Changeset 100528 in vbox for trunk/src/VBox/Runtime

Timestamp:

Jul 11, 2023 10:52:34 PM (17 months ago)

Author:

vboxsync

Message:

IPRT/PKCS8: Added the ability to load PKCS\#8 EncryptedPrivateKey format. bugref:10299

Location:

trunk/src/VBox/Runtime

Files:

• common/crypto/key-file.cpp (modified) (6 diffs)
• common/crypto/pkcs8-template.h (modified) (2 diffs)
• testcase/tstRTCrPkix-1.cpp (modified) (3 diffs)

trunk/src/VBox/Runtime/common/crypto/key-file.cpp

@@ -39 +39 @@
 *   Header Files                                                                                                                 *
 *********************************************************************************************************************************/
+#define LOG_GROUP RTLOGGROUP_CRYPTO
 #include "internal/iprt.h"
 #include <iprt/crypto/key.h>
@@ -47 +48 @@
 #include <iprt/ctype.h>
 #include <iprt/err.h>
+#include <iprt/log.h>
 #include <iprt/mem.h>
 #include <iprt/memsafer.h>
@@ -62 +64 @@
 # include "internal/iprt-openssl.h"
 # include "internal/openssl-pre.h"
+# include <openssl/err.h>
 # include <openssl/evp.h>
+# include <openssl/pkcs12.h>
 # include "internal/openssl-post.h"
 # ifndef OPENSSL_VERSION_NUMBER
@@ -114 +118 @@
 RT_DECL_DATA_CONST(RTCRPEMMARKER const) g_aRTCrKeyAllMarkers[] =
 {
-    { g_aWords_RsaPublicKey,  RT_ELEMENTS(g_aWords_RsaPublicKey) },
-    { g_aWords_PublicKey,     RT_ELEMENTS(g_aWords_PublicKey) },
-    { g_aWords_RsaPrivateKey, RT_ELEMENTS(g_aWords_RsaPrivateKey) },
-    { g_aWords_PrivateKey,    RT_ELEMENTS(g_aWords_PrivateKey) },
+    { g_aWords_RsaPublicKey,        RT_ELEMENTS(g_aWords_RsaPublicKey) },
+    { g_aWords_PublicKey,           RT_ELEMENTS(g_aWords_PublicKey) },
+    { g_aWords_RsaPrivateKey,       RT_ELEMENTS(g_aWords_RsaPrivateKey) },
+    { g_aWords_EncryptedPrivateKey, RT_ELEMENTS(g_aWords_EncryptedPrivateKey) },
+    { g_aWords_PrivateKey,          RT_ELEMENTS(g_aWords_PrivateKey) },
 };
 /** Number of entries in g_aRTCrKeyAllMarkers. */
 RT_DECL_DATA_CONST(uint32_t const) g_cRTCrKeyAllMarkers = RT_ELEMENTS(g_aRTCrKeyAllMarkers);
+
+
+/**
+ * Creates a key from a raw PKCS\#8 PrivateKeyInfo structure.
+ *
+ * This is common code to both kKeyFormat_PrivateKeyInfo and
+ * kKeyFormat_EncryptedPrivateKeyInfo.
+ *
+ * @returns IPRT status code.
+ * @param   phKey           Where to return the key handle on success.
+ * @param   pPrimaryCursor  Cursor structure to use.
+ * @param   pbRaw           The raw PrivateKeyInfo bytes.
+ * @param   cbRaw           Size of the raw PrivateKeyInfo structure.
+ * @param   pErrInfo        Where to return additional error information.
+ * @param   pszErrorTag     What to tag the decoding with.
+ */
+static int rtCrKeyCreateFromPrivateKeyInfo(PRTCRKEY phKey, PRTASN1CURSORPRIMARY pPrimaryCursor,
+                                           uint8_t const *pbRaw, size_t cbRaw, PRTERRINFO pErrInfo, const char *pszErrorTag)
+
+{
+    RTCRPKCS8PRIVATEKEYINFO PrivateKeyInfo;
+    RT_ZERO(PrivateKeyInfo);
+    RTAsn1CursorInitPrimary(pPrimaryCursor, pbRaw, (uint32_t)cbRaw, pErrInfo, &g_RTAsn1DefaultAllocator,
+                            RTASN1CURSOR_FLAGS_DER, pszErrorTag);
+    int rc = RTCrPkcs8PrivateKeyInfo_DecodeAsn1(&pPrimaryCursor->Cursor, 0, &PrivateKeyInfo,
+                                                pszErrorTag ? pszErrorTag : "PrivateKeyInfo");
+    if (RT_SUCCESS(rc))
+    {
+        /*
+         * Load the private key according to it's algorithm.
+         * We currently only support RSA (pkcs1-RsaEncryption).
+         */
+        if (RTAsn1ObjId_CompareWithString(&PrivateKeyInfo.PrivateKeyAlgorithm.Algorithm, RTCRX509ALGORITHMIDENTIFIERID_RSA) == 0)
+            rc = rtCrKeyCreateRsaPrivate(phKey, PrivateKeyInfo.PrivateKey.Asn1Core.uData.pv,
+                                         PrivateKeyInfo.PrivateKey.Asn1Core.cb, pErrInfo, pszErrorTag);
+        else
+            rc = RTERRINFO_LOG_SET(pErrInfo, VERR_CR_KEY_FORMAT_NOT_SUPPORTED,
+                                   "Support for PKCS#8 PrivateKeyInfo for non-RSA keys is not yet implemented");
+        RTCrPkcs8PrivateKeyInfo_Delete(&PrivateKeyInfo);
+    }
+    return rc;
+}
+
+
+/**
+ * Decrypts a PEM message.
+ *
+ * @returns IPRT status code
+ * @param   pEncryptedKey       The encrypted private key information.
+ * @param   pszPassword         The password to use to decrypt the key text.
+ * @param   ppbDecrypted        Where to return the decrypted message. Free using RTMemSaferFree.
+ * @param   pcbDecrypted        Where to return the length of the decrypted message.
+ * @param   pcbDecryptedAlloced Where to return the allocation size.
+ * @param   pErrInfo            Where to return additional error information.
+ */
+static int rtCrKeyDecryptPkcs8Info(PRTCRPKCS8ENCRYPTEDPRIVATEKEYINFO pEncryptedKey, const char *pszPassword,
+                                   uint8_t **ppbDecrypted, size_t *pcbDecrypted, size_t *pcbDecryptedAlloced, PRTERRINFO pErrInfo)
+{
+    /*
+     * Initialize return values.
+     */
+    *ppbDecrypted        = NULL;
+    *pcbDecrypted        = 0;
+    *pcbDecryptedAlloced = 0;
+
+    /*
+     * This operation requires a password.
+     */
+    if (!pszPassword)
+        return VERR_CR_KEY_ENCRYPTED;
+
+#ifdef IPRT_WITH_OPENSSL /** @todo abstract encryption & decryption. */
+
+    /*
+     * Query the EncryptionAlgorithm bytes so we can construction a X509_ALGOR
+     * for use in PKCS12_pbe_crypt.
+     */
+    void          *pvAlgoFree = NULL;
+    const uint8_t *pbAlgoRaw  = NULL;
+    uint32_t       cbAlgoRaw  = 0;
+    int rc = RTAsn1EncodeQueryRawBits(&pEncryptedKey->EncryptionAlgorithm.SeqCore.Asn1Core,
+                                      &pbAlgoRaw, &cbAlgoRaw, &pvAlgoFree, pErrInfo);
+    AssertRCReturn(rc, rc);
+
+    const unsigned char *puchAlgo     = pbAlgoRaw;
+    X509_ALGOR          *pOsslAlgoRet = NULL;
+    pOsslAlgoRet = d2i_X509_ALGOR(&pOsslAlgoRet, &puchAlgo, cbAlgoRaw);
+
+    RTMemTmpFree(pvAlgoFree);
+    if (pOsslAlgoRet)
+    {
+        /*
+         * Do the decryption (en_de = 0).
+         */
+        int            cbDecrypted   = 0;
+        unsigned char *puchDecrypted = NULL;
+        puchDecrypted = PKCS12_pbe_crypt(pOsslAlgoRet, pszPassword, (int)strlen(pszPassword),
+                                         pEncryptedKey->EncryptedData.Asn1Core.uData.puch,
+                                         (int)pEncryptedKey->EncryptedData.Asn1Core.cb,
+                                         &puchDecrypted, &cbDecrypted, 0 /*en_de*/);
+        if (puchDecrypted)
+        {
+            /*
+             * Transfer to a safer buffer and carefully wipe the OpenSSL buffer.
+             */
+            uint8_t *pbFinal = (uint8_t *)RTMemSaferAllocZ(cbDecrypted);
+            if (pbFinal)
+            {
+                memcpy(pbFinal, puchDecrypted, cbDecrypted);
+                *ppbDecrypted        = pbFinal;
+                *pcbDecrypted        = cbDecrypted;
+                *pcbDecryptedAlloced = cbDecrypted;
+                rc = VINF_SUCCESS;
+            }
+            else
+                rc = VERR_NO_MEMORY;
+            RTMemWipeThoroughly(puchDecrypted, cbDecrypted, 3);
+            OPENSSL_free(puchDecrypted);
+        }
+        else
+            rc = RTERRINFO_LOG_SET_F(pErrInfo, VERR_CR_KEY_DECRYPTION_FAILED,
+                                     "Incorrect password? d2i_X509_ALGOR failed (%u)", ERR_get_error());
+        X509_ALGOR_free(pOsslAlgoRet);
+    }
+    else
+        rc = RTERRINFO_LOG_SET_F(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PRIVATE_KEY_FAILED /* close enough */,
+                                 "d2i_X509_ALGOR failed (%u)", ERR_get_error());
+    return rc;
+
+#else
+    RT_NOREF(pEncryptedKey, pszPassword, pErrInfo);
+    return VERR_CR_KEY_DECRYPTION_NOT_SUPPORTED;
+#endif
+}
 
 
@@ -173 +312 @@
 
     /*
-     * Do we support the cihper?
+     * Do we support the cipher?
      */
 #ifdef IPRT_WITH_OPENSSL /** @todo abstract encryption & decryption. */
@@ -471 +610 @@
 
         case kKeyFormat_PrivateKeyInfo:
+            rc = rtCrKeyCreateFromPrivateKeyInfo(phKey, &PrimaryCursor, pSection->pbData, pSection->cbData, pErrInfo, pszErrorTag);
+            break;
+
+        case kKeyFormat_EncryptedPrivateKeyInfo:
         {
             RTAsn1CursorInitPrimary(&PrimaryCursor, pSection->pbData, (uint32_t)pSection->cbData,
                                     pErrInfo, &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, pszErrorTag);
-            RTCRPKCS8PRIVATEKEYINFO PrivateKeyInfo;
-            RT_ZERO(PrivateKeyInfo);
-            rc = RTCrPkcs8PrivateKeyInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &PrivateKeyInfo,
-                                                    pszErrorTag ? pszErrorTag : "PrivateKeyInfo");
+            RTCRPKCS8ENCRYPTEDPRIVATEKEYINFO EncryptedPrivateKeyInfo;
+            RT_ZERO(EncryptedPrivateKeyInfo);
+            rc = RTCrPkcs8EncryptedPrivateKeyInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &EncryptedPrivateKeyInfo,
+                                                             pszErrorTag ? pszErrorTag : "EncryptedPrivateKeyInfo");
             if (RT_SUCCESS(rc))
             {
-                /*
-                 * Load the private key according to it's algorithm.
-                 * We currently only support RSA (pkcs1-RsaEncryption).
-                 */
-                if (RTAsn1ObjId_CompareWithString(&PrivateKeyInfo.PrivateKeyAlgorithm.Algorithm,
-                                                  RTCRX509ALGORITHMIDENTIFIERID_RSA) == 0)
-                    rc = rtCrKeyCreateRsaPrivate(phKey, PrivateKeyInfo.PrivateKey.Asn1Core.uData.pv,
-                                                 PrivateKeyInfo.PrivateKey.Asn1Core.cb, pErrInfo, pszErrorTag);
-                else
-                    rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_FORMAT_NOT_SUPPORTED,
-                                      "Support for PKCS#8 PrivateKeyInfo for non-RSA keys is not yet implemented");
+                uint8_t *pbDecrypted = NULL;
+                size_t   cbDecrypted = 0;
+                size_t   cbDecryptedAlloced = 0;
+                rc = rtCrKeyDecryptPkcs8Info(&EncryptedPrivateKeyInfo, pszPassword,
+                                             &pbDecrypted, &cbDecrypted, &cbDecryptedAlloced, pErrInfo);
+                if (RT_SUCCESS(rc))
+                {
+                    rc = rtCrKeyCreateFromPrivateKeyInfo(phKey, &PrimaryCursor, pbDecrypted, cbDecrypted, pErrInfo, pszErrorTag);
+
+                    RTMemSaferFree(pbDecrypted, cbDecryptedAlloced);
+                }
+                RTCrPkcs8EncryptedPrivateKeyInfo_Delete(&EncryptedPrivateKeyInfo);
             }
             break;
         }
-
-        case kKeyFormat_EncryptedPrivateKeyInfo:
-            rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_FORMAT_NOT_SUPPORTED,
-                              "Support for encrypted PKCS#8 PrivateKeyInfo is not yet implemented");
-            break;
 
         default:

trunk/src/VBox/Runtime/common/crypto/pkcs8-template.h

@@ -53 +53 @@
 #undef RTASN1TMPL_INT_NAME
 
-#if 0
 
 /*
  * Encrypted private key info
  */
-#define RTASN1TMPL_TYPE         RTCRENCRYPTEDPRIVATEKEY
-#define RTASN1TMPL_EXT_NAME     RTCrEncryptedPrivateKey
-#define RTASN1TMPL_INT_NAME     rtCrEncryptedPrivateKey
+#define RTASN1TMPL_TYPE         RTCRPKCS8ENCRYPTEDPRIVATEKEYINFO
+#define RTASN1TMPL_EXT_NAME     RTCrPkcs8EncryptedPrivateKeyInfo
+#define RTASN1TMPL_INT_NAME     rtCrPkcs8EncryptedPrivateKeyInfo
 RTASN1TMPL_BEGIN_SEQCORE();
 RTASN1TMPL_MEMBER(              EncryptionAlgorithm,    RTCRX509ALGORITHMIDENTIFIER,    RTCrX509AlgorithmIdentifier);
@@ -69 +68 @@
 #undef RTASN1TMPL_INT_NAME
 
-#endif

trunk/src/VBox/Runtime/testcase/tstRTCrPkix-1.cpp

@@ -58 +58 @@
 static const struct { unsigned cBits; const char *pszPrivateKey, *pszPublicKey, *pszPassword; } g_aKeyPairs[] =
 {
+#if 0
     {
         4096,
@@ -256 +257 @@
         "password"
     },
-
+#endif
     /*
      * PKCS8 Test Keys
@@ -285 +286 @@
         "-----END PUBLIC KEY-----\n",
         NULL
-    }
+    },
+    {
+        2048,
+        "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
+        "MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIRFetWFFFIb4CAggA\n"
+        "MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAZMr0Lq1s+olU2jUY8MuQJBIIE\n"
+        "0ICOZE6GhPCQbUSudbBYTG4zBRGhJOTeGF43c3pqi6UNS4qWK9IQ3B5hm618Iof0\n"
+        "YUnCDKy9G7TPMwP+8pcybFXuvWo1yeJcVGNalBq/LmUG2RBJ3hh/IikDnzj2jq1u\n"
+        "QKFTgl5yZ41bC75d81fdg0CpYqIGOjLdQcUJmVk+lKggWcN7KuqPj+9FhCoRyjIp\n"
+        "UyLYQQ8E0sb7tk0gJoi6VHddTYpLEDiFzGqXP/XWykCFHx977sbRuOymrTF3C3OZ\n"
+        "X5PSkszydSBzomPl1MnmiMjAmgc3j6EABUpzjaUZ2l2xxeM9r/c076zSpHdcBFus\n"
+        "Y3pA9Hm9HvV2q+1FHHNk90vZlXWtyTh8tSJvT3WF63kYMyIXXztovldjxX76fxB0\n"
+        "c5K0E9FH5sjv0R4AfMf4CMsP5InGfy2zICRwi+xvp97lq6nEXjIqiePyNTUA3QAy\n"
+        "brZtzM67KxFL/TuV6Y20DILAPlWZe3C8KFpFeHEi5yddi0VikzQVl1X/hieCt4SP\n"
+        "aTdd+MCn3XIu+58RK6UYCVCxbH9j9iZCznOfWLRMpthvoa9SO8M8DTFlx/bptClt\n"
+        "IKUnsQgBpvT3+xzpJk4sQyD4aZDcDMQeNfDr/1KyYMEjaqvGMqKfLed2HLDHdD9f\n"
+        "rsg41wTCqp/draUh2qxa7pXkK0KcNbH4hLH//pduaLubHmOPofLvprVIISyOtspN\n"
+        "tsPtXs43Ta4dOQWLg2Q/lwlo0psi1im/fHKyr7rpMdUa+dRGX8H4tYsFJufHzVjr\n"
+        "rQrKDHPsNfhy+JuCfQu/8SdZCXwcBxxeSlam5EgtlfsTDC+zIP8dDHaOWsDRm+k3\n"
+        "ryKTSn84LBQLWzc3RhZteAlzDHcmrS/MmF4yfpgSkFI+aUF5+XPLqoYVsoVKQ5bL\n"
+        "NnA6xJBkXVtzNZUYH3cHoiAOATlhHRFtoWrKoEQXlCNvvTCiBGoMPfjpnTy3u/kS\n"
+        "8JaUsJLvDFQBFPSxdYA+w/zb3zy0Nh5s3R9D6IkrH0X2mk8JhABYNzDIDYlS2Ioz\n"
+        "ARpmwuZwPUG1iSzamYZCt2OVd1acPexiwTATihfPVT2RFbHET9+e7NX/5TFnGP++\n"
+        "4o6mckiD5c9QmwE29FLTeiqwKvLweLrrF6/1/S45/okibqXHgh7O567y+PSMmjk5\n"
+        "L0azEmv6UIs5z4FNvDxS5++b3oqUMu+oazQP1aDk0H/8xJaDFrnOKWL9h8waeBn7\n"
+        "JBuuIFKqRb6S9H0ZPb1R7Z9BVuUil76nc4zr0kLNdJ8dq2l/kcqIIFrtVJX/INaf\n"
+        "gYvlsIYXpb/IhBZit1GJxwi8kk29b2QSyDW6CNNi3dC8Y1p9jiLejqFM4LQL/HNr\n"
+        "atc1pUBPePK1ZHJ0OLyVthJYXmn8v+M9eHfptQzBZpILTZZK719uOtHloPrI64LY\n"
+        "iO00glzBju2W1yDF6cTgmWQEigWno65Is5pjN5ByMf3ouHM8qJFIhTEqCpAY7cQQ\n"
+        "2k6o7dqAcQm7Q+BvhfsWcPWq/GH/OOkuUDqQaK1YDA+lUj9uyrxm9AlrDtUjezLE\n"
+        "k3IT6ZiBVrPlKWCMbT6ajm9ti0RuCRnZfrrLn2gu16weRtaNeVyza6D5wn+eKXmE\n"
+        "5dnugDd6T+QBX/3+WLaXTL3l/tj7i9WwNJU4uqW7y6+P\n"
+        "-----END ENCRYPTED PRIVATE KEY-----\n",
+        "-----BEGIN PUBLIC KEY-----\n"
+        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp6CMrt0Z/k5+c/7C3oWz\n"
+        "bLBmE4fttE84EZsrwB/ZDhMBQDsVF/GMePj1e5zrxnVq6GZhcNbcJTqHp0mWb+K5\n"
+        "HMlAihPKYlswJQtkVgp/czbdXwt3MI+D4ifUiq4v8AMrJHW+AYd0GYKzYma6LGVj\n"
+        "75Bue450bsLocMKwB03iyFE8SBwzGSj9jwJ9UYBvVUnNsutq6nCPTj1bM6naFIHO\n"
+        "Y+cozHIrKyvHGHoWBVUqKARlNT3TtbTyGxaT4QyZj8Pm9jB5Np6CrF7nmV936Q3A\n"
+        "3CHji8BbhfcdZ/9s53wkSwztfpe8NYh1/RiLZtZdky9E6Q67dt3h4bKHsKRFi0xW\n"
+        "jQIDAQAB\n"
+        "-----END PUBLIC KEY-----\n",
+        "password"
+    },
 };