1 | /* $Id: key-file.cpp 86648 2020-10-20 13:59:45Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Crypto - Cryptographic Keys, File I/O.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2020 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 |
|
---|
28 | /*********************************************************************************************************************************
|
---|
29 | * Header Files *
|
---|
30 | *********************************************************************************************************************************/
|
---|
31 | #include "internal/iprt.h"
|
---|
32 | #include <iprt/crypto/key.h>
|
---|
33 |
|
---|
34 | #include <iprt/alloca.h>
|
---|
35 | #include <iprt/asm.h>
|
---|
36 | #include <iprt/assert.h>
|
---|
37 | #include <iprt/ctype.h>
|
---|
38 | #include <iprt/err.h>
|
---|
39 | #include <iprt/mem.h>
|
---|
40 | #include <iprt/memsafer.h>
|
---|
41 | #include <iprt/path.h>
|
---|
42 | #include <iprt/string.h>
|
---|
43 | #include <iprt/crypto/rsa.h>
|
---|
44 | #include <iprt/crypto/pkix.h>
|
---|
45 | #include <iprt/crypto/x509.h>
|
---|
46 |
|
---|
47 | #include "internal/magics.h"
|
---|
48 | #include "key-internal.h"
|
---|
49 |
|
---|
50 | #ifdef IPRT_WITH_OPENSSL
|
---|
51 | # include "internal/iprt-openssl.h"
|
---|
52 | # include "internal/openssl-pre.h"
|
---|
53 | # include <openssl/evp.h>
|
---|
54 | # include "internal/openssl-post.h"
|
---|
55 | # ifndef OPENSSL_VERSION_NUMBER
|
---|
56 | # error "Missing OPENSSL_VERSION_NUMBER!"
|
---|
57 | # endif
|
---|
58 | #endif
|
---|
59 |
|
---|
60 |
|
---|
61 | /*********************************************************************************************************************************
|
---|
62 | * Header Files *
|
---|
63 | *********************************************************************************************************************************/
|
---|
64 | /** RSA public key marker words. */
|
---|
65 | static RTCRPEMMARKERWORD const g_aWords_RsaPublicKey[] =
|
---|
66 | { { RT_STR_TUPLE("RSA") }, { RT_STR_TUPLE("PUBLIC") }, { RT_STR_TUPLE("KEY") } };
|
---|
67 | /** Generic public key marker words. */
|
---|
68 | static RTCRPEMMARKERWORD const g_aWords_PublicKey[] =
|
---|
69 | { { RT_STR_TUPLE("PUBLIC") }, { RT_STR_TUPLE("KEY") } };
|
---|
70 |
|
---|
71 | /** Public key markers. */
|
---|
72 | RT_DECL_DATA_CONST(RTCRPEMMARKER const) g_aRTCrKeyPublicMarkers[] =
|
---|
73 | {
|
---|
74 | { g_aWords_RsaPublicKey, RT_ELEMENTS(g_aWords_RsaPublicKey) },
|
---|
75 | { g_aWords_PublicKey, RT_ELEMENTS(g_aWords_PublicKey) },
|
---|
76 | };
|
---|
77 | /** Number of entries in g_aRTCrKeyPublicMarkers. */
|
---|
78 | RT_DECL_DATA_CONST(uint32_t const) g_cRTCrKeyPublicMarkers = RT_ELEMENTS(g_aRTCrKeyPublicMarkers);
|
---|
79 |
|
---|
80 |
|
---|
81 | /** RSA private key marker words. */
|
---|
82 | static RTCRPEMMARKERWORD const g_aWords_RsaPrivateKey[] =
|
---|
83 | { { RT_STR_TUPLE("RSA") }, { RT_STR_TUPLE("PRIVATE") }, { RT_STR_TUPLE("KEY") } };
|
---|
84 | /** Generic encrypted private key marker words. */
|
---|
85 | static RTCRPEMMARKERWORD const g_aWords_EncryptedPrivateKey[] =
|
---|
86 | { { RT_STR_TUPLE("ENCRYPTED") }, { RT_STR_TUPLE("PRIVATE") }, { RT_STR_TUPLE("KEY") } };
|
---|
87 | /** Generic private key marker words. */
|
---|
88 | static RTCRPEMMARKERWORD const g_aWords_PrivateKey[] =
|
---|
89 | { { RT_STR_TUPLE("PRIVATE") }, { RT_STR_TUPLE("KEY") } };
|
---|
90 |
|
---|
91 | /** Private key markers. */
|
---|
92 | RT_DECL_DATA_CONST(RTCRPEMMARKER const) g_aRTCrKeyPrivateMarkers[] =
|
---|
93 | {
|
---|
94 | { g_aWords_RsaPrivateKey, RT_ELEMENTS(g_aWords_RsaPrivateKey) },
|
---|
95 | { g_aWords_EncryptedPrivateKey, RT_ELEMENTS(g_aWords_EncryptedPrivateKey) },
|
---|
96 | { g_aWords_PrivateKey, RT_ELEMENTS(g_aWords_PrivateKey) },
|
---|
97 | };
|
---|
98 | /** Number of entries in g_aRTCrKeyPrivateMarkers. */
|
---|
99 | RT_DECL_DATA_CONST(uint32_t const) g_cRTCrKeyPrivateMarkers = RT_ELEMENTS(g_aRTCrKeyPrivateMarkers);
|
---|
100 |
|
---|
101 |
|
---|
102 | /** Private and public key markers. */
|
---|
103 | RT_DECL_DATA_CONST(RTCRPEMMARKER const) g_aRTCrKeyAllMarkers[] =
|
---|
104 | {
|
---|
105 | { g_aWords_RsaPublicKey, RT_ELEMENTS(g_aWords_RsaPublicKey) },
|
---|
106 | { g_aWords_PublicKey, RT_ELEMENTS(g_aWords_PublicKey) },
|
---|
107 | { g_aWords_RsaPrivateKey, RT_ELEMENTS(g_aWords_RsaPrivateKey) },
|
---|
108 | { g_aWords_EncryptedPrivateKey, RT_ELEMENTS(g_aWords_EncryptedPrivateKey) },
|
---|
109 | { g_aWords_PrivateKey, RT_ELEMENTS(g_aWords_PrivateKey) },
|
---|
110 | };
|
---|
111 | /** Number of entries in g_aRTCrKeyAllMarkers. */
|
---|
112 | RT_DECL_DATA_CONST(uint32_t const) g_cRTCrKeyAllMarkers = RT_ELEMENTS(g_aRTCrKeyAllMarkers);
|
---|
113 |
|
---|
114 |
|
---|
115 | /**
|
---|
116 | * Decrypts a PEM message.
|
---|
117 | *
|
---|
118 | * @returns IPRT status code
|
---|
119 | * @param pszDekInfo The decryption info. See RFC-1421 section 4.6.1.3
|
---|
120 | * as well as RFC-1423).
|
---|
121 | * @param pszPassword The password to use to decrypt the key text.
|
---|
122 | * @param pbEncrypted The encrypted key text.
|
---|
123 | * @param cbEncrypted The size of the encrypted text.
|
---|
124 | * @param ppbDecrypted Where to return the decrypted message. Free using RTMemSaferFree.
|
---|
125 | * @param pcbDecrypted Where to return the length of the decrypted message.
|
---|
126 | * @param pcbDecryptedAlloced Where to return the allocation size.
|
---|
127 | * @param pErrInfo Where to return additional error information.
|
---|
128 | */
|
---|
129 | static int rtCrKeyDecryptPemMessage(const char *pszDekInfo, const char *pszPassword, uint8_t *pbEncrypted, size_t cbEncrypted,
|
---|
130 | uint8_t **ppbDecrypted, size_t *pcbDecrypted, size_t *pcbDecryptedAlloced, PRTERRINFO pErrInfo)
|
---|
131 | {
|
---|
132 | /*
|
---|
133 | * Initialize return values.
|
---|
134 | */
|
---|
135 | *ppbDecrypted = NULL;
|
---|
136 | *pcbDecrypted = 0;
|
---|
137 | *pcbDecryptedAlloced = 0;
|
---|
138 |
|
---|
139 | /*
|
---|
140 | * Parse the DEK-Info.
|
---|
141 | */
|
---|
142 | if (!pszDekInfo)
|
---|
143 | return VERR_CR_KEY_NO_DEK_INFO;
|
---|
144 |
|
---|
145 | /* Find the end of the algorithm */
|
---|
146 | const char *pszParams = strchr(pszDekInfo, ',');
|
---|
147 | if (!pszParams)
|
---|
148 | pszParams = strchr(pszDekInfo, '\0');
|
---|
149 | size_t cchAlgo = pszParams - pszDekInfo;
|
---|
150 | while (cchAlgo > 0 && RT_C_IS_SPACE(pszDekInfo[cchAlgo - 1]))
|
---|
151 | cchAlgo--;
|
---|
152 |
|
---|
153 | /* Copy it out and zero terminating it. */
|
---|
154 | char szAlgo[256];
|
---|
155 | if (cchAlgo >= sizeof(szAlgo))
|
---|
156 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_DEK_INFO_TOO_LONG, "Algorithms list is too long (%s)", pszDekInfo);
|
---|
157 | memcpy(szAlgo, pszDekInfo, cchAlgo);
|
---|
158 | szAlgo[cchAlgo] = '\0';
|
---|
159 |
|
---|
160 | /* Parameters. */
|
---|
161 | pszParams = RTStrStripL(*pszParams == ',' ? pszParams + 1 : pszParams);
|
---|
162 | size_t const cchParams = strlen(pszParams);
|
---|
163 |
|
---|
164 | /*
|
---|
165 | * Do we support the cihper?
|
---|
166 | */
|
---|
167 | #ifdef IPRT_WITH_OPENSSL /** @todo abstract encryption & decryption. */
|
---|
168 | const EVP_CIPHER *pCipher = EVP_get_cipherbyname(szAlgo);
|
---|
169 | if (!pCipher)
|
---|
170 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_UNSUPPORTED_CIPHER, "Unknown key cipher: %s (params: %s)", szAlgo, pszParams);
|
---|
171 |
|
---|
172 | /* Decode the initialization vector if one is required. */
|
---|
173 | uint8_t *pbInitVector = NULL;
|
---|
174 | int const cbInitVector = EVP_CIPHER_iv_length(pCipher);
|
---|
175 | if (cbInitVector > 0)
|
---|
176 | {
|
---|
177 | if (*pszParams == '\0')
|
---|
178 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_MISSING_CIPHER_PARAMS,
|
---|
179 | "Cipher '%s' expected %u bytes initialization vector, none found", cbInitVector, szAlgo);
|
---|
180 | if ((size_t)cbInitVector > cchParams / 2)
|
---|
181 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_TOO_SHORT_CIPHER_IV,
|
---|
182 | "Too short initialization vector for '%s', expected %u chars found only %u: %s",
|
---|
183 | szAlgo, cbInitVector * 2, cchParams, pszParams);
|
---|
184 | pbInitVector = (uint8_t *)alloca(cbInitVector);
|
---|
185 | int rc = RTStrConvertHexBytes(pszParams, pbInitVector, cbInitVector, 0 /*fFlags*/);
|
---|
186 | if ( RT_FAILURE(rc)
|
---|
187 | && rc != VERR_BUFFER_OVERFLOW /* openssl ignores this condition */)
|
---|
188 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_MALFORMED_CIPHER_IV,
|
---|
189 | "Malformed initialization vector for '%s': %s (rc=%Rrc)", szAlgo, pszParams, rc);
|
---|
190 | }
|
---|
191 | else if (*pszParams != '\0')
|
---|
192 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_UNEXPECTED_CIPHER_PARAMS,
|
---|
193 | "Cipher '%s' expected no parameters, found: %s", szAlgo, pszParams);
|
---|
194 |
|
---|
195 | /*
|
---|
196 | * Do we have a password? If so try decrypt the key.
|
---|
197 | */
|
---|
198 | if (!pszPassword)
|
---|
199 | return VERR_CR_KEY_ENCRYPTED;
|
---|
200 |
|
---|
201 | unsigned char abKey[EVP_MAX_KEY_LENGTH * 2];
|
---|
202 | int cbKey = EVP_BytesToKey(pCipher, EVP_md5(), pbInitVector, (unsigned char const *)pszPassword, (int)strlen(pszPassword),
|
---|
203 | 1, abKey, NULL);
|
---|
204 | if (!cbKey)
|
---|
205 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_PASSWORD_ENCODING, "EVP_BytesToKey failed to encode password");
|
---|
206 |
|
---|
207 | EVP_CIPHER_CTX *pCipherCtx = EVP_CIPHER_CTX_new();
|
---|
208 | if (!pCipherCtx)
|
---|
209 | return VERR_NO_MEMORY;
|
---|
210 |
|
---|
211 | int rc;
|
---|
212 | if (EVP_DecryptInit_ex(pCipherCtx, pCipher, NULL /*pEngine*/, abKey, pbInitVector))
|
---|
213 | {
|
---|
214 | size_t cbDecryptedAlloced = cbEncrypted;
|
---|
215 | int cbDecrypted = (int)cbDecryptedAlloced;
|
---|
216 | uint8_t *pbDecrypted = (uint8_t *)RTMemSaferAllocZ(cbDecryptedAlloced);
|
---|
217 | if (pbDecrypted)
|
---|
218 | {
|
---|
219 | if (EVP_DecryptUpdate(pCipherCtx, pbDecrypted, &cbDecrypted, pbEncrypted, (int)cbEncrypted))
|
---|
220 | {
|
---|
221 | int cbFinal = (int)cbDecryptedAlloced - cbDecrypted;
|
---|
222 | if (EVP_DecryptFinal_ex(pCipherCtx, &pbDecrypted[cbDecrypted], &cbFinal))
|
---|
223 | {
|
---|
224 | cbDecrypted += cbFinal;
|
---|
225 | Assert((size_t)cbDecrypted <= cbDecryptedAlloced);
|
---|
226 |
|
---|
227 | /*
|
---|
228 | * Done! Just set the return values.
|
---|
229 | */
|
---|
230 | *pcbDecrypted = cbDecrypted;
|
---|
231 | *pcbDecryptedAlloced = cbDecryptedAlloced;
|
---|
232 | *ppbDecrypted = pbDecrypted;
|
---|
233 | pbDecrypted = NULL;
|
---|
234 | rc = VINF_CR_KEY_WAS_DECRYPTED;
|
---|
235 | }
|
---|
236 | else
|
---|
237 | rc = RTErrInfoSetF(pErrInfo, VERR_CR_KEY_DECRYPTION_FAILED,
|
---|
238 | "Incorrect password? EVP_DecryptFinal_ex failed for %s", pszDekInfo);
|
---|
239 | }
|
---|
240 | else
|
---|
241 | rc = RTErrInfoSetF(pErrInfo, VERR_CR_KEY_DECRYPTION_FAILED,
|
---|
242 | "Incorrect password? EVP_DecryptUpdate failed for %s", pszDekInfo);
|
---|
243 | if (pbDecrypted)
|
---|
244 | RTMemSaferFree(pbDecrypted, cbDecryptedAlloced);
|
---|
245 | }
|
---|
246 | else
|
---|
247 | rc = VERR_NO_MEMORY;
|
---|
248 | }
|
---|
249 | else
|
---|
250 | rc = RTErrInfoSetF(pErrInfo, VERR_CR_KEY_OSSL_DECRYPT_INIT_ERROR, "EVP_DecryptInit_ex failed for %s", pszDekInfo);
|
---|
251 | EVP_CIPHER_CTX_free(pCipherCtx);
|
---|
252 | return rc;
|
---|
253 | #else
|
---|
254 | RT_NOREF(pbEncrypted, cbEncrypted, pszPassword, pErrInfo, cchParams);
|
---|
255 | return VERR_CR_KEY_DECRYPTION_NOT_SUPPORTED;
|
---|
256 | #endif
|
---|
257 | }
|
---|
258 |
|
---|
259 |
|
---|
260 | RTDECL(int) RTCrKeyCreateFromPemSection(PRTCRKEY phKey, PCRTCRPEMSECTION pSection, uint32_t fFlags, const char *pszPassword,
|
---|
261 | PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
262 | {
|
---|
263 | AssertReturn(!(fFlags & (~RTCRKEYFROM_F_VALID_MASK | RTCRKEYFROM_F_ONLY_PEM)), VERR_INVALID_FLAGS);
|
---|
264 |
|
---|
265 | AssertPtrReturn(phKey, VERR_INVALID_POINTER);
|
---|
266 | *phKey = NIL_RTCRKEY;
|
---|
267 | AssertPtrReturn(pSection, VERR_INVALID_POINTER);
|
---|
268 | NOREF(pszPassword);
|
---|
269 |
|
---|
270 | /*
|
---|
271 | * If the source is PEM section, try identify the format from the markers.
|
---|
272 | */
|
---|
273 | enum
|
---|
274 | {
|
---|
275 | kKeyFormat_Unknown = 0,
|
---|
276 | kKeyFormat_RsaPrivateKey,
|
---|
277 | kKeyFormat_RsaEncryptedPrivateKey,
|
---|
278 | kKeyFormat_RsaPublicKey,
|
---|
279 | kKeyFormat_SubjectPublicKeyInfo,
|
---|
280 | kKeyFormat_PrivateKeyInfo,
|
---|
281 | kKeyFormat_EncryptedPrivateKeyInfo
|
---|
282 | } enmFormat = kKeyFormat_Unknown;
|
---|
283 | const char *pszDekInfo = NULL;
|
---|
284 | PCRTCRPEMMARKER pMarker = pSection->pMarker;
|
---|
285 | if (pMarker)
|
---|
286 | {
|
---|
287 | if ( pMarker->cWords == 3
|
---|
288 | && strcmp(pMarker->paWords[0].pszWord, "RSA") == 0
|
---|
289 | && strcmp(pMarker->paWords[2].pszWord, "KEY") == 0)
|
---|
290 | {
|
---|
291 | if (strcmp(pMarker->paWords[1].pszWord, "PUBLIC") == 0)
|
---|
292 | enmFormat = kKeyFormat_RsaPublicKey;
|
---|
293 | else if (strcmp(pMarker->paWords[1].pszWord, "PRIVATE") == 0)
|
---|
294 | {
|
---|
295 | enmFormat = kKeyFormat_RsaPrivateKey;
|
---|
296 |
|
---|
297 | /* RSA PRIVATE KEY encryption is advertised thru PEM header fields.
|
---|
298 | We need the DEK field to decrypt the message (see RFC-1421 4.6.1.3). */
|
---|
299 | for (PCRTCRPEMFIELD pField = pSection->pFieldHead; pField; pField = pField->pNext)
|
---|
300 | {
|
---|
301 | if ( pField->cchName == sizeof("Proc-Type") - 1
|
---|
302 | && pField->cchValue >= sizeof("4,ENCRYPTED") - 1
|
---|
303 | && memcmp(pField->szName, RT_STR_TUPLE("Proc-Type")) == 0)
|
---|
304 | {
|
---|
305 | const char *pszValue = pField->pszValue;
|
---|
306 | if (*pszValue == '4')
|
---|
307 | {
|
---|
308 | do
|
---|
309 | pszValue++;
|
---|
310 | while (RT_C_IS_SPACE(*pszValue) || RT_C_IS_PUNCT(*pszValue));
|
---|
311 | if (strcmp(pszValue, "ENCRYPTED") == 0)
|
---|
312 | enmFormat = kKeyFormat_RsaEncryptedPrivateKey;
|
---|
313 | }
|
---|
314 | }
|
---|
315 | else if ( pField->cchName == sizeof("DEK-Info") - 1
|
---|
316 | && pField->cchValue > 0
|
---|
317 | && !pszDekInfo)
|
---|
318 | pszDekInfo = pField->pszValue;
|
---|
319 | }
|
---|
320 | }
|
---|
321 | else
|
---|
322 | AssertFailed();
|
---|
323 | }
|
---|
324 | else if ( pMarker->cWords == 2
|
---|
325 | && strcmp(pMarker->paWords[1].pszWord, "KEY") == 0)
|
---|
326 | {
|
---|
327 | if (strcmp(pMarker->paWords[0].pszWord, "PUBLIC") == 0)
|
---|
328 | enmFormat = kKeyFormat_SubjectPublicKeyInfo;
|
---|
329 | else if (strcmp(pMarker->paWords[0].pszWord, "PRIVATE") == 0)
|
---|
330 | enmFormat = kKeyFormat_PrivateKeyInfo;
|
---|
331 | else
|
---|
332 | AssertFailed();
|
---|
333 | }
|
---|
334 | else if ( pMarker->cWords == 3
|
---|
335 | && strcmp(pMarker->paWords[0].pszWord, "ENCRYPTED") == 0
|
---|
336 | && strcmp(pMarker->paWords[1].pszWord, "PRIVATE") == 0
|
---|
337 | && strcmp(pMarker->paWords[2].pszWord, "KEY") == 0)
|
---|
338 | enmFormat = kKeyFormat_EncryptedPrivateKeyInfo;
|
---|
339 | else
|
---|
340 | AssertFailed();
|
---|
341 | }
|
---|
342 |
|
---|
343 | /*
|
---|
344 | * Try guess the format from the binary data if needed.
|
---|
345 | */
|
---|
346 | RTASN1CURSORPRIMARY PrimaryCursor;
|
---|
347 | if ( enmFormat == kKeyFormat_Unknown
|
---|
348 | && pSection->cbData > 10)
|
---|
349 | {
|
---|
350 | RTAsn1CursorInitPrimary(&PrimaryCursor, pSection->pbData, (uint32_t)pSection->cbData,
|
---|
351 | pErrInfo, &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, "probing/0");
|
---|
352 |
|
---|
353 | /*
|
---|
354 | * First the must be a sequence.
|
---|
355 | */
|
---|
356 | RTASN1CORE Tag;
|
---|
357 | int rc = RTAsn1CursorReadHdr(&PrimaryCursor.Cursor, &Tag, "#1");
|
---|
358 | if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_SEQUENCE)
|
---|
359 | {
|
---|
360 | RTASN1CURSOR Cursor2;
|
---|
361 | RTAsn1CursorInitSubFromCore(&PrimaryCursor.Cursor, &Tag, &Cursor2, "probing/1");
|
---|
362 | rc = RTAsn1CursorReadHdr(&Cursor2, &Tag, "#2");
|
---|
363 |
|
---|
364 | /*
|
---|
365 | * SEQUENCE SubjectPublicKeyInfo.Algorithm?
|
---|
366 | */
|
---|
367 | if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_SEQUENCE)
|
---|
368 | {
|
---|
369 | RTASN1CURSOR Cursor3;
|
---|
370 | RTAsn1CursorInitSubFromCore(&Cursor2, &Tag, &Cursor3, "probing/2");
|
---|
371 | rc = RTAsn1CursorReadHdr(&Cursor3, &Tag, "#3");
|
---|
372 |
|
---|
373 | /* SEQUENCE SubjectPublicKeyInfo.Algorithm.Algorithm? */
|
---|
374 | if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_OID)
|
---|
375 | enmFormat = kKeyFormat_SubjectPublicKeyInfo;
|
---|
376 | }
|
---|
377 | /*
|
---|
378 | * INTEGER PrivateKeyInfo.Version?
|
---|
379 | * INTEGER RsaPublicKey.Modulus?
|
---|
380 | * INTEGER RsaPrivateKey.Version?
|
---|
381 | */
|
---|
382 | else if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_INTEGER)
|
---|
383 | {
|
---|
384 | rc = RTAsn1CursorReadHdr(RTAsn1CursorSkip(&Cursor2, Tag.cb), &Tag, "#4");
|
---|
385 |
|
---|
386 | /* OBJECT PrivateKeyInfo.privateKeyAlgorithm? */
|
---|
387 | if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_OID)
|
---|
388 | enmFormat = kKeyFormat_PrivateKeyInfo;
|
---|
389 | /* INTEGER RsaPublicKey.PublicExponent?
|
---|
390 | INTEGER RsaPrivateKey.Modulus? */
|
---|
391 | else if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_INTEGER)
|
---|
392 | {
|
---|
393 | /* RsaPublicKey.PublicExponent is at the end. */
|
---|
394 | if (RTAsn1CursorIsEnd(&Cursor2))
|
---|
395 | enmFormat = kKeyFormat_RsaPublicKey;
|
---|
396 | else
|
---|
397 | {
|
---|
398 | /* Check for INTEGER RsaPrivateKey.PublicExponent nad PrivateExponent before concluding. */
|
---|
399 | rc = RTAsn1CursorReadHdr(RTAsn1CursorSkip(&Cursor2, Tag.cb), &Tag, "#5");
|
---|
400 | if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_INTEGER)
|
---|
401 | {
|
---|
402 | rc = RTAsn1CursorReadHdr(RTAsn1CursorSkip(&Cursor2, Tag.cb), &Tag, "#6");
|
---|
403 | if (RT_SUCCESS(rc) && Tag.uTag == ASN1_TAG_INTEGER)
|
---|
404 | enmFormat = kKeyFormat_RsaPrivateKey;
|
---|
405 | }
|
---|
406 | }
|
---|
407 | }
|
---|
408 | }
|
---|
409 | }
|
---|
410 | }
|
---|
411 |
|
---|
412 | if (enmFormat == kKeyFormat_Unknown)
|
---|
413 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_UNKNOWN_TYPE,
|
---|
414 | "Unable to identify the key format (%.*Rhxs)", RT_MIN(16, pSection->cbData), pSection->pbData);
|
---|
415 |
|
---|
416 | /*
|
---|
417 | * Do the reading.
|
---|
418 | */
|
---|
419 | int rc;
|
---|
420 | switch (enmFormat)
|
---|
421 | {
|
---|
422 | case kKeyFormat_RsaPublicKey:
|
---|
423 | rc = rtCrKeyCreateRsaPublic(phKey, pSection->pbData, (uint32_t)pSection->cbData, pErrInfo, pszErrorTag);
|
---|
424 | break;
|
---|
425 |
|
---|
426 | case kKeyFormat_RsaPrivateKey:
|
---|
427 | rc = rtCrKeyCreateRsaPrivate(phKey, pSection->pbData, (uint32_t)pSection->cbData, pErrInfo, pszErrorTag);
|
---|
428 | break;
|
---|
429 |
|
---|
430 | case kKeyFormat_RsaEncryptedPrivateKey:
|
---|
431 | {
|
---|
432 | uint8_t *pbDecrypted = NULL;
|
---|
433 | size_t cbDecrypted = 0;
|
---|
434 | size_t cbDecryptedAlloced = 0;
|
---|
435 | rc = rtCrKeyDecryptPemMessage(pszDekInfo, pszPassword, pSection->pbData, pSection->cbData,
|
---|
436 | &pbDecrypted, &cbDecrypted, &cbDecryptedAlloced, pErrInfo);
|
---|
437 | if (RT_SUCCESS(rc))
|
---|
438 | {
|
---|
439 | int rc2 = rtCrKeyCreateRsaPrivate(phKey, pbDecrypted, (uint32_t)cbDecrypted, pErrInfo, pszErrorTag);
|
---|
440 | if (rc2 != VINF_SUCCESS)
|
---|
441 | rc = rc2;
|
---|
442 | RTMemSaferFree(pbDecrypted, cbDecryptedAlloced);
|
---|
443 | }
|
---|
444 | break;
|
---|
445 | }
|
---|
446 |
|
---|
447 | case kKeyFormat_SubjectPublicKeyInfo:
|
---|
448 | {
|
---|
449 | RTAsn1CursorInitPrimary(&PrimaryCursor, pSection->pbData, (uint32_t)pSection->cbData,
|
---|
450 | pErrInfo, &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, pszErrorTag);
|
---|
451 | RTCRX509SUBJECTPUBLICKEYINFO SubjectPubKeyInfo;
|
---|
452 | RT_ZERO(SubjectPubKeyInfo);
|
---|
453 | rc = RTCrX509SubjectPublicKeyInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &SubjectPubKeyInfo, "SubjectPubKeyInfo");
|
---|
454 | if (RT_SUCCESS(rc))
|
---|
455 | {
|
---|
456 | rc = RTCrKeyCreateFromSubjectPublicKeyInfo(phKey, &SubjectPubKeyInfo, pErrInfo, pszErrorTag);
|
---|
457 | RTCrX509SubjectPublicKeyInfo_Delete(&SubjectPubKeyInfo);
|
---|
458 | }
|
---|
459 | break;
|
---|
460 | }
|
---|
461 |
|
---|
462 | case kKeyFormat_PrivateKeyInfo:
|
---|
463 | rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_FORMAT_NOT_SUPPORTED,
|
---|
464 | "Support for PKCS#8 PrivateKeyInfo is not yet implemented");
|
---|
465 | break;
|
---|
466 |
|
---|
467 | case kKeyFormat_EncryptedPrivateKeyInfo:
|
---|
468 | rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_FORMAT_NOT_SUPPORTED,
|
---|
469 | "Support for encrypted PKCS#8 PrivateKeyInfo is not yet implemented");
|
---|
470 | break;
|
---|
471 |
|
---|
472 | default:
|
---|
473 | AssertFailedStmt(rc = VERR_INTERNAL_ERROR_4);
|
---|
474 | }
|
---|
475 | return rc;
|
---|
476 | }
|
---|
477 |
|
---|
478 |
|
---|
479 | RTDECL(int) RTCrKeyCreateFromBuffer(PRTCRKEY phKey, uint32_t fFlags, void const *pvSrc, size_t cbSrc, const char *pszPassword,
|
---|
480 | PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
481 | {
|
---|
482 | AssertReturn(!(fFlags & ~RTCRKEYFROM_F_VALID_MASK), VERR_INVALID_FLAGS);
|
---|
483 | PCRTCRPEMSECTION pSectionHead;
|
---|
484 | int rc = RTCrPemParseContent(pvSrc, cbSrc, fFlags, g_aRTCrKeyAllMarkers, g_cRTCrKeyAllMarkers, &pSectionHead, pErrInfo);
|
---|
485 | if (RT_SUCCESS(rc))
|
---|
486 | {
|
---|
487 | if (pSectionHead)
|
---|
488 | {
|
---|
489 | rc = RTCrKeyCreateFromPemSection(phKey, pSectionHead, fFlags & ~RTCRKEYFROM_F_ONLY_PEM, pszPassword,
|
---|
490 | pErrInfo, pszErrorTag);
|
---|
491 | RTCrPemFreeSections(pSectionHead);
|
---|
492 | }
|
---|
493 | else
|
---|
494 | rc = rc != VINF_SUCCESS ? -rc : VERR_INTERNAL_ERROR_2;
|
---|
495 | }
|
---|
496 | return rc;
|
---|
497 | }
|
---|
498 |
|
---|
499 |
|
---|
500 | RTDECL(int) RTCrKeyCreateFromFile(PRTCRKEY phKey, uint32_t fFlags, const char *pszFilename,
|
---|
501 | const char *pszPassword, PRTERRINFO pErrInfo)
|
---|
502 | {
|
---|
503 | AssertReturn(!(fFlags & ~RTCRKEYFROM_F_VALID_MASK), VERR_INVALID_FLAGS);
|
---|
504 | PCRTCRPEMSECTION pSectionHead;
|
---|
505 | int rc = RTCrPemReadFile(pszFilename, fFlags, g_aRTCrKeyAllMarkers, g_cRTCrKeyAllMarkers, &pSectionHead, pErrInfo);
|
---|
506 | if (RT_SUCCESS(rc))
|
---|
507 | {
|
---|
508 | if (pSectionHead)
|
---|
509 | {
|
---|
510 | rc = RTCrKeyCreateFromPemSection(phKey, pSectionHead, fFlags & ~RTCRKEYFROM_F_ONLY_PEM, pszPassword,
|
---|
511 | pErrInfo, RTPathFilename(pszFilename));
|
---|
512 | RTCrPemFreeSections(pSectionHead);
|
---|
513 | }
|
---|
514 | else
|
---|
515 | rc = rc != VINF_SUCCESS ? -rc : VERR_INTERNAL_ERROR_2;
|
---|
516 | }
|
---|
517 | return rc;
|
---|
518 | }
|
---|
519 |
|
---|