Coverage Report

Created: 2025-07-01 06:54

/work/mbedtls-2.28.8/library/pkparse.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  Public Key layer for parsing key files and structures
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
8
#include "common.h"
9
10
#if defined(MBEDTLS_PK_PARSE_C)
11
12
#include "mbedtls/pk.h"
13
#include "mbedtls/asn1.h"
14
#include "mbedtls/oid.h"
15
#include "mbedtls/platform_util.h"
16
#include "mbedtls/error.h"
17
18
#include <string.h>
19
20
#if defined(MBEDTLS_RSA_C)
21
#include "mbedtls/rsa.h"
22
#endif
23
#if defined(MBEDTLS_ECP_C)
24
#include "mbedtls/ecp.h"
25
#endif
26
#if defined(MBEDTLS_ECDSA_C)
27
#include "mbedtls/ecdsa.h"
28
#endif
29
#if defined(MBEDTLS_PEM_PARSE_C)
30
#include "mbedtls/pem.h"
31
#endif
32
#if defined(MBEDTLS_PKCS5_C)
33
#include "mbedtls/pkcs5.h"
34
#endif
35
#if defined(MBEDTLS_PKCS12_C)
36
#include "mbedtls/pkcs12.h"
37
#endif
38
39
#include "mbedtls/platform.h"
40
41
/* Parameter validation macros based on platform_util.h */
42
#define PK_VALIDATE_RET(cond)    \
43
0
    MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA)
44
#define PK_VALIDATE(cond)        \
45
    MBEDTLS_INTERNAL_VALIDATE(cond)
46
47
#if defined(MBEDTLS_FS_IO)
48
/*
49
 * Load all data from a file into a given buffer.
50
 *
51
 * The file is expected to contain either PEM or DER encoded data.
52
 * A terminating null byte is always appended. It is included in the announced
53
 * length only if the data looks like it is PEM encoded.
54
 */
55
int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n)
56
0
{
57
0
    FILE *f;
58
0
    long size;
59
60
0
    PK_VALIDATE_RET(path != NULL);
61
0
    PK_VALIDATE_RET(buf != NULL);
62
0
    PK_VALIDATE_RET(n != NULL);
63
64
0
    if ((f = fopen(path, "rb")) == NULL) {
65
0
        return MBEDTLS_ERR_PK_FILE_IO_ERROR;
66
0
    }
67
68
0
    fseek(f, 0, SEEK_END);
69
0
    if ((size = ftell(f)) == -1) {
70
0
        fclose(f);
71
0
        return MBEDTLS_ERR_PK_FILE_IO_ERROR;
72
0
    }
73
0
    fseek(f, 0, SEEK_SET);
74
75
0
    *n = (size_t) size;
76
77
0
    if (*n + 1 == 0 ||
78
0
        (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
79
0
        fclose(f);
80
0
        return MBEDTLS_ERR_PK_ALLOC_FAILED;
81
0
    }
82
83
0
    if (fread(*buf, 1, *n, f) != *n) {
84
0
        fclose(f);
85
86
0
        mbedtls_platform_zeroize(*buf, *n);
87
0
        mbedtls_free(*buf);
88
89
0
        return MBEDTLS_ERR_PK_FILE_IO_ERROR;
90
0
    }
91
92
0
    fclose(f);
93
94
0
    (*buf)[*n] = '\0';
95
96
0
    if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
97
0
        ++*n;
98
0
    }
99
100
0
    return 0;
101
0
}
102
103
/*
104
 * Load and parse a private key
105
 */
106
int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
107
                             const char *path, const char *pwd)
108
0
{
109
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
110
0
    size_t n;
111
0
    unsigned char *buf;
112
113
0
    PK_VALIDATE_RET(ctx != NULL);
114
0
    PK_VALIDATE_RET(path != NULL);
115
116
0
    if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
117
0
        return ret;
118
0
    }
119
120
0
    if (pwd == NULL) {
121
0
        ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0);
122
0
    } else {
123
0
        ret = mbedtls_pk_parse_key(ctx, buf, n,
124
0
                                   (const unsigned char *) pwd, strlen(pwd));
125
0
    }
126
127
0
    mbedtls_platform_zeroize(buf, n);
128
0
    mbedtls_free(buf);
129
130
0
    return ret;
131
0
}
132
133
/*
134
 * Load and parse a public key
135
 */
136
int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path)
137
0
{
138
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
139
0
    size_t n;
140
0
    unsigned char *buf;
141
142
0
    PK_VALIDATE_RET(ctx != NULL);
143
0
    PK_VALIDATE_RET(path != NULL);
144
145
0
    if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
146
0
        return ret;
147
0
    }
148
149
0
    ret = mbedtls_pk_parse_public_key(ctx, buf, n);
150
151
0
    mbedtls_platform_zeroize(buf, n);
152
0
    mbedtls_free(buf);
153
154
0
    return ret;
155
0
}
156
#endif /* MBEDTLS_FS_IO */
157
158
#if defined(MBEDTLS_ECP_C)
159
/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
160
 *
161
 * ECParameters ::= CHOICE {
162
 *   namedCurve         OBJECT IDENTIFIER
163
 *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
164
 *   -- implicitCurve   NULL
165
 * }
166
 */
167
static int pk_get_ecparams(unsigned char **p, const unsigned char *end,
168
                           mbedtls_asn1_buf *params)
169
0
{
170
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
171
172
0
    if (end - *p < 1) {
173
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
174
0
                                 MBEDTLS_ERR_ASN1_OUT_OF_DATA);
175
0
    }
176
177
    /* Tag may be either OID or SEQUENCE */
178
0
    params->tag = **p;
179
0
    if (params->tag != MBEDTLS_ASN1_OID
180
0
#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
181
0
        && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)
182
0
#endif
183
0
        ) {
184
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
185
0
                                 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
186
0
    }
187
188
0
    if ((ret = mbedtls_asn1_get_tag(p, end, &params->len, params->tag)) != 0) {
189
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
190
0
    }
191
192
0
    params->p = *p;
193
0
    *p += params->len;
194
195
0
    if (*p != end) {
196
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
197
0
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
198
0
    }
199
200
0
    return 0;
201
0
}
202
203
#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
204
/*
205
 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
206
 * WARNING: the resulting group should only be used with
207
 * pk_group_id_from_specified(), since its base point may not be set correctly
208
 * if it was encoded compressed.
209
 *
210
 *  SpecifiedECDomain ::= SEQUENCE {
211
 *      version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
212
 *      fieldID FieldID {{FieldTypes}},
213
 *      curve Curve,
214
 *      base ECPoint,
215
 *      order INTEGER,
216
 *      cofactor INTEGER OPTIONAL,
217
 *      hash HashAlgorithm OPTIONAL,
218
 *      ...
219
 *  }
220
 *
221
 * We only support prime-field as field type, and ignore hash and cofactor.
222
 */
223
static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
224
0
{
225
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
226
0
    unsigned char *p = params->p;
227
0
    const unsigned char * const end = params->p + params->len;
228
0
    const unsigned char *end_field, *end_curve;
229
0
    size_t len;
230
0
    int ver;
231
232
    /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
233
0
    if ((ret = mbedtls_asn1_get_int(&p, end, &ver)) != 0) {
234
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
235
0
    }
236
237
0
    if (ver < 1 || ver > 3) {
238
0
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
239
0
    }
240
241
    /*
242
     * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
243
     *       fieldType FIELD-ID.&id({IOSet}),
244
     *       parameters FIELD-ID.&Type({IOSet}{@fieldType})
245
     * }
246
     */
247
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
248
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
249
0
        return ret;
250
0
    }
251
252
0
    end_field = p + len;
253
254
    /*
255
     * FIELD-ID ::= TYPE-IDENTIFIER
256
     * FieldTypes FIELD-ID ::= {
257
     *       { Prime-p IDENTIFIED BY prime-field } |
258
     *       { Characteristic-two IDENTIFIED BY characteristic-two-field }
259
     * }
260
     * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
261
     */
262
0
    if ((ret = mbedtls_asn1_get_tag(&p, end_field, &len, MBEDTLS_ASN1_OID)) != 0) {
263
0
        return ret;
264
0
    }
265
266
0
    if (len != MBEDTLS_OID_SIZE(MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD) ||
267
0
        memcmp(p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len) != 0) {
268
0
        return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
269
0
    }
270
271
0
    p += len;
272
273
    /* Prime-p ::= INTEGER -- Field of size p. */
274
0
    if ((ret = mbedtls_asn1_get_mpi(&p, end_field, &grp->P)) != 0) {
275
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
276
0
    }
277
278
0
    grp->pbits = mbedtls_mpi_bitlen(&grp->P);
279
280
0
    if (p != end_field) {
281
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
282
0
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
283
0
    }
284
285
    /*
286
     * Curve ::= SEQUENCE {
287
     *       a FieldElement,
288
     *       b FieldElement,
289
     *       seed BIT STRING OPTIONAL
290
     *       -- Shall be present if used in SpecifiedECDomain
291
     *       -- with version equal to ecdpVer2 or ecdpVer3
292
     * }
293
     */
294
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
295
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
296
0
        return ret;
297
0
    }
298
299
0
    end_curve = p + len;
300
301
    /*
302
     * FieldElement ::= OCTET STRING
303
     * containing an integer in the case of a prime field
304
     */
305
0
    if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
306
0
        (ret = mbedtls_mpi_read_binary(&grp->A, p, len)) != 0) {
307
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
308
0
    }
309
310
0
    p += len;
311
312
0
    if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
313
0
        (ret = mbedtls_mpi_read_binary(&grp->B, p, len)) != 0) {
314
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
315
0
    }
316
317
0
    p += len;
318
319
    /* Ignore seed BIT STRING OPTIONAL */
320
0
    if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING)) == 0) {
321
0
        p += len;
322
0
    }
323
324
0
    if (p != end_curve) {
325
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
326
0
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
327
0
    }
328
329
    /*
330
     * ECPoint ::= OCTET STRING
331
     */
332
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
333
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
334
0
    }
335
336
0
    if ((ret = mbedtls_ecp_point_read_binary(grp, &grp->G,
337
0
                                             (const unsigned char *) p, len)) != 0) {
338
        /*
339
         * If we can't read the point because it's compressed, cheat by
340
         * reading only the X coordinate and the parity bit of Y.
341
         */
342
0
        if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
343
0
            (p[0] != 0x02 && p[0] != 0x03) ||
344
0
            len != mbedtls_mpi_size(&grp->P) + 1 ||
345
0
            mbedtls_mpi_read_binary(&grp->G.X, p + 1, len - 1) != 0 ||
346
0
            mbedtls_mpi_lset(&grp->G.Y, p[0] - 2) != 0 ||
347
0
            mbedtls_mpi_lset(&grp->G.Z, 1) != 0) {
348
0
            return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
349
0
        }
350
0
    }
351
352
0
    p += len;
353
354
    /*
355
     * order INTEGER
356
     */
357
0
    if ((ret = mbedtls_asn1_get_mpi(&p, end, &grp->N)) != 0) {
358
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
359
0
    }
360
361
0
    grp->nbits = mbedtls_mpi_bitlen(&grp->N);
362
363
    /*
364
     * Allow optional elements by purposefully not enforcing p == end here.
365
     */
366
367
0
    return 0;
368
0
}
369
370
/*
371
 * Find the group id associated with an (almost filled) group as generated by
372
 * pk_group_from_specified(), or return an error if unknown.
373
 */
374
static int pk_group_id_from_group(const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id)
375
0
{
376
0
    int ret = 0;
377
0
    mbedtls_ecp_group ref;
378
0
    const mbedtls_ecp_group_id *id;
379
380
0
    mbedtls_ecp_group_init(&ref);
381
382
0
    for (id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++) {
383
        /* Load the group associated to that id */
384
0
        mbedtls_ecp_group_free(&ref);
385
0
        MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ref, *id));
386
387
        /* Compare to the group we were given, starting with easy tests */
388
0
        if (grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
389
0
            mbedtls_mpi_cmp_mpi(&grp->P, &ref.P) == 0 &&
390
0
            mbedtls_mpi_cmp_mpi(&grp->A, &ref.A) == 0 &&
391
0
            mbedtls_mpi_cmp_mpi(&grp->B, &ref.B) == 0 &&
392
0
            mbedtls_mpi_cmp_mpi(&grp->N, &ref.N) == 0 &&
393
0
            mbedtls_mpi_cmp_mpi(&grp->G.X, &ref.G.X) == 0 &&
394
0
            mbedtls_mpi_cmp_mpi(&grp->G.Z, &ref.G.Z) == 0 &&
395
            /* For Y we may only know the parity bit, so compare only that */
396
0
            mbedtls_mpi_get_bit(&grp->G.Y, 0) == mbedtls_mpi_get_bit(&ref.G.Y, 0)) {
397
0
            break;
398
0
        }
399
400
0
    }
401
402
0
cleanup:
403
0
    mbedtls_ecp_group_free(&ref);
404
405
0
    *grp_id = *id;
406
407
0
    if (ret == 0 && *id == MBEDTLS_ECP_DP_NONE) {
408
0
        ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
409
0
    }
410
411
0
    return ret;
412
0
}
413
414
/*
415
 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
416
 */
417
static int pk_group_id_from_specified(const mbedtls_asn1_buf *params,
418
                                      mbedtls_ecp_group_id *grp_id)
419
0
{
420
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
421
0
    mbedtls_ecp_group grp;
422
423
0
    mbedtls_ecp_group_init(&grp);
424
425
0
    if ((ret = pk_group_from_specified(params, &grp)) != 0) {
426
0
        goto cleanup;
427
0
    }
428
429
0
    ret = pk_group_id_from_group(&grp, grp_id);
430
431
0
cleanup:
432
0
    mbedtls_ecp_group_free(&grp);
433
434
0
    return ret;
435
0
}
436
#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
437
438
/*
439
 * Use EC parameters to initialise an EC group
440
 *
441
 * ECParameters ::= CHOICE {
442
 *   namedCurve         OBJECT IDENTIFIER
443
 *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
444
 *   -- implicitCurve   NULL
445
 */
446
static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
447
0
{
448
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
449
0
    mbedtls_ecp_group_id grp_id;
450
451
0
    if (params->tag == MBEDTLS_ASN1_OID) {
452
0
        if (mbedtls_oid_get_ec_grp(params, &grp_id) != 0) {
453
0
            return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE;
454
0
        }
455
0
    } else {
456
0
#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
457
0
        if ((ret = pk_group_id_from_specified(params, &grp_id)) != 0) {
458
0
            return ret;
459
0
        }
460
#else
461
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
462
#endif
463
0
    }
464
465
    /*
466
     * grp may already be initialized; if so, make sure IDs match
467
     */
468
0
    if (grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id) {
469
0
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
470
0
    }
471
472
0
    if ((ret = mbedtls_ecp_group_load(grp, grp_id)) != 0) {
473
0
        return ret;
474
0
    }
475
476
0
    return 0;
477
0
}
478
479
/*
480
 * EC public key is an EC point
481
 *
482
 * The caller is responsible for clearing the structure upon failure if
483
 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
484
 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
485
 */
486
static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
487
                           mbedtls_ecp_keypair *key)
488
0
{
489
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
490
491
0
    if ((ret = mbedtls_ecp_point_read_binary(&key->grp, &key->Q,
492
0
                                             (const unsigned char *) *p, end - *p)) == 0) {
493
0
        ret = mbedtls_ecp_check_pubkey(&key->grp, &key->Q);
494
0
    }
495
496
    /*
497
     * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
498
     */
499
0
    *p = (unsigned char *) end;
500
501
0
    return ret;
502
0
}
503
#endif /* MBEDTLS_ECP_C */
504
505
#if defined(MBEDTLS_RSA_C)
506
/*
507
 *  RSAPublicKey ::= SEQUENCE {
508
 *      modulus           INTEGER,  -- n
509
 *      publicExponent    INTEGER   -- e
510
 *  }
511
 */
512
static int pk_get_rsapubkey(unsigned char **p,
513
                            const unsigned char *end,
514
                            mbedtls_rsa_context *rsa)
515
0
{
516
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
517
0
    size_t len;
518
519
0
    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
520
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
521
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
522
0
    }
523
524
0
    if (*p + len != end) {
525
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
526
0
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
527
0
    }
528
529
    /* Import N */
530
0
    if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
531
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
532
0
    }
533
534
0
    if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0,
535
0
                                      NULL, 0, NULL, 0)) != 0) {
536
0
        return MBEDTLS_ERR_PK_INVALID_PUBKEY;
537
0
    }
538
539
0
    *p += len;
540
541
    /* Import E */
542
0
    if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
543
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
544
0
    }
545
546
0
    if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
547
0
                                      NULL, 0, *p, len)) != 0) {
548
0
        return MBEDTLS_ERR_PK_INVALID_PUBKEY;
549
0
    }
550
551
0
    *p += len;
552
553
0
    if (mbedtls_rsa_complete(rsa) != 0 ||
554
0
        mbedtls_rsa_check_pubkey(rsa) != 0) {
555
0
        return MBEDTLS_ERR_PK_INVALID_PUBKEY;
556
0
    }
557
558
0
    if (*p != end) {
559
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
560
0
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
561
0
    }
562
563
0
    return 0;
564
0
}
565
#endif /* MBEDTLS_RSA_C */
566
567
/* Get a PK algorithm identifier
568
 *
569
 *  AlgorithmIdentifier  ::=  SEQUENCE  {
570
 *       algorithm               OBJECT IDENTIFIER,
571
 *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
572
 */
573
static int pk_get_pk_alg(unsigned char **p,
574
                         const unsigned char *end,
575
                         mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params)
576
0
{
577
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
578
0
    mbedtls_asn1_buf alg_oid;
579
580
0
    memset(params, 0, sizeof(mbedtls_asn1_buf));
581
582
0
    if ((ret = mbedtls_asn1_get_alg(p, end, &alg_oid, params)) != 0) {
583
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_ALG, ret);
584
0
    }
585
586
0
    if (mbedtls_oid_get_pk_alg(&alg_oid, pk_alg) != 0) {
587
0
        return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
588
0
    }
589
590
    /*
591
     * No parameters with RSA (only for EC)
592
     */
593
0
    if (*pk_alg == MBEDTLS_PK_RSA &&
594
0
        ((params->tag != MBEDTLS_ASN1_NULL && params->tag != 0) ||
595
0
         params->len != 0)) {
596
0
        return MBEDTLS_ERR_PK_INVALID_ALG;
597
0
    }
598
599
0
    return 0;
600
0
}
601
602
/*
603
 *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
604
 *       algorithm            AlgorithmIdentifier,
605
 *       subjectPublicKey     BIT STRING }
606
 */
607
int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
608
                               mbedtls_pk_context *pk)
609
0
{
610
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
611
0
    size_t len;
612
0
    mbedtls_asn1_buf alg_params;
613
0
    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
614
0
    const mbedtls_pk_info_t *pk_info;
615
616
0
    PK_VALIDATE_RET(p != NULL);
617
0
    PK_VALIDATE_RET(*p != NULL);
618
0
    PK_VALIDATE_RET(end != NULL);
619
0
    PK_VALIDATE_RET(pk != NULL);
620
621
0
    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
622
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
623
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
624
0
    }
625
626
0
    end = *p + len;
627
628
0
    if ((ret = pk_get_pk_alg(p, end, &pk_alg, &alg_params)) != 0) {
629
0
        return ret;
630
0
    }
631
632
0
    if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) {
633
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
634
0
    }
635
636
0
    if (*p + len != end) {
637
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
638
0
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
639
0
    }
640
641
0
    if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
642
0
        return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
643
0
    }
644
645
0
    if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
646
0
        return ret;
647
0
    }
648
649
0
#if defined(MBEDTLS_RSA_C)
650
0
    if (pk_alg == MBEDTLS_PK_RSA) {
651
0
        ret = pk_get_rsapubkey(p, end, mbedtls_pk_rsa(*pk));
652
0
    } else
653
0
#endif /* MBEDTLS_RSA_C */
654
0
#if defined(MBEDTLS_ECP_C)
655
0
    if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) {
656
0
        ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec(*pk)->grp);
657
0
        if (ret == 0) {
658
0
            ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec(*pk));
659
0
        }
660
0
    } else
661
0
#endif /* MBEDTLS_ECP_C */
662
0
    ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
663
664
0
    if (ret == 0 && *p != end) {
665
0
        ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
666
0
                                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
667
0
    }
668
669
0
    if (ret != 0) {
670
0
        mbedtls_pk_free(pk);
671
0
    }
672
673
0
    return ret;
674
0
}
675
676
#if defined(MBEDTLS_RSA_C)
677
/*
678
 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
679
 *
680
 * The value zero is:
681
 * - never a valid value for an RSA parameter
682
 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
683
 *
684
 * Since values can't be omitted in PKCS#1, passing a zero value to
685
 * rsa_complete() would be incorrect, so reject zero values early.
686
 */
687
static int asn1_get_nonzero_mpi(unsigned char **p,
688
                                const unsigned char *end,
689
                                mbedtls_mpi *X)
690
0
{
691
0
    int ret;
692
693
0
    ret = mbedtls_asn1_get_mpi(p, end, X);
694
0
    if (ret != 0) {
695
0
        return ret;
696
0
    }
697
698
0
    if (mbedtls_mpi_cmp_int(X, 0) == 0) {
699
0
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
700
0
    }
701
702
0
    return 0;
703
0
}
704
705
/*
706
 * Parse a PKCS#1 encoded private RSA key
707
 */
708
static int pk_parse_key_pkcs1_der(mbedtls_rsa_context *rsa,
709
                                  const unsigned char *key,
710
                                  size_t keylen)
711
0
{
712
0
    int ret, version;
713
0
    size_t len;
714
0
    unsigned char *p, *end;
715
716
0
    mbedtls_mpi T;
717
0
    mbedtls_mpi_init(&T);
718
719
0
    p = (unsigned char *) key;
720
0
    end = p + keylen;
721
722
    /*
723
     * This function parses the RSAPrivateKey (PKCS#1)
724
     *
725
     *  RSAPrivateKey ::= SEQUENCE {
726
     *      version           Version,
727
     *      modulus           INTEGER,  -- n
728
     *      publicExponent    INTEGER,  -- e
729
     *      privateExponent   INTEGER,  -- d
730
     *      prime1            INTEGER,  -- p
731
     *      prime2            INTEGER,  -- q
732
     *      exponent1         INTEGER,  -- d mod (p-1)
733
     *      exponent2         INTEGER,  -- d mod (q-1)
734
     *      coefficient       INTEGER,  -- (inverse of q) mod p
735
     *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
736
     *  }
737
     */
738
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
739
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
740
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
741
0
    }
742
743
0
    end = p + len;
744
745
0
    if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
746
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
747
0
    }
748
749
0
    if (version != 0) {
750
0
        return MBEDTLS_ERR_PK_KEY_INVALID_VERSION;
751
0
    }
752
753
    /* Import N */
754
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
755
0
        (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL,
756
0
                                  NULL, NULL)) != 0) {
757
0
        goto cleanup;
758
0
    }
759
760
    /* Import E */
761
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
762
0
        (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
763
0
                                  NULL, &T)) != 0) {
764
0
        goto cleanup;
765
0
    }
766
767
    /* Import D */
768
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
769
0
        (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
770
0
                                  &T, NULL)) != 0) {
771
0
        goto cleanup;
772
0
    }
773
774
    /* Import P */
775
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
776
0
        (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL,
777
0
                                  NULL, NULL)) != 0) {
778
0
        goto cleanup;
779
0
    }
780
781
    /* Import Q */
782
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
783
0
        (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T,
784
0
                                  NULL, NULL)) != 0) {
785
0
        goto cleanup;
786
0
    }
787
788
0
#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
789
    /*
790
     * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
791
     * that they can be easily recomputed from D, P and Q. However by
792
     * parsing them from the PKCS1 structure it is possible to avoid
793
     * recalculating them which both reduces the overhead of loading
794
     * RSA private keys into memory and also avoids side channels which
795
     * can arise when computing those values, since all of D, P, and Q
796
     * are secret. See https://eprint.iacr.org/2020/055 for a
797
     * description of one such attack.
798
     */
799
800
    /* Import DP */
801
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
802
0
        (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) {
803
0
        goto cleanup;
804
0
    }
805
806
    /* Import DQ */
807
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
808
0
        (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) {
809
0
        goto cleanup;
810
0
    }
811
812
    /* Import QP */
813
0
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
814
0
        (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) {
815
0
        goto cleanup;
816
0
    }
817
818
#else
819
    /* Verify existence of the CRT params */
820
    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
821
        (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
822
        (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) {
823
        goto cleanup;
824
    }
825
#endif
826
827
    /* rsa_complete() doesn't complete anything with the default
828
     * implementation but is still called:
829
     * - for the benefit of alternative implementation that may want to
830
     *   pre-compute stuff beyond what's provided (eg Montgomery factors)
831
     * - as is also sanity-checks the key
832
     *
833
     * Furthermore, we also check the public part for consistency with
834
     * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
835
     */
836
0
    if ((ret = mbedtls_rsa_complete(rsa)) != 0 ||
837
0
        (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) {
838
0
        goto cleanup;
839
0
    }
840
841
0
    if (p != end) {
842
0
        ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
843
0
                                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
844
0
    }
845
846
0
cleanup:
847
848
0
    mbedtls_mpi_free(&T);
849
850
0
    if (ret != 0) {
851
        /* Wrap error code if it's coming from a lower level */
852
0
        if ((ret & 0xff80) == 0) {
853
0
            ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
854
0
        } else {
855
0
            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
856
0
        }
857
858
0
        mbedtls_rsa_free(rsa);
859
0
    }
860
861
0
    return ret;
862
0
}
863
#endif /* MBEDTLS_RSA_C */
864
865
#if defined(MBEDTLS_ECP_C)
866
/*
867
 * Parse a SEC1 encoded private EC key
868
 */
869
static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
870
                                 const unsigned char *key,
871
                                 size_t keylen)
872
0
{
873
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
874
0
    int version, pubkey_done;
875
0
    size_t len;
876
0
    mbedtls_asn1_buf params;
877
0
    unsigned char *p = (unsigned char *) key;
878
0
    unsigned char *end = p + keylen;
879
0
    unsigned char *end2;
880
881
    /*
882
     * RFC 5915, or SEC1 Appendix C.4
883
     *
884
     * ECPrivateKey ::= SEQUENCE {
885
     *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
886
     *      privateKey     OCTET STRING,
887
     *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
888
     *      publicKey  [1] BIT STRING OPTIONAL
889
     *    }
890
     */
891
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
892
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
893
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
894
0
    }
895
896
0
    end = p + len;
897
898
0
    if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
899
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
900
0
    }
901
902
0
    if (version != 1) {
903
0
        return MBEDTLS_ERR_PK_KEY_INVALID_VERSION;
904
0
    }
905
906
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
907
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
908
0
    }
909
910
0
    if ((ret = mbedtls_mpi_read_binary(&eck->d, p, len)) != 0) {
911
0
        mbedtls_ecp_keypair_free(eck);
912
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
913
0
    }
914
915
0
    p += len;
916
917
0
    pubkey_done = 0;
918
0
    if (p != end) {
919
        /*
920
         * Is 'parameters' present?
921
         */
922
0
        if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
923
0
                                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
924
0
                                        0)) == 0) {
925
0
            if ((ret = pk_get_ecparams(&p, p + len, &params)) != 0 ||
926
0
                (ret = pk_use_ecparams(&params, &eck->grp)) != 0) {
927
0
                mbedtls_ecp_keypair_free(eck);
928
0
                return ret;
929
0
            }
930
0
        } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
931
0
            mbedtls_ecp_keypair_free(eck);
932
0
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
933
0
        }
934
0
    }
935
936
0
    if (p != end) {
937
        /*
938
         * Is 'publickey' present? If not, or if we can't read it (eg because it
939
         * is compressed), create it from the private key.
940
         */
941
0
        if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
942
0
                                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
943
0
                                        1)) == 0) {
944
0
            end2 = p + len;
945
946
0
            if ((ret = mbedtls_asn1_get_bitstring_null(&p, end2, &len)) != 0) {
947
0
                return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
948
0
            }
949
950
0
            if (p + len != end2) {
951
0
                return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
952
0
                                         MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
953
0
            }
954
955
0
            if ((ret = pk_get_ecpubkey(&p, end2, eck)) == 0) {
956
0
                pubkey_done = 1;
957
0
            } else {
958
                /*
959
                 * The only acceptable failure mode of pk_get_ecpubkey() above
960
                 * is if the point format is not recognized.
961
                 */
962
0
                if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) {
963
0
                    return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
964
0
                }
965
0
            }
966
0
        } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
967
0
            mbedtls_ecp_keypair_free(eck);
968
0
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
969
0
        }
970
0
    }
971
972
0
    if (!pubkey_done &&
973
0
        (ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G,
974
0
                               NULL, NULL)) != 0) {
975
0
        mbedtls_ecp_keypair_free(eck);
976
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
977
0
    }
978
979
0
    if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
980
0
        mbedtls_ecp_keypair_free(eck);
981
0
        return ret;
982
0
    }
983
984
0
    return 0;
985
0
}
986
#endif /* MBEDTLS_ECP_C */
987
988
/*
989
 * Parse an unencrypted PKCS#8 encoded private key
990
 *
991
 * Notes:
992
 *
993
 * - This function does not own the key buffer. It is the
994
 *   responsibility of the caller to take care of zeroizing
995
 *   and freeing it after use.
996
 *
997
 * - The function is responsible for freeing the provided
998
 *   PK context on failure.
999
 *
1000
 */
1001
static int pk_parse_key_pkcs8_unencrypted_der(
1002
    mbedtls_pk_context *pk,
1003
    const unsigned char *key,
1004
    size_t keylen)
1005
0
{
1006
0
    int ret, version;
1007
0
    size_t len;
1008
0
    mbedtls_asn1_buf params;
1009
0
    unsigned char *p = (unsigned char *) key;
1010
0
    unsigned char *end = p + keylen;
1011
0
    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
1012
0
    const mbedtls_pk_info_t *pk_info;
1013
1014
    /*
1015
     * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
1016
     *
1017
     *    PrivateKeyInfo ::= SEQUENCE {
1018
     *      version                   Version,
1019
     *      privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
1020
     *      privateKey                PrivateKey,
1021
     *      attributes           [0]  IMPLICIT Attributes OPTIONAL }
1022
     *
1023
     *    Version ::= INTEGER
1024
     *    PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
1025
     *    PrivateKey ::= OCTET STRING
1026
     *
1027
     *  The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
1028
     */
1029
1030
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1031
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1032
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
1033
0
    }
1034
1035
0
    end = p + len;
1036
1037
0
    if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
1038
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
1039
0
    }
1040
1041
0
    if (version != 0) {
1042
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret);
1043
0
    }
1044
1045
0
    if ((ret = pk_get_pk_alg(&p, end, &pk_alg, &params)) != 0) {
1046
0
        return ret;
1047
0
    }
1048
1049
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
1050
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
1051
0
    }
1052
1053
0
    if (len < 1) {
1054
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
1055
0
                                 MBEDTLS_ERR_ASN1_OUT_OF_DATA);
1056
0
    }
1057
1058
0
    if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
1059
0
        return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
1060
0
    }
1061
1062
0
    if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
1063
0
        return ret;
1064
0
    }
1065
1066
0
#if defined(MBEDTLS_RSA_C)
1067
0
    if (pk_alg == MBEDTLS_PK_RSA) {
1068
0
        if ((ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), p, len)) != 0) {
1069
0
            mbedtls_pk_free(pk);
1070
0
            return ret;
1071
0
        }
1072
0
    } else
1073
0
#endif /* MBEDTLS_RSA_C */
1074
0
#if defined(MBEDTLS_ECP_C)
1075
0
    if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) {
1076
0
        if ((ret = pk_use_ecparams(&params, &mbedtls_pk_ec(*pk)->grp)) != 0 ||
1077
0
            (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), p, len)) != 0) {
1078
0
            mbedtls_pk_free(pk);
1079
0
            return ret;
1080
0
        }
1081
0
    } else
1082
0
#endif /* MBEDTLS_ECP_C */
1083
0
    return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
1084
1085
0
    return 0;
1086
0
}
1087
1088
/*
1089
 * Parse an encrypted PKCS#8 encoded private key
1090
 *
1091
 * To save space, the decryption happens in-place on the given key buffer.
1092
 * Also, while this function may modify the keybuffer, it doesn't own it,
1093
 * and instead it is the responsibility of the caller to zeroize and properly
1094
 * free it after use.
1095
 *
1096
 */
1097
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1098
static int pk_parse_key_pkcs8_encrypted_der(
1099
    mbedtls_pk_context *pk,
1100
    unsigned char *key, size_t keylen,
1101
    const unsigned char *pwd, size_t pwdlen)
1102
0
{
1103
0
    int ret, decrypted = 0;
1104
0
    size_t len;
1105
0
    unsigned char *buf;
1106
0
    unsigned char *p, *end;
1107
0
    mbedtls_asn1_buf pbe_alg_oid, pbe_params;
1108
0
#if defined(MBEDTLS_PKCS12_C)
1109
0
    mbedtls_cipher_type_t cipher_alg;
1110
0
    mbedtls_md_type_t md_alg;
1111
0
#endif
1112
1113
0
    p = key;
1114
0
    end = p + keylen;
1115
1116
0
    if (pwdlen == 0) {
1117
0
        return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
1118
0
    }
1119
1120
    /*
1121
     * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
1122
     *
1123
     *  EncryptedPrivateKeyInfo ::= SEQUENCE {
1124
     *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
1125
     *    encryptedData        EncryptedData
1126
     *  }
1127
     *
1128
     *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1129
     *
1130
     *  EncryptedData ::= OCTET STRING
1131
     *
1132
     *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
1133
     *
1134
     */
1135
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1136
0
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1137
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
1138
0
    }
1139
1140
0
    end = p + len;
1141
1142
0
    if ((ret = mbedtls_asn1_get_alg(&p, end, &pbe_alg_oid, &pbe_params)) != 0) {
1143
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
1144
0
    }
1145
1146
0
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
1147
0
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
1148
0
    }
1149
1150
0
    buf = p;
1151
1152
    /*
1153
     * Decrypt EncryptedData with appropriate PBE
1154
     */
1155
0
#if defined(MBEDTLS_PKCS12_C)
1156
0
    if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
1157
0
        if ((ret = mbedtls_pkcs12_pbe(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
1158
0
                                      cipher_alg, md_alg,
1159
0
                                      pwd, pwdlen, p, len, buf)) != 0) {
1160
0
            if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
1161
0
                return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
1162
0
            }
1163
1164
0
            return ret;
1165
0
        }
1166
1167
0
        decrypted = 1;
1168
0
    } else if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid) == 0) {
1169
0
        if ((ret = mbedtls_pkcs12_pbe_sha1_rc4_128(&pbe_params,
1170
0
                                                   MBEDTLS_PKCS12_PBE_DECRYPT,
1171
0
                                                   pwd, pwdlen,
1172
0
                                                   p, len, buf)) != 0) {
1173
0
            return ret;
1174
0
        }
1175
1176
        // Best guess for password mismatch when using RC4. If first tag is
1177
        // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
1178
        //
1179
0
        if (*buf != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
1180
0
            return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
1181
0
        }
1182
1183
0
        decrypted = 1;
1184
0
    } else
1185
0
#endif /* MBEDTLS_PKCS12_C */
1186
0
#if defined(MBEDTLS_PKCS5_C)
1187
0
    if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
1188
0
        if ((ret = mbedtls_pkcs5_pbes2(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
1189
0
                                       p, len, buf)) != 0) {
1190
0
            if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
1191
0
                return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
1192
0
            }
1193
1194
0
            return ret;
1195
0
        }
1196
1197
0
        decrypted = 1;
1198
0
    } else
1199
0
#endif /* MBEDTLS_PKCS5_C */
1200
0
    {
1201
0
        ((void) pwd);
1202
0
    }
1203
1204
0
    if (decrypted == 0) {
1205
0
        return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1206
0
    }
1207
1208
0
    return pk_parse_key_pkcs8_unencrypted_der(pk, buf, len);
1209
0
}
1210
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1211
1212
/*
1213
 * Parse a private key
1214
 */
1215
int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
1216
                         const unsigned char *key, size_t keylen,
1217
                         const unsigned char *pwd, size_t pwdlen)
1218
0
{
1219
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1220
0
    const mbedtls_pk_info_t *pk_info;
1221
0
#if defined(MBEDTLS_PEM_PARSE_C)
1222
0
    size_t len;
1223
0
    mbedtls_pem_context pem;
1224
0
#endif
1225
1226
0
    (void) pk_info;
1227
1228
0
    PK_VALIDATE_RET(pk != NULL);
1229
0
    if (keylen == 0) {
1230
0
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
1231
0
    }
1232
0
    PK_VALIDATE_RET(key != NULL);
1233
1234
0
#if defined(MBEDTLS_PEM_PARSE_C)
1235
0
    mbedtls_pem_init(&pem);
1236
1237
0
#if defined(MBEDTLS_RSA_C)
1238
    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1239
0
    if (key[keylen - 1] != '\0') {
1240
0
        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1241
0
    } else {
1242
0
        ret = mbedtls_pem_read_buffer(&pem,
1243
0
                                      "-----BEGIN RSA PRIVATE KEY-----",
1244
0
                                      "-----END RSA PRIVATE KEY-----",
1245
0
                                      key, pwd, pwdlen, &len);
1246
0
    }
1247
1248
0
    if (ret == 0) {
1249
0
        pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
1250
0
        if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
1251
0
            (ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk),
1252
0
                                          pem.buf, pem.buflen)) != 0) {
1253
0
            mbedtls_pk_free(pk);
1254
0
        }
1255
1256
0
        mbedtls_pem_free(&pem);
1257
0
        return ret;
1258
0
    } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
1259
0
        return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
1260
0
    } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
1261
0
        return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
1262
0
    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1263
0
        return ret;
1264
0
    }
1265
0
#endif /* MBEDTLS_RSA_C */
1266
1267
0
#if defined(MBEDTLS_ECP_C)
1268
    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1269
0
    if (key[keylen - 1] != '\0') {
1270
0
        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1271
0
    } else {
1272
0
        ret = mbedtls_pem_read_buffer(&pem,
1273
0
                                      "-----BEGIN EC PRIVATE KEY-----",
1274
0
                                      "-----END EC PRIVATE KEY-----",
1275
0
                                      key, pwd, pwdlen, &len);
1276
0
    }
1277
0
    if (ret == 0) {
1278
0
        pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
1279
1280
0
        if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
1281
0
            (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
1282
0
                                         pem.buf, pem.buflen)) != 0) {
1283
0
            mbedtls_pk_free(pk);
1284
0
        }
1285
1286
0
        mbedtls_pem_free(&pem);
1287
0
        return ret;
1288
0
    } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
1289
0
        return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
1290
0
    } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
1291
0
        return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
1292
0
    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1293
0
        return ret;
1294
0
    }
1295
0
#endif /* MBEDTLS_ECP_C */
1296
1297
    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1298
0
    if (key[keylen - 1] != '\0') {
1299
0
        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1300
0
    } else {
1301
0
        ret = mbedtls_pem_read_buffer(&pem,
1302
0
                                      "-----BEGIN PRIVATE KEY-----",
1303
0
                                      "-----END PRIVATE KEY-----",
1304
0
                                      key, NULL, 0, &len);
1305
0
    }
1306
0
    if (ret == 0) {
1307
0
        if ((ret = pk_parse_key_pkcs8_unencrypted_der(pk,
1308
0
                                                      pem.buf, pem.buflen)) != 0) {
1309
0
            mbedtls_pk_free(pk);
1310
0
        }
1311
1312
0
        mbedtls_pem_free(&pem);
1313
0
        return ret;
1314
0
    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1315
0
        return ret;
1316
0
    }
1317
1318
0
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1319
    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1320
0
    if (key[keylen - 1] != '\0') {
1321
0
        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1322
0
    } else {
1323
0
        ret = mbedtls_pem_read_buffer(&pem,
1324
0
                                      "-----BEGIN ENCRYPTED PRIVATE KEY-----",
1325
0
                                      "-----END ENCRYPTED PRIVATE KEY-----",
1326
0
                                      key, NULL, 0, &len);
1327
0
    }
1328
0
    if (ret == 0) {
1329
0
        if ((ret = pk_parse_key_pkcs8_encrypted_der(pk,
1330
0
                                                    pem.buf, pem.buflen,
1331
0
                                                    pwd, pwdlen)) != 0) {
1332
0
            mbedtls_pk_free(pk);
1333
0
        }
1334
1335
0
        mbedtls_pem_free(&pem);
1336
0
        return ret;
1337
0
    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1338
0
        return ret;
1339
0
    }
1340
0
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1341
#else
1342
    ((void) pwd);
1343
    ((void) pwdlen);
1344
#endif /* MBEDTLS_PEM_PARSE_C */
1345
1346
    /*
1347
     * At this point we only know it's not a PEM formatted key. Could be any
1348
     * of the known DER encoded private key formats
1349
     *
1350
     * We try the different DER format parsers to see if one passes without
1351
     * error
1352
     */
1353
0
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1354
0
    {
1355
0
        unsigned char *key_copy;
1356
1357
0
        if ((key_copy = mbedtls_calloc(1, keylen)) == NULL) {
1358
0
            return MBEDTLS_ERR_PK_ALLOC_FAILED;
1359
0
        }
1360
1361
0
        memcpy(key_copy, key, keylen);
1362
1363
0
        ret = pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
1364
0
                                               pwd, pwdlen);
1365
1366
0
        mbedtls_platform_zeroize(key_copy, keylen);
1367
0
        mbedtls_free(key_copy);
1368
0
    }
1369
1370
0
    if (ret == 0) {
1371
0
        return 0;
1372
0
    }
1373
1374
0
    mbedtls_pk_free(pk);
1375
0
    mbedtls_pk_init(pk);
1376
1377
0
    if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) {
1378
0
        return ret;
1379
0
    }
1380
0
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1381
1382
0
    ret = pk_parse_key_pkcs8_unencrypted_der(pk, key, keylen);
1383
0
    if (ret == 0) {
1384
0
        return 0;
1385
0
    }
1386
1387
0
    mbedtls_pk_free(pk);
1388
0
    mbedtls_pk_init(pk);
1389
1390
0
#if defined(MBEDTLS_RSA_C)
1391
1392
0
    pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
1393
0
    if (mbedtls_pk_setup(pk, pk_info) == 0 &&
1394
0
        pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), key, keylen) == 0) {
1395
0
        return 0;
1396
0
    }
1397
1398
0
    mbedtls_pk_free(pk);
1399
0
    mbedtls_pk_init(pk);
1400
0
#endif /* MBEDTLS_RSA_C */
1401
1402
0
#if defined(MBEDTLS_ECP_C)
1403
0
    pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
1404
0
    if (mbedtls_pk_setup(pk, pk_info) == 0 &&
1405
0
        pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
1406
0
                              key, keylen) == 0) {
1407
0
        return 0;
1408
0
    }
1409
0
    mbedtls_pk_free(pk);
1410
0
#endif /* MBEDTLS_ECP_C */
1411
1412
    /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
1413
     * it is ok to leave the PK context initialized but not
1414
     * freed: It is the caller's responsibility to call pk_init()
1415
     * before calling this function, and to call pk_free()
1416
     * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
1417
     * isn't, this leads to mbedtls_pk_free() being called
1418
     * twice, once here and once by the caller, but this is
1419
     * also ok and in line with the mbedtls_pk_free() calls
1420
     * on failed PEM parsing attempts. */
1421
1422
0
    return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
1423
0
}
1424
1425
/*
1426
 * Parse a public key
1427
 */
1428
int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
1429
                                const unsigned char *key, size_t keylen)
1430
0
{
1431
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1432
0
    unsigned char *p;
1433
0
#if defined(MBEDTLS_RSA_C)
1434
0
    const mbedtls_pk_info_t *pk_info;
1435
0
#endif
1436
0
#if defined(MBEDTLS_PEM_PARSE_C)
1437
0
    size_t len;
1438
0
    mbedtls_pem_context pem;
1439
0
#endif
1440
1441
0
    PK_VALIDATE_RET(ctx != NULL);
1442
0
    if (keylen == 0) {
1443
0
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
1444
0
    }
1445
0
    PK_VALIDATE_RET(key != NULL || keylen == 0);
1446
1447
0
#if defined(MBEDTLS_PEM_PARSE_C)
1448
0
    mbedtls_pem_init(&pem);
1449
0
#if defined(MBEDTLS_RSA_C)
1450
    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1451
0
    if (key[keylen - 1] != '\0') {
1452
0
        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1453
0
    } else {
1454
0
        ret = mbedtls_pem_read_buffer(&pem,
1455
0
                                      "-----BEGIN RSA PUBLIC KEY-----",
1456
0
                                      "-----END RSA PUBLIC KEY-----",
1457
0
                                      key, NULL, 0, &len);
1458
0
    }
1459
1460
0
    if (ret == 0) {
1461
0
        p = pem.buf;
1462
0
        if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
1463
0
            mbedtls_pem_free(&pem);
1464
0
            return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
1465
0
        }
1466
1467
0
        if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
1468
0
            mbedtls_pem_free(&pem);
1469
0
            return ret;
1470
0
        }
1471
1472
0
        if ((ret = pk_get_rsapubkey(&p, p + pem.buflen, mbedtls_pk_rsa(*ctx))) != 0) {
1473
0
            mbedtls_pk_free(ctx);
1474
0
        }
1475
1476
0
        mbedtls_pem_free(&pem);
1477
0
        return ret;
1478
0
    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1479
0
        mbedtls_pem_free(&pem);
1480
0
        return ret;
1481
0
    }
1482
0
#endif /* MBEDTLS_RSA_C */
1483
1484
    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1485
0
    if (key[keylen - 1] != '\0') {
1486
0
        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1487
0
    } else {
1488
0
        ret = mbedtls_pem_read_buffer(&pem,
1489
0
                                      "-----BEGIN PUBLIC KEY-----",
1490
0
                                      "-----END PUBLIC KEY-----",
1491
0
                                      key, NULL, 0, &len);
1492
0
    }
1493
1494
0
    if (ret == 0) {
1495
        /*
1496
         * Was PEM encoded
1497
         */
1498
0
        p = pem.buf;
1499
1500
0
        ret = mbedtls_pk_parse_subpubkey(&p,  p + pem.buflen, ctx);
1501
0
        mbedtls_pem_free(&pem);
1502
0
        return ret;
1503
0
    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1504
0
        mbedtls_pem_free(&pem);
1505
0
        return ret;
1506
0
    }
1507
0
    mbedtls_pem_free(&pem);
1508
0
#endif /* MBEDTLS_PEM_PARSE_C */
1509
1510
0
#if defined(MBEDTLS_RSA_C)
1511
0
    if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
1512
0
        return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
1513
0
    }
1514
1515
0
    if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
1516
0
        return ret;
1517
0
    }
1518
1519
0
    p = (unsigned char *) key;
1520
0
    ret = pk_get_rsapubkey(&p, p + keylen, mbedtls_pk_rsa(*ctx));
1521
0
    if (ret == 0) {
1522
0
        return ret;
1523
0
    }
1524
0
    mbedtls_pk_free(ctx);
1525
0
    if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
1526
0
                                  MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))) {
1527
0
        return ret;
1528
0
    }
1529
0
#endif /* MBEDTLS_RSA_C */
1530
0
    p = (unsigned char *) key;
1531
1532
0
    ret = mbedtls_pk_parse_subpubkey(&p, p + keylen, ctx);
1533
1534
0
    return ret;
1535
0
}
1536
1537
#endif /* MBEDTLS_PK_PARSE_C */