/src/boringssl/crypto/pem/pem_pk8.cc

Source (jump to first uncovered line)
// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/pem.h>

#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/pkcs8.h>
#include <openssl/rand.h>
#include <openssl/x509.h>

static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
                      const EVP_CIPHER *enc, const char *pass, int pass_len,
                      pem_password_cb *cb, void *u);
static int do_pk8pkey_fp(FILE *bp, const EVP_PKEY *x, int isder, int nid,
                         const EVP_CIPHER *enc, const char *pass, int pass_len,
                         pem_password_cb *cb, void *u);

// These functions write a private key in PKCS#8 format: it is a "drop in"
// replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
// is NULL then it uses the unencrypted private key form. The 'nid' versions
// uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.

int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, int nid,
                                      const char *pass, int pass_len,
                                      pem_password_cb *cb, void *u) {
  return do_pk8pkey(bp, x, 0, nid, NULL, pass, pass_len, cb, u);
}

int PEM_write_bio_PKCS8PrivateKey(BIO *bp, const EVP_PKEY *x,
                                  const EVP_CIPHER *enc, const char *pass,
                                  int pass_len, pem_password_cb *cb, void *u) {
  return do_pk8pkey(bp, x, 0, -1, enc, pass, pass_len, cb, u);
}

int i2d_PKCS8PrivateKey_bio(BIO *bp, const EVP_PKEY *x, const EVP_CIPHER *enc,
                            const char *pass, int pass_len, pem_password_cb *cb,
                            void *u) {
  return do_pk8pkey(bp, x, 1, -1, enc, pass, pass_len, cb, u);
}

int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x, int nid,
                                const char *pass, int pass_len,
                                pem_password_cb *cb, void *u) {
  return do_pk8pkey(bp, x, 1, nid, NULL, pass, pass_len, cb, u);
}

static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
                      const EVP_CIPHER *enc, const char *pass, int pass_len,
                      pem_password_cb *cb, void *u) {
  X509_SIG *p8;
  PKCS8_PRIV_KEY_INFO *p8inf;
  char buf[PEM_BUFSIZE];
  int ret;
  if (!(p8inf = EVP_PKEY2PKCS8(x))) {
    OPENSSL_PUT_ERROR(PEM, PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
    return 0;
  }
  if (enc || (nid != -1)) {
    if (!pass) {
      if (!cb) {
        cb = PEM_def_callback;
      }
      pass_len = cb(buf, PEM_BUFSIZE, 1, u);
      if (pass_len < 0) {
        OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
        PKCS8_PRIV_KEY_INFO_free(p8inf);
        return 0;
      }

      pass = buf;
    }
    p8 = PKCS8_encrypt(nid, enc, pass, pass_len, NULL, 0, 0, p8inf);
    if (pass == buf) {
      OPENSSL_cleanse(buf, pass_len);
    }
    PKCS8_PRIV_KEY_INFO_free(p8inf);
    if (isder) {
      ret = i2d_PKCS8_bio(bp, p8);
    } else {
      ret = PEM_write_bio_PKCS8(bp, p8);
    }
    X509_SIG_free(p8);
    return ret;
  } else {
    if (isder) {
      ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
    } else {
      ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
    }
    PKCS8_PRIV_KEY_INFO_free(p8inf);
    return ret;
  }
}

EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
                                  void *u) {
  PKCS8_PRIV_KEY_INFO *p8inf = NULL;
  X509_SIG *p8 = NULL;
  int pass_len;
  EVP_PKEY *ret;
  char psbuf[PEM_BUFSIZE];
  p8 = d2i_PKCS8_bio(bp, NULL);
  if (!p8) {
    return NULL;
  }

  pass_len = 0;
  if (!cb) {
    cb = PEM_def_callback;
  }
  pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);
  if (pass_len < 0) {
    OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
    X509_SIG_free(p8);
    return NULL;
  }
  p8inf = PKCS8_decrypt(p8, psbuf, pass_len);
  X509_SIG_free(p8);
  OPENSSL_cleanse(psbuf, pass_len);
  if (!p8inf) {
    return NULL;
  }
  ret = EVP_PKCS82PKEY(p8inf);
  PKCS8_PRIV_KEY_INFO_free(p8inf);
  if (!ret) {
    return NULL;
  }
  if (x) {
    if (*x) {
      EVP_PKEY_free(*x);
    }
    *x = ret;
  }
  return ret;
}


int i2d_PKCS8PrivateKey_fp(FILE *fp, const EVP_PKEY *x, const EVP_CIPHER *enc,
                           const char *pass, int pass_len, pem_password_cb *cb,
                           void *u) {
  return do_pk8pkey_fp(fp, x, 1, -1, enc, pass, pass_len, cb, u);
}

int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x, int nid,
                               const char *pass, int pass_len,
                               pem_password_cb *cb, void *u) {
  return do_pk8pkey_fp(fp, x, 1, nid, NULL, pass, pass_len, cb, u);
}

int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, int nid,
                                  const char *pass, int pass_len,
                                  pem_password_cb *cb, void *u) {
  return do_pk8pkey_fp(fp, x, 0, nid, NULL, pass, pass_len, cb, u);
}

int PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x,
                              const EVP_CIPHER *enc, const char *pass,
                              int pass_len, pem_password_cb *cb, void *u) {
  return do_pk8pkey_fp(fp, x, 0, -1, enc, pass, pass_len, cb, u);
}

static int do_pk8pkey_fp(FILE *fp, const EVP_PKEY *x, int isder, int nid,
                         const EVP_CIPHER *enc, const char *pass, int pass_len,
                         pem_password_cb *cb, void *u) {
  BIO *bp;
  int ret;
  if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
    OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);
    return 0;
  }
  ret = do_pk8pkey(bp, x, isder, nid, enc, pass, pass_len, cb, u);
  BIO_free(bp);
  return ret;
}

EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
                                 void *u) {
  BIO *bp;
  EVP_PKEY *ret;
  if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
    OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);
    return NULL;
  }
  ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
  BIO_free(bp);
  return ret;
}


IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)


IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
                 PKCS8_PRIV_KEY_INFO)

Coverage Report

Created: 2025-06-24 07:00

Line	Count	Source (jump to first uncovered line)
1		// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/pem.h>
16
17		#include <openssl/err.h>
18		#include <openssl/evp.h>
19		#include <openssl/mem.h>
20		#include <openssl/obj.h>
21		#include <openssl/pkcs8.h>
22		#include <openssl/rand.h>
23		#include <openssl/x509.h>
24
25		static int do_pk8pkey(BIO bp, const EVP_PKEY x, int isder, int nid,
26		const EVP_CIPHER enc, const char pass, int pass_len,
27		pem_password_cb cb, void u);
28		static int do_pk8pkey_fp(FILE bp, const EVP_PKEY x, int isder, int nid,
29		const EVP_CIPHER enc, const char pass, int pass_len,
30		pem_password_cb cb, void u);
31
32		// These functions write a private key in PKCS#8 format: it is a "drop in"
33		// replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
34		// is NULL then it uses the unencrypted private key form. The 'nid' versions
35		// uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
36
37		int PEM_write_bio_PKCS8PrivateKey_nid(BIO bp, const EVP_PKEY x, int nid,
38		const char *pass, int pass_len,
39	0	pem_password_cb cb, void u) {
40	0	return do_pk8pkey(bp, x, 0, nid, NULL, pass, pass_len, cb, u);
41	0	}
42
43		int PEM_write_bio_PKCS8PrivateKey(BIO bp, const EVP_PKEY x,
44		const EVP_CIPHER enc, const char pass,
45	0	int pass_len, pem_password_cb cb, void u) {
46	0	return do_pk8pkey(bp, x, 0, -1, enc, pass, pass_len, cb, u);
47	0	}
48
49		int i2d_PKCS8PrivateKey_bio(BIO bp, const EVP_PKEY x, const EVP_CIPHER *enc,
50		const char pass, int pass_len, pem_password_cb cb,
51	0	void *u) {
52	0	return do_pk8pkey(bp, x, 1, -1, enc, pass, pass_len, cb, u);
53	0	}
54
55		int i2d_PKCS8PrivateKey_nid_bio(BIO bp, const EVP_PKEY x, int nid,
56		const char *pass, int pass_len,
57	0	pem_password_cb cb, void u) {
58	0	return do_pk8pkey(bp, x, 1, nid, NULL, pass, pass_len, cb, u);
59	0	}
60
61		static int do_pk8pkey(BIO bp, const EVP_PKEY x, int isder, int nid,
62		const EVP_CIPHER enc, const char pass, int pass_len,
63	0	pem_password_cb cb, void u) {
64	0	X509_SIG *p8;
65	0	PKCS8_PRIV_KEY_INFO *p8inf;
66	0	char buf[PEM_BUFSIZE];
67	0	int ret;
68	0	if (!(p8inf = EVP_PKEY2PKCS8(x))) {
69	0	OPENSSL_PUT_ERROR(PEM, PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
70	0	return 0;
71	0	}
72	0	if (enc \|\| (nid != -1)) {
73	0	if (!pass) {
74	0	if (!cb) {
75	0	cb = PEM_def_callback;
76	0	}
77	0	pass_len = cb(buf, PEM_BUFSIZE, 1, u);
78	0	if (pass_len < 0) {
79	0	OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
80	0	PKCS8_PRIV_KEY_INFO_free(p8inf);
81	0	return 0;
82	0	}
83
84	0	pass = buf;
85	0	}
86	0	p8 = PKCS8_encrypt(nid, enc, pass, pass_len, NULL, 0, 0, p8inf);
87	0	if (pass == buf) {
88	0	OPENSSL_cleanse(buf, pass_len);
89	0	}
90	0	PKCS8_PRIV_KEY_INFO_free(p8inf);
91	0	if (isder) {
92	0	ret = i2d_PKCS8_bio(bp, p8);
93	0	} else {
94	0	ret = PEM_write_bio_PKCS8(bp, p8);
95	0	}
96	0	X509_SIG_free(p8);
97	0	return ret;
98	0	} else {
99	0	if (isder) {
100	0	ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
101	0	} else {
102	0	ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
103	0	}
104	0	PKCS8_PRIV_KEY_INFO_free(p8inf);
105	0	return ret;
106	0	}
107	0	}
108
109		EVP_PKEY d2i_PKCS8PrivateKey_bio(BIO bp, EVP_PKEY *x, pem_password_cb cb,
110	0	void *u) {
111	0	PKCS8_PRIV_KEY_INFO *p8inf = NULL;
112	0	X509_SIG *p8 = NULL;
113	0	int pass_len;
114	0	EVP_PKEY *ret;
115	0	char psbuf[PEM_BUFSIZE];
116	0	p8 = d2i_PKCS8_bio(bp, NULL);
117	0	if (!p8) {
118	0	return NULL;
119	0	}
120
121	0	pass_len = 0;
122	0	if (!cb) {
123	0	cb = PEM_def_callback;
124	0	}
125	0	pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);
126	0	if (pass_len < 0) {
127	0	OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
128	0	X509_SIG_free(p8);
129	0	return NULL;
130	0	}
131	0	p8inf = PKCS8_decrypt(p8, psbuf, pass_len);
132	0	X509_SIG_free(p8);
133	0	OPENSSL_cleanse(psbuf, pass_len);
134	0	if (!p8inf) {
135	0	return NULL;
136	0	}
137	0	ret = EVP_PKCS82PKEY(p8inf);
138	0	PKCS8_PRIV_KEY_INFO_free(p8inf);
139	0	if (!ret) {
140	0	return NULL;
141	0	}
142	0	if (x) {
143	0	if (*x) {
144	0	EVP_PKEY_free(*x);
145	0	}
146	0	*x = ret;
147	0	}
148	0	return ret;
149	0	}
150
151
152		int i2d_PKCS8PrivateKey_fp(FILE fp, const EVP_PKEY x, const EVP_CIPHER *enc,
153		const char pass, int pass_len, pem_password_cb cb,
154	0	void *u) {
155	0	return do_pk8pkey_fp(fp, x, 1, -1, enc, pass, pass_len, cb, u);
156	0	}
157
158		int i2d_PKCS8PrivateKey_nid_fp(FILE fp, const EVP_PKEY x, int nid,
159		const char *pass, int pass_len,
160	0	pem_password_cb cb, void u) {
161	0	return do_pk8pkey_fp(fp, x, 1, nid, NULL, pass, pass_len, cb, u);
162	0	}
163
164		int PEM_write_PKCS8PrivateKey_nid(FILE fp, const EVP_PKEY x, int nid,
165		const char *pass, int pass_len,
166	0	pem_password_cb cb, void u) {
167	0	return do_pk8pkey_fp(fp, x, 0, nid, NULL, pass, pass_len, cb, u);
168	0	}
169
170		int PEM_write_PKCS8PrivateKey(FILE fp, const EVP_PKEY x,
171		const EVP_CIPHER enc, const char pass,
172	0	int pass_len, pem_password_cb cb, void u) {
173	0	return do_pk8pkey_fp(fp, x, 0, -1, enc, pass, pass_len, cb, u);
174	0	}
175
176		static int do_pk8pkey_fp(FILE fp, const EVP_PKEY x, int isder, int nid,
177		const EVP_CIPHER enc, const char pass, int pass_len,
178	0	pem_password_cb cb, void u) {
179	0	BIO *bp;
180	0	int ret;
181	0	if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
182	0	OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);
183	0	return 0;
184	0	}
185	0	ret = do_pk8pkey(bp, x, isder, nid, enc, pass, pass_len, cb, u);
186	0	BIO_free(bp);
187	0	return ret;
188	0	}
189
190		EVP_PKEY d2i_PKCS8PrivateKey_fp(FILE fp, EVP_PKEY *x, pem_password_cb cb,
191	0	void *u) {
192	0	BIO *bp;
193	0	EVP_PKEY *ret;
194	0	if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
195	0	OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);
196	0	return NULL;
197	0	}
198	0	ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
199	0	BIO_free(bp);
200	0	return ret;
201	0	}
202
203
204		IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
205
206
207		IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
208		PKCS8_PRIV_KEY_INFO)