decoder_pkey.c@ 98024

Last change on this file since 98024 was 95219, checked in by vboxsync, 3 years ago
libs/openssl: Switched to v3.0.3, bugref:10128
File size: 15.7 KB

Line
1	/*
2	* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <openssl/core_names.h>
11	#include <openssl/core_object.h>
12	#include <openssl/provider.h>
13	#include <openssl/evp.h>
14	#include <openssl/ui.h>
15	#include <openssl/decoder.h>
16	#include <openssl/safestack.h>
17	#include <openssl/trace.h>
18	#include "crypto/evp.h"
19	#include "crypto/decoder.h"
20	#include "encoder_local.h"
21
22	int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
23	const unsigned char *kstr,
24	size_t klen)
25	{
26	return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
27	}
28
29	int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
30	const UI_METHOD *ui_method,
31	void *ui_data)
32	{
33	return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
34	}
35
36	int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
37	pem_password_cb cb, void cbarg)
38	{
39	return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
40	}
41
42	int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
43	OSSL_PASSPHRASE_CALLBACK *cb,
44	void *cbarg)
45	{
46	return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
47	}
48
49	/*
50	* Support for OSSL_DECODER_CTX_new_for_pkey:
51	* The construct data, and collecting keymgmt information for it
52	*/
53
54	DEFINE_STACK_OF(EVP_KEYMGMT)
55
56	struct decoder_pkey_data_st {
57	OSSL_LIB_CTX *libctx;
58	char *propq;
59	int selection;
60
61	STACK_OF(EVP_KEYMGMT) *keymgmts;
62	char object_type; / recorded object data type, may be NULL */
63	void *object; / Where the result should end up */
64	};
65
66	static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst,
67	const OSSL_PARAM *params,
68	void *construct_data)
69	{
70	struct decoder_pkey_data_st *data = construct_data;
71	OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst);
72	void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst);
73	const OSSL_PROVIDER *decoder_prov = OSSL_DECODER_get0_provider(decoder);
74	EVP_KEYMGMT *keymgmt = NULL;
75	const OSSL_PROVIDER *keymgmt_prov = NULL;
76	int i, end;
77	/*
78	* \|object_ref\| points to a provider reference to an object, its exact
79	* contents entirely opaque to us, but may be passed to any provider
80	* function that expects this (such as OSSL_FUNC_keymgmt_load().
81	*
82	* This pointer is considered volatile, i.e. whatever it points at
83	* is assumed to be freed as soon as this function returns.
84	*/
85	void *object_ref = NULL;
86	size_t object_ref_sz = 0;
87	const OSSL_PARAM *p;
88
89	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
90	if (p != NULL) {
91	char *object_type = NULL;
92
93	if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
94	return 0;
95	OPENSSL_free(data->object_type);
96	data->object_type = object_type;
97	}
98
99	/*
100	* For stuff that should end up in an EVP_PKEY, we only accept an object
101	* reference for the moment. This enforces that the key data itself
102	* remains with the provider.
103	*/
104	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
105	if (p == NULL \|\| p->data_type != OSSL_PARAM_OCTET_STRING)
106	return 0;
107	object_ref = p->data;
108	object_ref_sz = p->data_size;
109
110	/*
111	* First, we try to find a keymgmt that comes from the same provider as
112	* the decoder that passed the params.
113	*/
114	end = sk_EVP_KEYMGMT_num(data->keymgmts);
115	for (i = 0; i < end; i++) {
116	keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
117	keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt);
118
119	if (keymgmt_prov == decoder_prov
120	&& evp_keymgmt_has_load(keymgmt)
121	&& EVP_KEYMGMT_is_a(keymgmt, data->object_type))
122	break;
123	}
124	if (i < end) {
125	/* To allow it to be freed further down */
126	if (!EVP_KEYMGMT_up_ref(keymgmt))
127	return 0;
128	} else if ((keymgmt = EVP_KEYMGMT_fetch(data->libctx,
129	data->object_type,
130	data->propq)) != NULL) {
131	keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt);
132	}
133
134	if (keymgmt != NULL) {
135	EVP_PKEY *pkey = NULL;
136	void *keydata = NULL;
137
138	/*
139	* If the EVP_KEYMGMT and the OSSL_DECODER are from the
140	* same provider, we assume that the KEYMGMT has a key loading
141	* function that can handle the provider reference we hold.
142	*
143	* Otherwise, we export from the decoder and import the
144	* result in the keymgmt.
145	*/
146	if (keymgmt_prov == decoder_prov) {
147	keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
148	} else {
149	struct evp_keymgmt_util_try_import_data_st import_data;
150
151	import_data.keymgmt = keymgmt;
152	import_data.keydata = NULL;
153	import_data.selection = data->selection;
154
155	/*
156	* No need to check for errors here, the value of
157	* \|import_data.keydata\| is as much an indicator.
158	*/
159	(void)decoder->export_object(decoderctx,
160	object_ref, object_ref_sz,
161	&evp_keymgmt_util_try_import,
162	&import_data);
163	keydata = import_data.keydata;
164	import_data.keydata = NULL;
165	}
166
167	if (keydata != NULL
168	&& (pkey = evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
169	evp_keymgmt_freedata(keymgmt, keydata);
170
171	*data->object = pkey;
172
173	/*
174	* evp_keymgmt_util_make_pkey() increments the reference count when
175	* assigning the EVP_PKEY, so we can free the keymgmt here.
176	*/
177	EVP_KEYMGMT_free(keymgmt);
178	}
179	/*
180	* We successfully looked through, \|*ctx->object\| determines if we
181	* actually found something.
182	*/
183	return (*data->object != NULL);
184	}
185
186	static void decoder_clean_pkey_construct_arg(void *construct_data)
187	{
188	struct decoder_pkey_data_st *data = construct_data;
189
190	if (data != NULL) {
191	sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
192	OPENSSL_free(data->propq);
193	OPENSSL_free(data->object_type);
194	OPENSSL_free(data);
195	}
196	}
197
198	static void collect_name(const char name, void arg)
199	{
200	STACK_OF(OPENSSL_CSTRING) *names = arg;
201
202	sk_OPENSSL_CSTRING_push(names, name);
203	}
204
205	static void collect_keymgmt(EVP_KEYMGMT keymgmt, void arg)
206	{
207	STACK_OF(EVP_KEYMGMT) *keymgmts = arg;
208
209	if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
210	return;
211	if (sk_EVP_KEYMGMT_push(keymgmts, keymgmt) <= 0) {
212	EVP_KEYMGMT_free(keymgmt); /* ref-- */
213	return;
214	}
215	}
216
217	struct collect_decoder_data_st {
218	STACK_OF(OPENSSL_CSTRING) *names;
219	OSSL_DECODER_CTX *ctx;
220
221	int total;
222	unsigned int error_occurred:1;
223	};
224
225	static void collect_decoder(OSSL_DECODER decoder, void arg)
226	{
227	struct collect_decoder_data_st *data = arg;
228	size_t i, end_i;
229	const OSSL_PROVIDER *prov = OSSL_DECODER_get0_provider(decoder);
230	void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
231
232	if (data->error_occurred)
233	return;
234
235	if (data->names == NULL) {
236	data->error_occurred = 1;
237	return;
238	}
239
240	/*
241	* Either the caller didn't give a selection, or if they did,
242	* the decoder must tell us if it supports that selection to
243	* be accepted. If the decoder doesn't have \|does_selection\|,
244	* it's seen as taking anything.
245	*/
246	if (decoder->does_selection != NULL
247	&& !decoder->does_selection(provctx, data->ctx->selection))
248	return;
249
250	OSSL_TRACE_BEGIN(DECODER) {
251	BIO_printf(trc_out,
252	"(ctx %p) Checking out decoder %p:\n"
253	" %s with %s\n",
254	(void )data->ctx, (void )decoder,
255	OSSL_DECODER_get0_name(decoder),
256	OSSL_DECODER_get0_properties(decoder));
257	} OSSL_TRACE_END(DECODER);
258
259	end_i = sk_OPENSSL_CSTRING_num(data->names);
260	for (i = 0; i < end_i; i++) {
261	const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
262
263	if (OSSL_DECODER_is_a(decoder, name)) {
264	void *decoderctx = NULL;
265	OSSL_DECODER_INSTANCE *di = NULL;
266
267	if ((decoderctx = decoder->newctx(provctx)) == NULL) {
268	data->error_occurred = 1;
269	return;
270	}
271	if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {
272	decoder->freectx(decoderctx);
273	data->error_occurred = 1;
274	return;
275	}
276
277	OSSL_TRACE_BEGIN(DECODER) {
278	BIO_printf(trc_out,
279	"(ctx %p) Checking out decoder %p:\n"
280	" %s with %s\n",
281	(void )data->ctx, (void )decoder,
282	OSSL_DECODER_get0_name(decoder),
283	OSSL_DECODER_get0_properties(decoder));
284	} OSSL_TRACE_END(DECODER);
285
286	if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {
287	ossl_decoder_instance_free(di);
288	data->error_occurred = 1;
289	return;
290	}
291	data->total++;
292
293	/* Success */
294	return;
295	}
296	}
297
298	/* Decoder not suitable - but not a fatal error */
299	data->error_occurred = 0;
300	}
301
302	int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
303	EVP_PKEY *pkey, const char keytype,
304	OSSL_LIB_CTX *libctx,
305	const char *propquery)
306	{
307	struct decoder_pkey_data_st *process_data = NULL;
308	STACK_OF(OPENSSL_CSTRING) *names = NULL;
309	const char *input_type = ctx->start_input_type;
310	const char *input_structure = ctx->input_structure;
311	int ok = 0;
312	int isecoid = 0;
313	int i, end;
314
315	if (keytype != NULL
316	&& (strcmp(keytype, "id-ecPublicKey") == 0
317	\|\| strcmp(keytype, "1.2.840.10045.2.1") == 0))
318	isecoid = 1;
319
320	OSSL_TRACE_BEGIN(DECODER) {
321	BIO_printf(trc_out,
322	"(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n",
323	(void *)ctx,
324	keytype != NULL ? keytype : "",
325	keytype != NULL ? " keys" : "keys of any type",
326	input_type != NULL ? " from " : "",
327	input_type != NULL ? input_type : "",
328	input_structure != NULL ? " with " : "",
329	input_structure != NULL ? input_structure : "");
330	} OSSL_TRACE_END(DECODER);
331
332	if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL
333	\|\| (propquery != NULL
334	&& (process_data->propq = OPENSSL_strdup(propquery)) == NULL)
335	\|\| (process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL
336	\|\| (names = sk_OPENSSL_CSTRING_new_null()) == NULL) {
337	ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
338	goto err;
339	}
340
341	process_data->object = (void **)pkey;
342	process_data->libctx = libctx;
343	process_data->selection = ctx->selection;
344
345	/* First, find all keymgmts to form goals */
346	EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt,
347	process_data->keymgmts);
348
349	/* Then, we collect all the keymgmt names */
350	end = sk_EVP_KEYMGMT_num(process_data->keymgmts);
351	for (i = 0; i < end; i++) {
352	EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(process_data->keymgmts, i);
353
354	/*
355	* If the key type is given by the caller, we only use the matching
356	* KEYMGMTs, otherwise we use them all.
357	* We have to special case SM2 here because of its abuse of the EC OID.
358	* The EC OID can be used to identify an EC key or an SM2 key - so if
359	* we have seen that OID we try both key types
360	*/
361	if (keytype == NULL
362	\|\| EVP_KEYMGMT_is_a(keymgmt, keytype)
363	\|\| (isecoid && EVP_KEYMGMT_is_a(keymgmt, "SM2"))) {
364	if (!EVP_KEYMGMT_names_do_all(keymgmt, collect_name, names)) {
365	ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR);
366	goto err;
367	}
368	}
369	}
370
371	OSSL_TRACE_BEGIN(DECODER) {
372	end = sk_OPENSSL_CSTRING_num(names);
373	BIO_printf(trc_out,
374	" Found %d keytypes (possibly with duplicates)",
375	end);
376	for (i = 0; i < end; i++)
377	BIO_printf(trc_out, "%s%s",
378	i == 0 ? ": " : ", ",
379	sk_OPENSSL_CSTRING_value(names, i));
380	BIO_printf(trc_out, "\n");
381	} OSSL_TRACE_END(DECODER);
382
383	/*
384	* Finally, find all decoders that have any keymgmt of the collected
385	* keymgmt names
386	*/
387	{
388	struct collect_decoder_data_st collect_decoder_data = { NULL, };
389
390	collect_decoder_data.names = names;
391	collect_decoder_data.ctx = ctx;
392	OSSL_DECODER_do_all_provided(libctx,
393	collect_decoder, &collect_decoder_data);
394	sk_OPENSSL_CSTRING_free(names);
395	names = NULL;
396
397	if (collect_decoder_data.error_occurred)
398	goto err;
399
400	OSSL_TRACE_BEGIN(DECODER) {
401	BIO_printf(trc_out,
402	"(ctx %p) Got %d decoders producing keys\n",
403	(void *)ctx, collect_decoder_data.total);
404	} OSSL_TRACE_END(DECODER);
405	}
406
407	if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) {
408	if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey)
409	\|\| !OSSL_DECODER_CTX_set_construct_data(ctx, process_data)
410	\|\| !OSSL_DECODER_CTX_set_cleanup(ctx,
411	decoder_clean_pkey_construct_arg))
412	goto err;
413
414	process_data = NULL; /* Avoid it being freed */
415	}
416
417	ok = 1;
418	err:
419	decoder_clean_pkey_construct_arg(process_data);
420	sk_OPENSSL_CSTRING_free(names);
421
422	return ok;
423	}
424
425	OSSL_DECODER_CTX *
426	OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey,
427	const char *input_type,
428	const char *input_structure,
429	const char *keytype, int selection,
430	OSSL_LIB_CTX libctx, const char propquery)
431	{
432	OSSL_DECODER_CTX *ctx = NULL;
433
434	if ((ctx = OSSL_DECODER_CTX_new()) == NULL) {
435	ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
436	return NULL;
437	}
438
439	OSSL_TRACE_BEGIN(DECODER) {
440	BIO_printf(trc_out,
441	"(ctx %p) Looking for %s decoders with selection %d\n",
442	(void *)ctx, keytype, selection);
443	BIO_printf(trc_out, " input type: %s, input structure: %s\n",
444	input_type, input_structure);
445	} OSSL_TRACE_END(DECODER);
446
447	if (OSSL_DECODER_CTX_set_input_type(ctx, input_type)
448	&& OSSL_DECODER_CTX_set_input_structure(ctx, input_structure)
449	&& OSSL_DECODER_CTX_set_selection(ctx, selection)
450	&& ossl_decoder_ctx_setup_for_pkey(ctx, pkey, keytype,
451	libctx, propquery)
452	&& OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) {
453	OSSL_TRACE_BEGIN(DECODER) {
454	BIO_printf(trc_out, "(ctx %p) Got %d decoders\n",
455	(void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx));
456	} OSSL_TRACE_END(DECODER);
457	return ctx;
458	}
459
460	OSSL_DECODER_CTX_free(ctx);
461	return NULL;
462	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.0.7/crypto/encode_decode/decoder_pkey.c@ 98024

Download in other formats: