV_LIBCTX_OF(ctx->provctx), NULL); 108 109 /* 110 * Because the PVK API doesn't have a separate decrypt call, we need 111 * to check the error queue for certain well known errors that are 112 * considered fatal and which we pass through, while the rest gets 113 * thrown away. 114 */ 115 err = ERR_peek_last_error(); 116 lib = ERR_GET_LIB(err); 117 reason = ERR_GET_REASON(err); 118 if (lib == ERR_LIB_PEM 119 && (reason == PEM_R_BAD_PASSWORD_READ 120 || reason == PEM_R_BAD_DECRYPT)) { 121 ERR_clear_last_mark(); 122 goto end; 123 } 124 125 if (selection != 0 && key == NULL) 126 goto next; 127 } 128 129 if (key != NULL && ctx->desc->adjust_key != NULL) 130 ctx->desc->adjust_key(key, ctx); 131 132 next: 133 /* 134 * Indicated that we successfully decoded something, or not at all. 135 * Ending up "empty handed" is not an error. 136 */ 137 ok = 1; 138 139 /* 140 * We free resources here so it's not held up during the callback, because 141 * we know the process is recursive and the allocated chunks of memory 142 * add up. 143 */ 144 BIO_free(in); 145 in = NULL; 146 147 if (key != NULL) { 148 OSSL_PARAM params[4]; 149 int object_type = OSSL_OBJECT_PKEY; 150 151 params[0] = 152 OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &object_type); 153 params[1] = 154 OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, 155 (char *)ctx->desc->name, 0); 156 /* The address of the key becomes the octet string */ 157 params[2] = 158 OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, 159 &key, sizeof(key)); 160 params[3] = OSSL_PARAM_construct_end(); 161 162 ok = data_cb(params, data_cbarg); 163 } 164 165 end: 166 BIO_free(in); 167 ctx->desc->free_key(key); 168 169 return ok; 170 } 171 172 static int pvk2key_export_object(void *vctx, 173 const void *reference, size_t reference_sz, 174 OSSL_CALLBACK *export_cb, void *export_cbarg) 175 { 176 struct pvk2key_ctx_st *ctx = vctx; 177 OSSL_FUNC_keymgmt_export_fn *export = 178 ossl_prov_get_keymgmt_export(ctx->desc->fns); 179 void *keydata; 180 181 if (reference_sz == sizeof(keydata) && export != NULL) { 182 /* The contents of the reference is the address to our object */ 183 keydata = *(void **)reference; 184 185 return export(keydata, ctx->selection, export_cb, export_cbarg); 186 } 187 return 0; 188 } 189 190 /* ---------------------------------------------------------------------- */ 191 192 #define dsa_private_key_bio (b2i_PVK_of_bio_pw_fn *)b2i_DSA_PVK_bio_ex 193 #define dsa_adjust NULL 194 #define dsa_free (void (*)(void *))DSA_free 195 196 /* ---------------------------------------------------------------------- */ 197 198 #define rsa_private_key_bio (b2i_PVK_of_bio_pw_fn *)b2i_RSA_PVK_bio_ex 199 200 static void rsa_adjust(void *key, struct pvk2key_ctx_st *ctx) 201 { 202 ossl_rsa_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); 203 } 204 205 #define rsa_free (void (*)(void *))RSA_free 206 207 /* ---------------------------------------------------------------------- */ 208 209 #define IMPLEMENT_MS(KEYTYPE, keytype) \ 210 static const struct keytype_desc_st \ 211 pvk2##keytype##_desc = { \ 212 EVP_PKEY_##KEYTYPE, #KEYTYPE, \ 213 ossl_##keytype##_keymgmt_functions, \ 214 keytype##_private_key_bio, \ 215 keytype##_adjust, \ 216 keytype##_free \ 217 }; \ 218 static OSSL_FUNC_decoder_newctx_fn pvk2##keytype##_newctx; \ 219 static void *pvk2##keytype##_newctx(void *provctx) \ 220 { \ 221 return pvk2key_newctx(provctx, &pvk2##keytype##_desc); \ 222 } \ 223 const OSSL_DISPATCH \ 224 ossl_##pvk_to_##keytype##_decoder_functions[] = { \ 225 { OSSL_FUNC_DECODER_NEWCTX, \ 226 (void (*)(void))pvk2##keytype##_newctx }, \ 227 { OSSL_FUNC_DECODER_FREECTX, \ 228 (void (*)(void))pvk2key_freectx }, \ 229 { OSSL_FUNC_DECODER_DECODE, \ 230 (void (*)(void))pvk2key_decode }, \ 231 { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ 232 (void (*)(void))pvk2key_export_object }, \ 233 { 0, NULL } \ 234 } 235 236 #ifndef OPENSSL_NO_DSA 237 IMPLEMENT_MS(DSA, dsa); 238 #endif 239 IMPLEMENT_MS(RSA, rsa); 240