/src/openssl/crypto/store/store_result.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include "internal/e_os.h" |
11 | | #include <string.h> |
12 | | |
13 | | #include <openssl/core.h> |
14 | | #include <openssl/core_names.h> |
15 | | #include <openssl/core_object.h> |
16 | | #include <openssl/err.h> |
17 | | #include <openssl/pkcs12.h> |
18 | | #include <openssl/provider.h> |
19 | | #include <openssl/decoder.h> |
20 | | #include <openssl/store.h> |
21 | | #include "internal/provider.h" |
22 | | #include "internal/passphrase.h" |
23 | | #include "crypto/decoder.h" |
24 | | #include "crypto/evp.h" |
25 | | #include "crypto/x509.h" |
26 | | #include "store_local.h" |
27 | | |
28 | | #ifndef OSSL_OBJECT_PKCS12 |
29 | | /* |
30 | | * The object abstraction doesn't know PKCS#12, but we want to indicate |
31 | | * it anyway, so we create our own. Since the public macros use positive |
32 | | * numbers, negative ones should be fine. They must never slip out from |
33 | | * this translation unit anyway. |
34 | | */ |
35 | 0 | #define OSSL_OBJECT_PKCS12 -1 |
36 | | #endif |
37 | | |
38 | | /* |
39 | | * ossl_store_handle_load_result() is initially written to be a companion |
40 | | * to our 'file:' scheme provider implementation, but has been made generic |
41 | | * to serve others as well. |
42 | | * |
43 | | * This result handler takes any object abstraction (see provider-object(7)) |
44 | | * and does the best it can with it. If the object is passed by value (not |
45 | | * by reference), the contents are currently expected to be DER encoded. |
46 | | * If an object type is specified, that will be respected; otherwise, this |
47 | | * handler will guess the contents, by trying the following in order: |
48 | | * |
49 | | * 1. Decode it into an EVP_PKEY, using OSSL_DECODER. |
50 | | * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX. |
51 | | * 3. Decode it into an X.509 CRL, using d2i_X509_CRL. |
52 | | * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*). |
53 | | * |
54 | | * For the 'file:' scheme implementation, this is division of labor. Since |
55 | | * the libcrypto <-> provider interface currently doesn't support certain |
56 | | * structures as first class objects, they must be unpacked from DER here |
57 | | * rather than in the provider. The current exception is asymmetric keys, |
58 | | * which can reside within the provider boundary, most of all thanks to |
59 | | * OSSL_FUNC_keymgmt_load(), which allows loading the key material by |
60 | | * reference. |
61 | | */ |
62 | | |
63 | | struct extracted_param_data_st { |
64 | | int object_type; |
65 | | const char *data_type; |
66 | | const char *input_type; |
67 | | const char *data_structure; |
68 | | const char *utf8_data; |
69 | | const void *octet_data; |
70 | | size_t octet_data_size; |
71 | | const void *ref; |
72 | | size_t ref_size; |
73 | | const char *desc; |
74 | | }; |
75 | | |
76 | | static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **); |
77 | | static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
78 | | OSSL_STORE_CTX *, const OSSL_PROVIDER *, |
79 | | OSSL_LIB_CTX *, const char *); |
80 | | static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
81 | | OSSL_LIB_CTX *, const char *); |
82 | | static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
83 | | OSSL_LIB_CTX *, const char *); |
84 | | static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
85 | | OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *); |
86 | | static int try_skey(struct extracted_param_data_st *, OSSL_STORE_INFO **, |
87 | | const OSSL_PROVIDER *, OSSL_LIB_CTX *, const char *); |
88 | | |
89 | | int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg) |
90 | 0 | { |
91 | 0 | struct ossl_load_result_data_st *cbdata = arg; |
92 | 0 | OSSL_STORE_INFO **v = &cbdata->v; |
93 | 0 | OSSL_STORE_CTX *ctx = cbdata->ctx; |
94 | 0 | const OSSL_PROVIDER *provider = OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader); |
95 | 0 | OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider); |
96 | 0 | const char *propq = ctx->properties; |
97 | 0 | const OSSL_PARAM *p; |
98 | 0 | struct extracted_param_data_st helper_data; |
99 | |
|
100 | 0 | memset(&helper_data, 0, sizeof(helper_data)); |
101 | 0 | helper_data.object_type = OSSL_OBJECT_UNKNOWN; |
102 | |
|
103 | 0 | if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL |
104 | 0 | && !OSSL_PARAM_get_int(p, &helper_data.object_type)) |
105 | 0 | return 0; |
106 | 0 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); |
107 | 0 | if (p != NULL |
108 | 0 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type)) |
109 | 0 | return 0; |
110 | 0 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA); |
111 | 0 | if (p != NULL |
112 | 0 | && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data, |
113 | 0 | &helper_data.octet_data_size) |
114 | 0 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data)) |
115 | 0 | return 0; |
116 | 0 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE); |
117 | 0 | if (p != NULL |
118 | 0 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure)) |
119 | 0 | return 0; |
120 | 0 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_INPUT_TYPE); |
121 | 0 | if (p != NULL |
122 | 0 | && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.input_type)) |
123 | 0 | return 0; |
124 | 0 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); |
125 | 0 | if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref, &helper_data.ref_size)) |
126 | 0 | return 0; |
127 | 0 | p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC); |
128 | 0 | if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc)) |
129 | 0 | return 0; |
130 | | |
131 | | /* |
132 | | * The helper functions return 0 on actual errors, otherwise 1, even if |
133 | | * they didn't fill out |*v|. |
134 | | */ |
135 | 0 | ERR_set_mark(); |
136 | 0 | if (*v == NULL && !try_name(&helper_data, v)) |
137 | 0 | goto err; |
138 | 0 | ERR_pop_to_mark(); |
139 | 0 | ERR_set_mark(); |
140 | 0 | if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq)) |
141 | 0 | goto err; |
142 | 0 | ERR_pop_to_mark(); |
143 | 0 | ERR_set_mark(); |
144 | 0 | if (*v == NULL && !try_cert(&helper_data, v, libctx, propq)) |
145 | 0 | goto err; |
146 | 0 | ERR_pop_to_mark(); |
147 | 0 | ERR_set_mark(); |
148 | 0 | if (*v == NULL && !try_crl(&helper_data, v, libctx, propq)) |
149 | 0 | goto err; |
150 | 0 | ERR_pop_to_mark(); |
151 | 0 | ERR_set_mark(); |
152 | 0 | if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq)) |
153 | 0 | goto err; |
154 | 0 | ERR_pop_to_mark(); |
155 | 0 | ERR_set_mark(); |
156 | 0 | if (*v == NULL && !try_skey(&helper_data, v, provider, libctx, propq)) |
157 | 0 | goto err; |
158 | 0 | ERR_pop_to_mark(); |
159 | |
|
160 | 0 | if (*v == NULL) { |
161 | 0 | const char *hint = ""; |
162 | |
|
163 | 0 | if (!OSSL_PROVIDER_available(libctx, "default")) |
164 | 0 | hint = ":maybe need to load the default provider?"; |
165 | 0 | if (provider != NULL) |
166 | 0 | ERR_raise_data(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED, "provider=%s%s", |
167 | 0 | OSSL_PROVIDER_get0_name(provider), hint); |
168 | 0 | else if (hint[0] != '\0') |
169 | 0 | ERR_raise_data(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED, "%s", hint); |
170 | 0 | else |
171 | 0 | ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED); |
172 | 0 | } |
173 | |
|
174 | 0 | return (*v != NULL); |
175 | 0 | err: |
176 | 0 | ERR_clear_last_mark(); |
177 | 0 | return 0; |
178 | 0 | } |
179 | | |
180 | | static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v) |
181 | 0 | { |
182 | 0 | if (data->object_type == OSSL_OBJECT_NAME) { |
183 | 0 | char *newname = NULL, *newdesc = NULL; |
184 | |
|
185 | 0 | if (data->utf8_data == NULL) |
186 | 0 | return 0; |
187 | 0 | if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL |
188 | 0 | || (data->desc != NULL |
189 | 0 | && (newdesc = OPENSSL_strdup(data->desc)) == NULL) |
190 | 0 | || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) { |
191 | 0 | OPENSSL_free(newname); |
192 | 0 | OPENSSL_free(newdesc); |
193 | 0 | return 0; |
194 | 0 | } |
195 | 0 | OSSL_STORE_INFO_set0_NAME_description(*v, newdesc); |
196 | 0 | } |
197 | 0 | return 1; |
198 | 0 | } |
199 | | |
200 | | /* |
201 | | * For the rest of the object types, the provider code may not know what |
202 | | * type of data it gave us, so we may need to figure that out on our own. |
203 | | * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and |
204 | | * only return 0 on error if the object type is known. |
205 | | */ |
206 | | |
207 | | static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data, |
208 | | OSSL_STORE_CTX *ctx, |
209 | | const OSSL_PROVIDER *provider, |
210 | | OSSL_LIB_CTX *libctx, const char *propq) |
211 | 0 | { |
212 | 0 | EVP_PKEY *pk = NULL; |
213 | 0 | EVP_KEYMGMT *keymgmt = NULL; |
214 | 0 | void *keydata = NULL; |
215 | 0 | int try_fallback = 2; |
216 | | |
217 | | /* If we have an object reference, we must have a data type */ |
218 | 0 | if (data->data_type == NULL) |
219 | 0 | return 0; |
220 | | |
221 | 0 | keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq); |
222 | 0 | ERR_set_mark(); |
223 | 0 | while (keymgmt != NULL && keydata == NULL && try_fallback-- > 0) { |
224 | | /* |
225 | | * There are two possible cases |
226 | | * |
227 | | * 1. The keymgmt is from the same provider as the loader, |
228 | | * so we can use evp_keymgmt_load() |
229 | | * 2. The keymgmt is from another provider, then we must |
230 | | * do the export/import dance. |
231 | | */ |
232 | 0 | if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { |
233 | | /* no point trying fallback here */ |
234 | 0 | try_fallback = 0; |
235 | 0 | keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size); |
236 | 0 | } else { |
237 | 0 | struct evp_keymgmt_util_try_import_data_st import_data; |
238 | 0 | OSSL_FUNC_store_export_object_fn *export_object = ctx->fetched_loader->p_export_object; |
239 | |
|
240 | 0 | import_data.keymgmt = keymgmt; |
241 | 0 | import_data.keydata = NULL; |
242 | 0 | import_data.selection = OSSL_KEYMGMT_SELECT_ALL; |
243 | |
|
244 | 0 | if (export_object != NULL) { |
245 | | /* |
246 | | * No need to check for errors here, the value of |
247 | | * |import_data.keydata| is as much an indicator. |
248 | | */ |
249 | 0 | (void)export_object(ctx->loader_ctx, |
250 | 0 | data->ref, data->ref_size, |
251 | 0 | &evp_keymgmt_util_try_import, |
252 | 0 | &import_data); |
253 | 0 | } |
254 | |
|
255 | 0 | keydata = import_data.keydata; |
256 | 0 | } |
257 | |
|
258 | 0 | if (keydata == NULL && try_fallback > 0) { |
259 | 0 | EVP_KEYMGMT_free(keymgmt); |
260 | 0 | keymgmt = evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)provider, |
261 | 0 | data->data_type, propq); |
262 | 0 | if (keymgmt != NULL) { |
263 | 0 | ERR_pop_to_mark(); |
264 | 0 | ERR_set_mark(); |
265 | 0 | } |
266 | 0 | } |
267 | 0 | } |
268 | 0 | if (keydata != NULL) { |
269 | 0 | ERR_pop_to_mark(); |
270 | 0 | pk = evp_keymgmt_util_make_pkey(keymgmt, keydata); |
271 | 0 | } else { |
272 | 0 | ERR_clear_last_mark(); |
273 | 0 | } |
274 | 0 | EVP_KEYMGMT_free(keymgmt); |
275 | |
|
276 | 0 | return pk; |
277 | 0 | } |
278 | | |
279 | | static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, |
280 | | OSSL_STORE_CTX *ctx, |
281 | | OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, |
282 | | OSSL_LIB_CTX *libctx, const char *propq, |
283 | | int *harderr) |
284 | 0 | { |
285 | 0 | EVP_PKEY *pk = NULL; |
286 | 0 | OSSL_DECODER_CTX *decoderctx = NULL; |
287 | 0 | const unsigned char *pdata = data->octet_data; |
288 | 0 | size_t pdatalen = data->octet_data_size; |
289 | 0 | int selection = 0; |
290 | |
|
291 | 0 | switch (ctx->expected_type) { |
292 | 0 | case 0: |
293 | 0 | break; |
294 | 0 | case OSSL_STORE_INFO_PARAMS: |
295 | 0 | selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; |
296 | 0 | break; |
297 | 0 | case OSSL_STORE_INFO_PUBKEY: |
298 | 0 | selection = OSSL_KEYMGMT_SELECT_PUBLIC_KEY |
299 | 0 | | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; |
300 | 0 | break; |
301 | 0 | case OSSL_STORE_INFO_PKEY: |
302 | 0 | selection = OSSL_KEYMGMT_SELECT_ALL; |
303 | 0 | break; |
304 | 0 | default: |
305 | 0 | return NULL; |
306 | 0 | } |
307 | | |
308 | 0 | decoderctx = OSSL_DECODER_CTX_new_for_pkey(&pk, data->input_type, data->data_structure, |
309 | 0 | data->data_type, selection, libctx, |
310 | 0 | propq); |
311 | 0 | (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); |
312 | | |
313 | | /* No error if this couldn't be decoded */ |
314 | 0 | (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen); |
315 | | |
316 | | /* Save the hard error state. */ |
317 | 0 | *harderr = ossl_decoder_ctx_get_harderr(decoderctx); |
318 | 0 | OSSL_DECODER_CTX_free(decoderctx); |
319 | |
|
320 | 0 | return pk; |
321 | 0 | } |
322 | | |
323 | | typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *); |
324 | | |
325 | | static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data, |
326 | | store_info_new_fn **store_info_new, |
327 | | OSSL_STORE_CTX *ctx, |
328 | | OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, |
329 | | OSSL_LIB_CTX *libctx, const char *propq) |
330 | 0 | { |
331 | 0 | EVP_PKEY *pk = NULL; |
332 | 0 | const unsigned char *der = data->octet_data, *derp; |
333 | 0 | long der_len = (long)data->octet_data_size; |
334 | | |
335 | | /* Try PUBKEY first, that's a real easy target */ |
336 | 0 | if (ctx->expected_type == 0 |
337 | 0 | || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) { |
338 | 0 | derp = der; |
339 | 0 | pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq); |
340 | |
|
341 | 0 | if (pk != NULL) |
342 | 0 | *store_info_new = OSSL_STORE_INFO_new_PUBKEY; |
343 | 0 | } |
344 | | |
345 | | /* Try private keys next */ |
346 | 0 | if (pk == NULL |
347 | 0 | && (ctx->expected_type == 0 |
348 | 0 | || ctx->expected_type == OSSL_STORE_INFO_PKEY)) { |
349 | 0 | unsigned char *new_der = NULL; |
350 | 0 | X509_SIG *p8 = NULL; |
351 | 0 | PKCS8_PRIV_KEY_INFO *p8info = NULL; |
352 | | |
353 | | /* See if it's an encrypted PKCS#8 and decrypt it. */ |
354 | 0 | derp = der; |
355 | 0 | p8 = d2i_X509_SIG(NULL, &derp, der_len); |
356 | |
|
357 | 0 | if (p8 != NULL) { |
358 | 0 | char pbuf[PEM_BUFSIZE]; |
359 | 0 | size_t plen = 0; |
360 | |
|
361 | 0 | if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) { |
362 | 0 | ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ); |
363 | 0 | } else { |
364 | 0 | const X509_ALGOR *alg = NULL; |
365 | 0 | const ASN1_OCTET_STRING *oct = NULL; |
366 | 0 | int len = 0; |
367 | |
|
368 | 0 | X509_SIG_get0(p8, &alg, &oct); |
369 | | |
370 | | /* |
371 | | * No need to check the returned value, |new_der| |
372 | | * will be NULL on error anyway. |
373 | | */ |
374 | 0 | PKCS12_pbe_crypt(alg, pbuf, (int)plen, |
375 | 0 | oct->data, oct->length, |
376 | 0 | &new_der, &len, 0); |
377 | 0 | der_len = len; |
378 | 0 | der = new_der; |
379 | 0 | } |
380 | 0 | X509_SIG_free(p8); |
381 | 0 | } |
382 | | |
383 | | /* |
384 | | * If the encrypted PKCS#8 couldn't be decrypted, |
385 | | * |der| is NULL |
386 | | */ |
387 | 0 | if (der != NULL) { |
388 | | /* Try to unpack an unencrypted PKCS#8, that's easy */ |
389 | 0 | derp = der; |
390 | 0 | p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len); |
391 | |
|
392 | 0 | if (p8info != NULL) { |
393 | 0 | pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq); |
394 | 0 | PKCS8_PRIV_KEY_INFO_free(p8info); |
395 | 0 | } |
396 | 0 | } |
397 | |
|
398 | 0 | if (pk != NULL) |
399 | 0 | *store_info_new = OSSL_STORE_INFO_new_PKEY; |
400 | |
|
401 | 0 | OPENSSL_free(new_der); |
402 | 0 | } |
403 | |
|
404 | 0 | return pk; |
405 | 0 | } |
406 | | |
407 | | static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, |
408 | | OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider, |
409 | | OSSL_LIB_CTX *libctx, const char *propq) |
410 | 0 | { |
411 | 0 | store_info_new_fn *store_info_new = NULL; |
412 | 0 | int harderr = 0; |
413 | |
|
414 | 0 | if (data->object_type == OSSL_OBJECT_UNKNOWN |
415 | 0 | || data->object_type == OSSL_OBJECT_PKEY) { |
416 | 0 | EVP_PKEY *pk = NULL; |
417 | | |
418 | | /* Prefer key by reference than key by value */ |
419 | 0 | if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) { |
420 | 0 | pk = try_key_ref(data, ctx, provider, libctx, propq); |
421 | | |
422 | | /* |
423 | | * If for some reason we couldn't get a key, it's an error. |
424 | | * It indicates that while decoders could make a key reference, |
425 | | * the keymgmt somehow couldn't handle it, or doesn't have a |
426 | | * OSSL_FUNC_keymgmt_load function. |
427 | | */ |
428 | 0 | if (pk == NULL) |
429 | 0 | return 0; |
430 | 0 | } else if (data->octet_data != NULL) { |
431 | 0 | OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec; |
432 | 0 | void *cbarg = &ctx->pwdata; |
433 | |
|
434 | 0 | pk = try_key_value(data, ctx, cb, cbarg, libctx, propq, &harderr); |
435 | | |
436 | | /* |
437 | | * Desperate last maneuver, in case the decoders don't support |
438 | | * the data we have, then we try on our own to at least get an |
439 | | * engine provided legacy key. |
440 | | * This is the same as der2key_decode() does, but in a limited |
441 | | * way and within the walls of libcrypto. |
442 | | */ |
443 | 0 | if (pk == NULL && harderr == 0) |
444 | 0 | pk = try_key_value_legacy(data, &store_info_new, ctx, |
445 | 0 | cb, cbarg, libctx, propq); |
446 | 0 | } |
447 | | |
448 | 0 | if (pk != NULL) { |
449 | 0 | data->object_type = OSSL_OBJECT_PKEY; |
450 | |
|
451 | 0 | if (store_info_new == NULL) { |
452 | | /* |
453 | | * We determined the object type for OSSL_STORE_INFO, which |
454 | | * makes an explicit difference between an EVP_PKEY with just |
455 | | * (domain) parameters and an EVP_PKEY with actual key |
456 | | * material. |
457 | | * The logic is that an EVP_PKEY with actual key material |
458 | | * always has the public half. |
459 | | */ |
460 | 0 | if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) |
461 | 0 | store_info_new = OSSL_STORE_INFO_new_PKEY; |
462 | 0 | else if (evp_keymgmt_util_has(pk, |
463 | 0 | OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) |
464 | 0 | store_info_new = OSSL_STORE_INFO_new_PUBKEY; |
465 | 0 | else |
466 | 0 | store_info_new = OSSL_STORE_INFO_new_PARAMS; |
467 | 0 | } |
468 | 0 | *v = store_info_new(pk); |
469 | 0 | } |
470 | |
|
471 | 0 | if (*v == NULL) |
472 | 0 | EVP_PKEY_free(pk); |
473 | 0 | } |
474 | | |
475 | 0 | return harderr == 0; |
476 | 0 | } |
477 | | |
478 | | static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, |
479 | | OSSL_LIB_CTX *libctx, const char *propq) |
480 | 0 | { |
481 | 0 | if (data->object_type == OSSL_OBJECT_UNKNOWN |
482 | 0 | || data->object_type == OSSL_OBJECT_CERT) { |
483 | | /* |
484 | | * In most cases, we can try to interpret the serialized |
485 | | * data as a trusted cert (X509 + X509_AUX) and fall back |
486 | | * to reading it as a normal cert (just X509), but if |
487 | | * |data_type| (the PEM name) specifically declares it as a |
488 | | * trusted cert, then no fallback should be engaged. |
489 | | * |ignore_trusted| tells if the fallback can be used (1) |
490 | | * or not (0). |
491 | | */ |
492 | 0 | int ignore_trusted = 1; |
493 | 0 | X509 *cert = X509_new_ex(libctx, propq); |
494 | |
|
495 | 0 | if (cert == NULL) |
496 | 0 | return 0; |
497 | | |
498 | | /* If we have a data type, it should be a PEM name */ |
499 | 0 | if (data->data_type != NULL |
500 | 0 | && (OPENSSL_strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0)) |
501 | 0 | ignore_trusted = 0; |
502 | |
|
503 | 0 | if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data, |
504 | 0 | (long)data->octet_data_size) |
505 | 0 | == NULL |
506 | 0 | && (!ignore_trusted |
507 | 0 | || d2i_X509(&cert, (const unsigned char **)&data->octet_data, |
508 | 0 | (long)data->octet_data_size) |
509 | 0 | == NULL)) { |
510 | 0 | X509_free(cert); |
511 | 0 | cert = NULL; |
512 | 0 | } |
513 | |
|
514 | 0 | if (cert != NULL) { |
515 | | /* We determined the object type */ |
516 | 0 | data->object_type = OSSL_OBJECT_CERT; |
517 | 0 | *v = OSSL_STORE_INFO_new_CERT(cert); |
518 | 0 | if (*v == NULL) |
519 | 0 | X509_free(cert); |
520 | 0 | } |
521 | 0 | } |
522 | | |
523 | 0 | return 1; |
524 | 0 | } |
525 | | |
526 | | static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, |
527 | | OSSL_LIB_CTX *libctx, const char *propq) |
528 | 0 | { |
529 | 0 | if (data->object_type == OSSL_OBJECT_UNKNOWN |
530 | 0 | || data->object_type == OSSL_OBJECT_CRL) { |
531 | 0 | X509_CRL *crl; |
532 | |
|
533 | 0 | crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data, |
534 | 0 | (long)data->octet_data_size); |
535 | |
|
536 | 0 | if (crl != NULL) |
537 | | /* We determined the object type */ |
538 | 0 | data->object_type = OSSL_OBJECT_CRL; |
539 | |
|
540 | 0 | if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) { |
541 | 0 | X509_CRL_free(crl); |
542 | 0 | crl = NULL; |
543 | 0 | } |
544 | |
|
545 | 0 | if (crl != NULL) |
546 | 0 | *v = OSSL_STORE_INFO_new_CRL(crl); |
547 | 0 | if (*v == NULL) |
548 | 0 | X509_CRL_free(crl); |
549 | 0 | } |
550 | |
|
551 | 0 | return 1; |
552 | 0 | } |
553 | | |
554 | | static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, |
555 | | OSSL_STORE_CTX *ctx, |
556 | | OSSL_LIB_CTX *libctx, const char *propq) |
557 | 0 | { |
558 | 0 | int ok = 1; |
559 | | |
560 | | /* There is no specific object type for PKCS12 */ |
561 | 0 | if (data->object_type == OSSL_OBJECT_UNKNOWN) { |
562 | | /* Initial parsing */ |
563 | 0 | PKCS12 *p12; |
564 | |
|
565 | 0 | p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data, |
566 | 0 | (long)data->octet_data_size); |
567 | |
|
568 | 0 | if (p12 != NULL) { |
569 | 0 | char *pass = NULL; |
570 | 0 | char tpass[PEM_BUFSIZE + 1]; |
571 | 0 | size_t tpass_len; |
572 | 0 | EVP_PKEY *pkey = NULL; |
573 | 0 | X509 *cert = NULL; |
574 | 0 | STACK_OF(X509) *chain = NULL; |
575 | |
|
576 | 0 | data->object_type = OSSL_OBJECT_PKCS12; |
577 | |
|
578 | 0 | ok = 0; /* Assume decryption or parse error */ |
579 | |
|
580 | 0 | if (!PKCS12_mac_present(p12) |
581 | 0 | || PKCS12_verify_mac(p12, NULL, 0)) { |
582 | 0 | pass = NULL; |
583 | 0 | } else if (PKCS12_verify_mac(p12, "", 0)) { |
584 | 0 | pass = ""; |
585 | 0 | } else { |
586 | 0 | static char prompt_info[] = "PKCS12 import pass phrase"; |
587 | 0 | OSSL_PARAM pw_params[] = { |
588 | 0 | OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, |
589 | 0 | prompt_info, |
590 | 0 | sizeof(prompt_info) - 1), |
591 | 0 | OSSL_PARAM_END |
592 | 0 | }; |
593 | |
|
594 | 0 | if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1, |
595 | 0 | &tpass_len, |
596 | 0 | pw_params, 0, &ctx->pwdata)) { |
597 | 0 | ERR_raise(ERR_LIB_OSSL_STORE, |
598 | 0 | OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR); |
599 | 0 | goto p12_end; |
600 | 0 | } |
601 | 0 | pass = tpass; |
602 | | /* |
603 | | * ossl_pw_get_passphrase() does not NUL terminate but |
604 | | * we must do it for PKCS12_parse() |
605 | | */ |
606 | 0 | pass[tpass_len] = '\0'; |
607 | 0 | if (!PKCS12_verify_mac(p12, pass, (int)tpass_len)) { |
608 | 0 | ERR_raise_data(ERR_LIB_OSSL_STORE, |
609 | 0 | OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC, |
610 | 0 | tpass_len == 0 ? "empty password" : "maybe wrong password"); |
611 | 0 | goto p12_end; |
612 | 0 | } |
613 | 0 | } |
614 | | |
615 | 0 | if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) { |
616 | 0 | STACK_OF(OSSL_STORE_INFO) *infos = NULL; |
617 | 0 | OSSL_STORE_INFO *osi_pkey = NULL; |
618 | 0 | OSSL_STORE_INFO *osi_cert = NULL; |
619 | 0 | OSSL_STORE_INFO *osi_ca = NULL; |
620 | |
|
621 | 0 | ok = 1; /* Parsing went through correctly! */ |
622 | |
|
623 | 0 | if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) { |
624 | 0 | if (pkey != NULL) { |
625 | 0 | if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL |
626 | | /* clearing pkey here avoids case distinctions */ |
627 | 0 | && (pkey = NULL) == NULL |
628 | 0 | && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0) |
629 | 0 | osi_pkey = NULL; |
630 | 0 | else |
631 | 0 | ok = 0; |
632 | 0 | } |
633 | 0 | if (ok && cert != NULL) { |
634 | 0 | if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL |
635 | | /* clearing cert here avoids case distinctions */ |
636 | 0 | && (cert = NULL) == NULL |
637 | 0 | && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0) |
638 | 0 | osi_cert = NULL; |
639 | 0 | else |
640 | 0 | ok = 0; |
641 | 0 | } |
642 | 0 | while (ok && sk_X509_num(chain) > 0) { |
643 | 0 | X509 *ca = sk_X509_value(chain, 0); |
644 | |
|
645 | 0 | if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL |
646 | 0 | && sk_X509_shift(chain) != NULL |
647 | 0 | && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0) |
648 | 0 | osi_ca = NULL; |
649 | 0 | else |
650 | 0 | ok = 0; |
651 | 0 | } |
652 | 0 | } |
653 | 0 | EVP_PKEY_free(pkey); |
654 | 0 | X509_free(cert); |
655 | 0 | OSSL_STACK_OF_X509_free(chain); |
656 | 0 | OSSL_STORE_INFO_free(osi_pkey); |
657 | 0 | OSSL_STORE_INFO_free(osi_cert); |
658 | 0 | OSSL_STORE_INFO_free(osi_ca); |
659 | 0 | if (!ok) { |
660 | 0 | sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free); |
661 | 0 | infos = NULL; |
662 | 0 | } |
663 | 0 | ctx->cached_info = infos; |
664 | 0 | } |
665 | 0 | p12_end: |
666 | 0 | OPENSSL_cleanse(tpass, sizeof(tpass)); |
667 | 0 | PKCS12_free(p12); |
668 | 0 | } |
669 | 0 | *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); |
670 | 0 | } |
671 | | |
672 | 0 | return ok; |
673 | 0 | } |
674 | | |
675 | | static int try_skey(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, |
676 | | const OSSL_PROVIDER *provider, OSSL_LIB_CTX *libctx, const char *propq) |
677 | 0 | { |
678 | 0 | EVP_SKEY *skey = NULL; |
679 | 0 | const char *skeymgmt_name = data->data_type == NULL |
680 | 0 | ? OSSL_SKEY_TYPE_GENERIC |
681 | 0 | : data->data_type; |
682 | 0 | size_t keysize = 0; |
683 | 0 | unsigned char *keybytes = NULL; |
684 | |
|
685 | 0 | if (data->object_type != OSSL_OBJECT_SKEY) |
686 | 0 | return 0; |
687 | | |
688 | 0 | if (data->octet_data != NULL) { |
689 | 0 | keysize = data->octet_data_size; |
690 | 0 | keybytes = (unsigned char *)data->octet_data; |
691 | 0 | skey = EVP_SKEY_import_raw_key(libctx, skeymgmt_name, |
692 | 0 | keybytes, keysize, propq); |
693 | 0 | } else if (data->ref != NULL) { |
694 | 0 | EVP_SKEYMGMT *skeymgmt = evp_skeymgmt_fetch_from_prov((OSSL_PROVIDER *)provider, |
695 | 0 | skeymgmt_name, propq); |
696 | 0 | OSSL_PARAM params[2]; |
697 | | |
698 | | /* |
699 | | * We got an internal reference from a particular provider so we need the SKEYMGMT |
700 | | * exactly from this provider |
701 | | */ |
702 | 0 | if (skeymgmt == NULL) |
703 | 0 | return 0; |
704 | | |
705 | 0 | keysize = data->ref_size; |
706 | 0 | keybytes = (unsigned char *)data->ref; |
707 | 0 | params[0] = OSSL_PARAM_construct_octet_ptr(OSSL_OBJECT_PARAM_REFERENCE, |
708 | 0 | (void **)&keybytes, keysize); |
709 | 0 | params[1] = OSSL_PARAM_construct_end(); |
710 | |
|
711 | 0 | skey = EVP_SKEY_import_SKEYMGMT(libctx, skeymgmt, OSSL_SKEYMGMT_SELECT_ALL, params); |
712 | 0 | } |
713 | | |
714 | 0 | if (skey != NULL) |
715 | 0 | *v = OSSL_STORE_INFO_new_SKEY(skey); |
716 | 0 | if (*v == NULL) |
717 | 0 | EVP_SKEY_free(skey); |
718 | |
|
719 | 0 | return 1; |
720 | 0 | } |