/work/mbedtls-2.28.8/library/pkparse.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Public Key layer for parsing key files and structures |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | |
8 | | #include "common.h" |
9 | | |
10 | | #if defined(MBEDTLS_PK_PARSE_C) |
11 | | |
12 | | #include "mbedtls/pk.h" |
13 | | #include "mbedtls/asn1.h" |
14 | | #include "mbedtls/oid.h" |
15 | | #include "mbedtls/platform_util.h" |
16 | | #include "mbedtls/error.h" |
17 | | |
18 | | #include <string.h> |
19 | | |
20 | | #if defined(MBEDTLS_RSA_C) |
21 | | #include "mbedtls/rsa.h" |
22 | | #endif |
23 | | #if defined(MBEDTLS_ECP_C) |
24 | | #include "mbedtls/ecp.h" |
25 | | #endif |
26 | | #if defined(MBEDTLS_ECDSA_C) |
27 | | #include "mbedtls/ecdsa.h" |
28 | | #endif |
29 | | #if defined(MBEDTLS_PEM_PARSE_C) |
30 | | #include "mbedtls/pem.h" |
31 | | #endif |
32 | | #if defined(MBEDTLS_PKCS5_C) |
33 | | #include "mbedtls/pkcs5.h" |
34 | | #endif |
35 | | #if defined(MBEDTLS_PKCS12_C) |
36 | | #include "mbedtls/pkcs12.h" |
37 | | #endif |
38 | | |
39 | | #include "mbedtls/platform.h" |
40 | | |
41 | | /* Parameter validation macros based on platform_util.h */ |
42 | | #define PK_VALIDATE_RET(cond) \ |
43 | 0 | MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA) |
44 | | #define PK_VALIDATE(cond) \ |
45 | | MBEDTLS_INTERNAL_VALIDATE(cond) |
46 | | |
47 | | #if defined(MBEDTLS_FS_IO) |
48 | | /* |
49 | | * Load all data from a file into a given buffer. |
50 | | * |
51 | | * The file is expected to contain either PEM or DER encoded data. |
52 | | * A terminating null byte is always appended. It is included in the announced |
53 | | * length only if the data looks like it is PEM encoded. |
54 | | */ |
55 | | int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n) |
56 | 0 | { |
57 | 0 | FILE *f; |
58 | 0 | long size; |
59 | |
|
60 | 0 | PK_VALIDATE_RET(path != NULL); |
61 | 0 | PK_VALIDATE_RET(buf != NULL); |
62 | 0 | PK_VALIDATE_RET(n != NULL); |
63 | |
|
64 | 0 | if ((f = fopen(path, "rb")) == NULL) { |
65 | 0 | return MBEDTLS_ERR_PK_FILE_IO_ERROR; |
66 | 0 | } |
67 | | |
68 | 0 | fseek(f, 0, SEEK_END); |
69 | 0 | if ((size = ftell(f)) == -1) { |
70 | 0 | fclose(f); |
71 | 0 | return MBEDTLS_ERR_PK_FILE_IO_ERROR; |
72 | 0 | } |
73 | 0 | fseek(f, 0, SEEK_SET); |
74 | |
|
75 | 0 | *n = (size_t) size; |
76 | |
|
77 | 0 | if (*n + 1 == 0 || |
78 | 0 | (*buf = mbedtls_calloc(1, *n + 1)) == NULL) { |
79 | 0 | fclose(f); |
80 | 0 | return MBEDTLS_ERR_PK_ALLOC_FAILED; |
81 | 0 | } |
82 | | |
83 | 0 | if (fread(*buf, 1, *n, f) != *n) { |
84 | 0 | fclose(f); |
85 | |
|
86 | 0 | mbedtls_platform_zeroize(*buf, *n); |
87 | 0 | mbedtls_free(*buf); |
88 | |
|
89 | 0 | return MBEDTLS_ERR_PK_FILE_IO_ERROR; |
90 | 0 | } |
91 | | |
92 | 0 | fclose(f); |
93 | |
|
94 | 0 | (*buf)[*n] = '\0'; |
95 | |
|
96 | 0 | if (strstr((const char *) *buf, "-----BEGIN ") != NULL) { |
97 | 0 | ++*n; |
98 | 0 | } |
99 | |
|
100 | 0 | return 0; |
101 | 0 | } |
102 | | |
103 | | /* |
104 | | * Load and parse a private key |
105 | | */ |
106 | | int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx, |
107 | | const char *path, const char *pwd) |
108 | 0 | { |
109 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
110 | 0 | size_t n; |
111 | 0 | unsigned char *buf; |
112 | |
|
113 | 0 | PK_VALIDATE_RET(ctx != NULL); |
114 | 0 | PK_VALIDATE_RET(path != NULL); |
115 | |
|
116 | 0 | if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { |
117 | 0 | return ret; |
118 | 0 | } |
119 | | |
120 | 0 | if (pwd == NULL) { |
121 | 0 | ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0); |
122 | 0 | } else { |
123 | 0 | ret = mbedtls_pk_parse_key(ctx, buf, n, |
124 | 0 | (const unsigned char *) pwd, strlen(pwd)); |
125 | 0 | } |
126 | |
|
127 | 0 | mbedtls_platform_zeroize(buf, n); |
128 | 0 | mbedtls_free(buf); |
129 | |
|
130 | 0 | return ret; |
131 | 0 | } |
132 | | |
133 | | /* |
134 | | * Load and parse a public key |
135 | | */ |
136 | | int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path) |
137 | 0 | { |
138 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
139 | 0 | size_t n; |
140 | 0 | unsigned char *buf; |
141 | |
|
142 | 0 | PK_VALIDATE_RET(ctx != NULL); |
143 | 0 | PK_VALIDATE_RET(path != NULL); |
144 | |
|
145 | 0 | if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { |
146 | 0 | return ret; |
147 | 0 | } |
148 | | |
149 | 0 | ret = mbedtls_pk_parse_public_key(ctx, buf, n); |
150 | |
|
151 | 0 | mbedtls_platform_zeroize(buf, n); |
152 | 0 | mbedtls_free(buf); |
153 | |
|
154 | 0 | return ret; |
155 | 0 | } |
156 | | #endif /* MBEDTLS_FS_IO */ |
157 | | |
158 | | #if defined(MBEDTLS_ECP_C) |
159 | | /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf |
160 | | * |
161 | | * ECParameters ::= CHOICE { |
162 | | * namedCurve OBJECT IDENTIFIER |
163 | | * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } |
164 | | * -- implicitCurve NULL |
165 | | * } |
166 | | */ |
167 | | static int pk_get_ecparams(unsigned char **p, const unsigned char *end, |
168 | | mbedtls_asn1_buf *params) |
169 | 0 | { |
170 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
171 | |
|
172 | 0 | if (end - *p < 1) { |
173 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
174 | 0 | MBEDTLS_ERR_ASN1_OUT_OF_DATA); |
175 | 0 | } |
176 | | |
177 | | /* Tag may be either OID or SEQUENCE */ |
178 | 0 | params->tag = **p; |
179 | 0 | if (params->tag != MBEDTLS_ASN1_OID |
180 | 0 | #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) |
181 | 0 | && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) |
182 | 0 | #endif |
183 | 0 | ) { |
184 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
185 | 0 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); |
186 | 0 | } |
187 | | |
188 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, ¶ms->len, params->tag)) != 0) { |
189 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
190 | 0 | } |
191 | | |
192 | 0 | params->p = *p; |
193 | 0 | *p += params->len; |
194 | |
|
195 | 0 | if (*p != end) { |
196 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
197 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
198 | 0 | } |
199 | | |
200 | 0 | return 0; |
201 | 0 | } |
202 | | |
203 | | #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) |
204 | | /* |
205 | | * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. |
206 | | * WARNING: the resulting group should only be used with |
207 | | * pk_group_id_from_specified(), since its base point may not be set correctly |
208 | | * if it was encoded compressed. |
209 | | * |
210 | | * SpecifiedECDomain ::= SEQUENCE { |
211 | | * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...), |
212 | | * fieldID FieldID {{FieldTypes}}, |
213 | | * curve Curve, |
214 | | * base ECPoint, |
215 | | * order INTEGER, |
216 | | * cofactor INTEGER OPTIONAL, |
217 | | * hash HashAlgorithm OPTIONAL, |
218 | | * ... |
219 | | * } |
220 | | * |
221 | | * We only support prime-field as field type, and ignore hash and cofactor. |
222 | | */ |
223 | | static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp) |
224 | 0 | { |
225 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
226 | 0 | unsigned char *p = params->p; |
227 | 0 | const unsigned char * const end = params->p + params->len; |
228 | 0 | const unsigned char *end_field, *end_curve; |
229 | 0 | size_t len; |
230 | 0 | int ver; |
231 | | |
232 | | /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */ |
233 | 0 | if ((ret = mbedtls_asn1_get_int(&p, end, &ver)) != 0) { |
234 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
235 | 0 | } |
236 | | |
237 | 0 | if (ver < 1 || ver > 3) { |
238 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
239 | 0 | } |
240 | | |
241 | | /* |
242 | | * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field |
243 | | * fieldType FIELD-ID.&id({IOSet}), |
244 | | * parameters FIELD-ID.&Type({IOSet}{@fieldType}) |
245 | | * } |
246 | | */ |
247 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
248 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
249 | 0 | return ret; |
250 | 0 | } |
251 | | |
252 | 0 | end_field = p + len; |
253 | | |
254 | | /* |
255 | | * FIELD-ID ::= TYPE-IDENTIFIER |
256 | | * FieldTypes FIELD-ID ::= { |
257 | | * { Prime-p IDENTIFIED BY prime-field } | |
258 | | * { Characteristic-two IDENTIFIED BY characteristic-two-field } |
259 | | * } |
260 | | * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } |
261 | | */ |
262 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end_field, &len, MBEDTLS_ASN1_OID)) != 0) { |
263 | 0 | return ret; |
264 | 0 | } |
265 | | |
266 | 0 | if (len != MBEDTLS_OID_SIZE(MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD) || |
267 | 0 | memcmp(p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len) != 0) { |
268 | 0 | return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; |
269 | 0 | } |
270 | | |
271 | 0 | p += len; |
272 | | |
273 | | /* Prime-p ::= INTEGER -- Field of size p. */ |
274 | 0 | if ((ret = mbedtls_asn1_get_mpi(&p, end_field, &grp->P)) != 0) { |
275 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
276 | 0 | } |
277 | | |
278 | 0 | grp->pbits = mbedtls_mpi_bitlen(&grp->P); |
279 | |
|
280 | 0 | if (p != end_field) { |
281 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
282 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
283 | 0 | } |
284 | | |
285 | | /* |
286 | | * Curve ::= SEQUENCE { |
287 | | * a FieldElement, |
288 | | * b FieldElement, |
289 | | * seed BIT STRING OPTIONAL |
290 | | * -- Shall be present if used in SpecifiedECDomain |
291 | | * -- with version equal to ecdpVer2 or ecdpVer3 |
292 | | * } |
293 | | */ |
294 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
295 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
296 | 0 | return ret; |
297 | 0 | } |
298 | | |
299 | 0 | end_curve = p + len; |
300 | | |
301 | | /* |
302 | | * FieldElement ::= OCTET STRING |
303 | | * containing an integer in the case of a prime field |
304 | | */ |
305 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 || |
306 | 0 | (ret = mbedtls_mpi_read_binary(&grp->A, p, len)) != 0) { |
307 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
308 | 0 | } |
309 | | |
310 | 0 | p += len; |
311 | |
|
312 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 || |
313 | 0 | (ret = mbedtls_mpi_read_binary(&grp->B, p, len)) != 0) { |
314 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
315 | 0 | } |
316 | | |
317 | 0 | p += len; |
318 | | |
319 | | /* Ignore seed BIT STRING OPTIONAL */ |
320 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING)) == 0) { |
321 | 0 | p += len; |
322 | 0 | } |
323 | |
|
324 | 0 | if (p != end_curve) { |
325 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
326 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
327 | 0 | } |
328 | | |
329 | | /* |
330 | | * ECPoint ::= OCTET STRING |
331 | | */ |
332 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
333 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
334 | 0 | } |
335 | | |
336 | 0 | if ((ret = mbedtls_ecp_point_read_binary(grp, &grp->G, |
337 | 0 | (const unsigned char *) p, len)) != 0) { |
338 | | /* |
339 | | * If we can't read the point because it's compressed, cheat by |
340 | | * reading only the X coordinate and the parity bit of Y. |
341 | | */ |
342 | 0 | if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE || |
343 | 0 | (p[0] != 0x02 && p[0] != 0x03) || |
344 | 0 | len != mbedtls_mpi_size(&grp->P) + 1 || |
345 | 0 | mbedtls_mpi_read_binary(&grp->G.X, p + 1, len - 1) != 0 || |
346 | 0 | mbedtls_mpi_lset(&grp->G.Y, p[0] - 2) != 0 || |
347 | 0 | mbedtls_mpi_lset(&grp->G.Z, 1) != 0) { |
348 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
349 | 0 | } |
350 | 0 | } |
351 | | |
352 | 0 | p += len; |
353 | | |
354 | | /* |
355 | | * order INTEGER |
356 | | */ |
357 | 0 | if ((ret = mbedtls_asn1_get_mpi(&p, end, &grp->N)) != 0) { |
358 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
359 | 0 | } |
360 | | |
361 | 0 | grp->nbits = mbedtls_mpi_bitlen(&grp->N); |
362 | | |
363 | | /* |
364 | | * Allow optional elements by purposefully not enforcing p == end here. |
365 | | */ |
366 | |
|
367 | 0 | return 0; |
368 | 0 | } |
369 | | |
370 | | /* |
371 | | * Find the group id associated with an (almost filled) group as generated by |
372 | | * pk_group_from_specified(), or return an error if unknown. |
373 | | */ |
374 | | static int pk_group_id_from_group(const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id) |
375 | 0 | { |
376 | 0 | int ret = 0; |
377 | 0 | mbedtls_ecp_group ref; |
378 | 0 | const mbedtls_ecp_group_id *id; |
379 | |
|
380 | 0 | mbedtls_ecp_group_init(&ref); |
381 | |
|
382 | 0 | for (id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++) { |
383 | | /* Load the group associated to that id */ |
384 | 0 | mbedtls_ecp_group_free(&ref); |
385 | 0 | MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ref, *id)); |
386 | | |
387 | | /* Compare to the group we were given, starting with easy tests */ |
388 | 0 | if (grp->pbits == ref.pbits && grp->nbits == ref.nbits && |
389 | 0 | mbedtls_mpi_cmp_mpi(&grp->P, &ref.P) == 0 && |
390 | 0 | mbedtls_mpi_cmp_mpi(&grp->A, &ref.A) == 0 && |
391 | 0 | mbedtls_mpi_cmp_mpi(&grp->B, &ref.B) == 0 && |
392 | 0 | mbedtls_mpi_cmp_mpi(&grp->N, &ref.N) == 0 && |
393 | 0 | mbedtls_mpi_cmp_mpi(&grp->G.X, &ref.G.X) == 0 && |
394 | 0 | mbedtls_mpi_cmp_mpi(&grp->G.Z, &ref.G.Z) == 0 && |
395 | | /* For Y we may only know the parity bit, so compare only that */ |
396 | 0 | mbedtls_mpi_get_bit(&grp->G.Y, 0) == mbedtls_mpi_get_bit(&ref.G.Y, 0)) { |
397 | 0 | break; |
398 | 0 | } |
399 | |
|
400 | 0 | } |
401 | | |
402 | 0 | cleanup: |
403 | 0 | mbedtls_ecp_group_free(&ref); |
404 | |
|
405 | 0 | *grp_id = *id; |
406 | |
|
407 | 0 | if (ret == 0 && *id == MBEDTLS_ECP_DP_NONE) { |
408 | 0 | ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; |
409 | 0 | } |
410 | |
|
411 | 0 | return ret; |
412 | 0 | } |
413 | | |
414 | | /* |
415 | | * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID |
416 | | */ |
417 | | static int pk_group_id_from_specified(const mbedtls_asn1_buf *params, |
418 | | mbedtls_ecp_group_id *grp_id) |
419 | 0 | { |
420 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
421 | 0 | mbedtls_ecp_group grp; |
422 | |
|
423 | 0 | mbedtls_ecp_group_init(&grp); |
424 | |
|
425 | 0 | if ((ret = pk_group_from_specified(params, &grp)) != 0) { |
426 | 0 | goto cleanup; |
427 | 0 | } |
428 | | |
429 | 0 | ret = pk_group_id_from_group(&grp, grp_id); |
430 | |
|
431 | 0 | cleanup: |
432 | 0 | mbedtls_ecp_group_free(&grp); |
433 | |
|
434 | 0 | return ret; |
435 | 0 | } |
436 | | #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ |
437 | | |
438 | | /* |
439 | | * Use EC parameters to initialise an EC group |
440 | | * |
441 | | * ECParameters ::= CHOICE { |
442 | | * namedCurve OBJECT IDENTIFIER |
443 | | * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } |
444 | | * -- implicitCurve NULL |
445 | | */ |
446 | | static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp) |
447 | 0 | { |
448 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
449 | 0 | mbedtls_ecp_group_id grp_id; |
450 | |
|
451 | 0 | if (params->tag == MBEDTLS_ASN1_OID) { |
452 | 0 | if (mbedtls_oid_get_ec_grp(params, &grp_id) != 0) { |
453 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE; |
454 | 0 | } |
455 | 0 | } else { |
456 | 0 | #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) |
457 | 0 | if ((ret = pk_group_id_from_specified(params, &grp_id)) != 0) { |
458 | 0 | return ret; |
459 | 0 | } |
460 | | #else |
461 | | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
462 | | #endif |
463 | 0 | } |
464 | | |
465 | | /* |
466 | | * grp may already be initialized; if so, make sure IDs match |
467 | | */ |
468 | 0 | if (grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id) { |
469 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
470 | 0 | } |
471 | | |
472 | 0 | if ((ret = mbedtls_ecp_group_load(grp, grp_id)) != 0) { |
473 | 0 | return ret; |
474 | 0 | } |
475 | | |
476 | 0 | return 0; |
477 | 0 | } |
478 | | |
479 | | /* |
480 | | * EC public key is an EC point |
481 | | * |
482 | | * The caller is responsible for clearing the structure upon failure if |
483 | | * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE |
484 | | * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. |
485 | | */ |
486 | | static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, |
487 | | mbedtls_ecp_keypair *key) |
488 | 0 | { |
489 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
490 | |
|
491 | 0 | if ((ret = mbedtls_ecp_point_read_binary(&key->grp, &key->Q, |
492 | 0 | (const unsigned char *) *p, end - *p)) == 0) { |
493 | 0 | ret = mbedtls_ecp_check_pubkey(&key->grp, &key->Q); |
494 | 0 | } |
495 | | |
496 | | /* |
497 | | * We know mbedtls_ecp_point_read_binary consumed all bytes or failed |
498 | | */ |
499 | 0 | *p = (unsigned char *) end; |
500 | |
|
501 | 0 | return ret; |
502 | 0 | } |
503 | | #endif /* MBEDTLS_ECP_C */ |
504 | | |
505 | | #if defined(MBEDTLS_RSA_C) |
506 | | /* |
507 | | * RSAPublicKey ::= SEQUENCE { |
508 | | * modulus INTEGER, -- n |
509 | | * publicExponent INTEGER -- e |
510 | | * } |
511 | | */ |
512 | | static int pk_get_rsapubkey(unsigned char **p, |
513 | | const unsigned char *end, |
514 | | mbedtls_rsa_context *rsa) |
515 | 0 | { |
516 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
517 | 0 | size_t len; |
518 | |
|
519 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, |
520 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
521 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); |
522 | 0 | } |
523 | | |
524 | 0 | if (*p + len != end) { |
525 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, |
526 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
527 | 0 | } |
528 | | |
529 | | /* Import N */ |
530 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { |
531 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); |
532 | 0 | } |
533 | | |
534 | 0 | if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, |
535 | 0 | NULL, 0, NULL, 0)) != 0) { |
536 | 0 | return MBEDTLS_ERR_PK_INVALID_PUBKEY; |
537 | 0 | } |
538 | | |
539 | 0 | *p += len; |
540 | | |
541 | | /* Import E */ |
542 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { |
543 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); |
544 | 0 | } |
545 | | |
546 | 0 | if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, |
547 | 0 | NULL, 0, *p, len)) != 0) { |
548 | 0 | return MBEDTLS_ERR_PK_INVALID_PUBKEY; |
549 | 0 | } |
550 | | |
551 | 0 | *p += len; |
552 | |
|
553 | 0 | if (mbedtls_rsa_complete(rsa) != 0 || |
554 | 0 | mbedtls_rsa_check_pubkey(rsa) != 0) { |
555 | 0 | return MBEDTLS_ERR_PK_INVALID_PUBKEY; |
556 | 0 | } |
557 | | |
558 | 0 | if (*p != end) { |
559 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, |
560 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
561 | 0 | } |
562 | | |
563 | 0 | return 0; |
564 | 0 | } |
565 | | #endif /* MBEDTLS_RSA_C */ |
566 | | |
567 | | /* Get a PK algorithm identifier |
568 | | * |
569 | | * AlgorithmIdentifier ::= SEQUENCE { |
570 | | * algorithm OBJECT IDENTIFIER, |
571 | | * parameters ANY DEFINED BY algorithm OPTIONAL } |
572 | | */ |
573 | | static int pk_get_pk_alg(unsigned char **p, |
574 | | const unsigned char *end, |
575 | | mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params) |
576 | 0 | { |
577 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
578 | 0 | mbedtls_asn1_buf alg_oid; |
579 | |
|
580 | 0 | memset(params, 0, sizeof(mbedtls_asn1_buf)); |
581 | |
|
582 | 0 | if ((ret = mbedtls_asn1_get_alg(p, end, &alg_oid, params)) != 0) { |
583 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_ALG, ret); |
584 | 0 | } |
585 | | |
586 | 0 | if (mbedtls_oid_get_pk_alg(&alg_oid, pk_alg) != 0) { |
587 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
588 | 0 | } |
589 | | |
590 | | /* |
591 | | * No parameters with RSA (only for EC) |
592 | | */ |
593 | 0 | if (*pk_alg == MBEDTLS_PK_RSA && |
594 | 0 | ((params->tag != MBEDTLS_ASN1_NULL && params->tag != 0) || |
595 | 0 | params->len != 0)) { |
596 | 0 | return MBEDTLS_ERR_PK_INVALID_ALG; |
597 | 0 | } |
598 | | |
599 | 0 | return 0; |
600 | 0 | } |
601 | | |
602 | | /* |
603 | | * SubjectPublicKeyInfo ::= SEQUENCE { |
604 | | * algorithm AlgorithmIdentifier, |
605 | | * subjectPublicKey BIT STRING } |
606 | | */ |
607 | | int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, |
608 | | mbedtls_pk_context *pk) |
609 | 0 | { |
610 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
611 | 0 | size_t len; |
612 | 0 | mbedtls_asn1_buf alg_params; |
613 | 0 | mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; |
614 | 0 | const mbedtls_pk_info_t *pk_info; |
615 | |
|
616 | 0 | PK_VALIDATE_RET(p != NULL); |
617 | 0 | PK_VALIDATE_RET(*p != NULL); |
618 | 0 | PK_VALIDATE_RET(end != NULL); |
619 | 0 | PK_VALIDATE_RET(pk != NULL); |
620 | |
|
621 | 0 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, |
622 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
623 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
624 | 0 | } |
625 | | |
626 | 0 | end = *p + len; |
627 | |
|
628 | 0 | if ((ret = pk_get_pk_alg(p, end, &pk_alg, &alg_params)) != 0) { |
629 | 0 | return ret; |
630 | 0 | } |
631 | | |
632 | 0 | if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) { |
633 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); |
634 | 0 | } |
635 | | |
636 | 0 | if (*p + len != end) { |
637 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, |
638 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
639 | 0 | } |
640 | | |
641 | 0 | if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) { |
642 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
643 | 0 | } |
644 | | |
645 | 0 | if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) { |
646 | 0 | return ret; |
647 | 0 | } |
648 | | |
649 | 0 | #if defined(MBEDTLS_RSA_C) |
650 | 0 | if (pk_alg == MBEDTLS_PK_RSA) { |
651 | 0 | ret = pk_get_rsapubkey(p, end, mbedtls_pk_rsa(*pk)); |
652 | 0 | } else |
653 | 0 | #endif /* MBEDTLS_RSA_C */ |
654 | 0 | #if defined(MBEDTLS_ECP_C) |
655 | 0 | if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) { |
656 | 0 | ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec(*pk)->grp); |
657 | 0 | if (ret == 0) { |
658 | 0 | ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec(*pk)); |
659 | 0 | } |
660 | 0 | } else |
661 | 0 | #endif /* MBEDTLS_ECP_C */ |
662 | 0 | ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
663 | |
|
664 | 0 | if (ret == 0 && *p != end) { |
665 | 0 | ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, |
666 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
667 | 0 | } |
668 | |
|
669 | 0 | if (ret != 0) { |
670 | 0 | mbedtls_pk_free(pk); |
671 | 0 | } |
672 | |
|
673 | 0 | return ret; |
674 | 0 | } |
675 | | |
676 | | #if defined(MBEDTLS_RSA_C) |
677 | | /* |
678 | | * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. |
679 | | * |
680 | | * The value zero is: |
681 | | * - never a valid value for an RSA parameter |
682 | | * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). |
683 | | * |
684 | | * Since values can't be omitted in PKCS#1, passing a zero value to |
685 | | * rsa_complete() would be incorrect, so reject zero values early. |
686 | | */ |
687 | | static int asn1_get_nonzero_mpi(unsigned char **p, |
688 | | const unsigned char *end, |
689 | | mbedtls_mpi *X) |
690 | 0 | { |
691 | 0 | int ret; |
692 | |
|
693 | 0 | ret = mbedtls_asn1_get_mpi(p, end, X); |
694 | 0 | if (ret != 0) { |
695 | 0 | return ret; |
696 | 0 | } |
697 | | |
698 | 0 | if (mbedtls_mpi_cmp_int(X, 0) == 0) { |
699 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
700 | 0 | } |
701 | | |
702 | 0 | return 0; |
703 | 0 | } |
704 | | |
705 | | /* |
706 | | * Parse a PKCS#1 encoded private RSA key |
707 | | */ |
708 | | static int pk_parse_key_pkcs1_der(mbedtls_rsa_context *rsa, |
709 | | const unsigned char *key, |
710 | | size_t keylen) |
711 | 0 | { |
712 | 0 | int ret, version; |
713 | 0 | size_t len; |
714 | 0 | unsigned char *p, *end; |
715 | |
|
716 | 0 | mbedtls_mpi T; |
717 | 0 | mbedtls_mpi_init(&T); |
718 | |
|
719 | 0 | p = (unsigned char *) key; |
720 | 0 | end = p + keylen; |
721 | | |
722 | | /* |
723 | | * This function parses the RSAPrivateKey (PKCS#1) |
724 | | * |
725 | | * RSAPrivateKey ::= SEQUENCE { |
726 | | * version Version, |
727 | | * modulus INTEGER, -- n |
728 | | * publicExponent INTEGER, -- e |
729 | | * privateExponent INTEGER, -- d |
730 | | * prime1 INTEGER, -- p |
731 | | * prime2 INTEGER, -- q |
732 | | * exponent1 INTEGER, -- d mod (p-1) |
733 | | * exponent2 INTEGER, -- d mod (q-1) |
734 | | * coefficient INTEGER, -- (inverse of q) mod p |
735 | | * otherPrimeInfos OtherPrimeInfos OPTIONAL |
736 | | * } |
737 | | */ |
738 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
739 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
740 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
741 | 0 | } |
742 | | |
743 | 0 | end = p + len; |
744 | |
|
745 | 0 | if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { |
746 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
747 | 0 | } |
748 | | |
749 | 0 | if (version != 0) { |
750 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; |
751 | 0 | } |
752 | | |
753 | | /* Import N */ |
754 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
755 | 0 | (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, |
756 | 0 | NULL, NULL)) != 0) { |
757 | 0 | goto cleanup; |
758 | 0 | } |
759 | | |
760 | | /* Import E */ |
761 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
762 | 0 | (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, |
763 | 0 | NULL, &T)) != 0) { |
764 | 0 | goto cleanup; |
765 | 0 | } |
766 | | |
767 | | /* Import D */ |
768 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
769 | 0 | (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, |
770 | 0 | &T, NULL)) != 0) { |
771 | 0 | goto cleanup; |
772 | 0 | } |
773 | | |
774 | | /* Import P */ |
775 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
776 | 0 | (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, |
777 | 0 | NULL, NULL)) != 0) { |
778 | 0 | goto cleanup; |
779 | 0 | } |
780 | | |
781 | | /* Import Q */ |
782 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
783 | 0 | (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, |
784 | 0 | NULL, NULL)) != 0) { |
785 | 0 | goto cleanup; |
786 | 0 | } |
787 | | |
788 | 0 | #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) |
789 | | /* |
790 | | * The RSA CRT parameters DP, DQ and QP are nominally redundant, in |
791 | | * that they can be easily recomputed from D, P and Q. However by |
792 | | * parsing them from the PKCS1 structure it is possible to avoid |
793 | | * recalculating them which both reduces the overhead of loading |
794 | | * RSA private keys into memory and also avoids side channels which |
795 | | * can arise when computing those values, since all of D, P, and Q |
796 | | * are secret. See https://eprint.iacr.org/2020/055 for a |
797 | | * description of one such attack. |
798 | | */ |
799 | | |
800 | | /* Import DP */ |
801 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
802 | 0 | (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { |
803 | 0 | goto cleanup; |
804 | 0 | } |
805 | | |
806 | | /* Import DQ */ |
807 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
808 | 0 | (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { |
809 | 0 | goto cleanup; |
810 | 0 | } |
811 | | |
812 | | /* Import QP */ |
813 | 0 | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
814 | 0 | (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { |
815 | 0 | goto cleanup; |
816 | 0 | } |
817 | | |
818 | | #else |
819 | | /* Verify existence of the CRT params */ |
820 | | if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
821 | | (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || |
822 | | (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { |
823 | | goto cleanup; |
824 | | } |
825 | | #endif |
826 | | |
827 | | /* rsa_complete() doesn't complete anything with the default |
828 | | * implementation but is still called: |
829 | | * - for the benefit of alternative implementation that may want to |
830 | | * pre-compute stuff beyond what's provided (eg Montgomery factors) |
831 | | * - as is also sanity-checks the key |
832 | | * |
833 | | * Furthermore, we also check the public part for consistency with |
834 | | * mbedtls_pk_parse_pubkey(), as it includes size minima for example. |
835 | | */ |
836 | 0 | if ((ret = mbedtls_rsa_complete(rsa)) != 0 || |
837 | 0 | (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { |
838 | 0 | goto cleanup; |
839 | 0 | } |
840 | | |
841 | 0 | if (p != end) { |
842 | 0 | ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
843 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
844 | 0 | } |
845 | |
|
846 | 0 | cleanup: |
847 | |
|
848 | 0 | mbedtls_mpi_free(&T); |
849 | |
|
850 | 0 | if (ret != 0) { |
851 | | /* Wrap error code if it's coming from a lower level */ |
852 | 0 | if ((ret & 0xff80) == 0) { |
853 | 0 | ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
854 | 0 | } else { |
855 | 0 | ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
856 | 0 | } |
857 | |
|
858 | 0 | mbedtls_rsa_free(rsa); |
859 | 0 | } |
860 | |
|
861 | 0 | return ret; |
862 | 0 | } |
863 | | #endif /* MBEDTLS_RSA_C */ |
864 | | |
865 | | #if defined(MBEDTLS_ECP_C) |
866 | | /* |
867 | | * Parse a SEC1 encoded private EC key |
868 | | */ |
869 | | static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck, |
870 | | const unsigned char *key, |
871 | | size_t keylen) |
872 | 0 | { |
873 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
874 | 0 | int version, pubkey_done; |
875 | 0 | size_t len; |
876 | 0 | mbedtls_asn1_buf params; |
877 | 0 | unsigned char *p = (unsigned char *) key; |
878 | 0 | unsigned char *end = p + keylen; |
879 | 0 | unsigned char *end2; |
880 | | |
881 | | /* |
882 | | * RFC 5915, or SEC1 Appendix C.4 |
883 | | * |
884 | | * ECPrivateKey ::= SEQUENCE { |
885 | | * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), |
886 | | * privateKey OCTET STRING, |
887 | | * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, |
888 | | * publicKey [1] BIT STRING OPTIONAL |
889 | | * } |
890 | | */ |
891 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
892 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
893 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
894 | 0 | } |
895 | | |
896 | 0 | end = p + len; |
897 | |
|
898 | 0 | if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { |
899 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
900 | 0 | } |
901 | | |
902 | 0 | if (version != 1) { |
903 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; |
904 | 0 | } |
905 | | |
906 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
907 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
908 | 0 | } |
909 | | |
910 | 0 | if ((ret = mbedtls_mpi_read_binary(&eck->d, p, len)) != 0) { |
911 | 0 | mbedtls_ecp_keypair_free(eck); |
912 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
913 | 0 | } |
914 | | |
915 | 0 | p += len; |
916 | |
|
917 | 0 | pubkey_done = 0; |
918 | 0 | if (p != end) { |
919 | | /* |
920 | | * Is 'parameters' present? |
921 | | */ |
922 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
923 | 0 | MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | |
924 | 0 | 0)) == 0) { |
925 | 0 | if ((ret = pk_get_ecparams(&p, p + len, ¶ms)) != 0 || |
926 | 0 | (ret = pk_use_ecparams(¶ms, &eck->grp)) != 0) { |
927 | 0 | mbedtls_ecp_keypair_free(eck); |
928 | 0 | return ret; |
929 | 0 | } |
930 | 0 | } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { |
931 | 0 | mbedtls_ecp_keypair_free(eck); |
932 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
933 | 0 | } |
934 | 0 | } |
935 | | |
936 | 0 | if (p != end) { |
937 | | /* |
938 | | * Is 'publickey' present? If not, or if we can't read it (eg because it |
939 | | * is compressed), create it from the private key. |
940 | | */ |
941 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
942 | 0 | MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | |
943 | 0 | 1)) == 0) { |
944 | 0 | end2 = p + len; |
945 | |
|
946 | 0 | if ((ret = mbedtls_asn1_get_bitstring_null(&p, end2, &len)) != 0) { |
947 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
948 | 0 | } |
949 | | |
950 | 0 | if (p + len != end2) { |
951 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
952 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
953 | 0 | } |
954 | | |
955 | 0 | if ((ret = pk_get_ecpubkey(&p, end2, eck)) == 0) { |
956 | 0 | pubkey_done = 1; |
957 | 0 | } else { |
958 | | /* |
959 | | * The only acceptable failure mode of pk_get_ecpubkey() above |
960 | | * is if the point format is not recognized. |
961 | | */ |
962 | 0 | if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) { |
963 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
964 | 0 | } |
965 | 0 | } |
966 | 0 | } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { |
967 | 0 | mbedtls_ecp_keypair_free(eck); |
968 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
969 | 0 | } |
970 | 0 | } |
971 | | |
972 | 0 | if (!pubkey_done && |
973 | 0 | (ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, |
974 | 0 | NULL, NULL)) != 0) { |
975 | 0 | mbedtls_ecp_keypair_free(eck); |
976 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
977 | 0 | } |
978 | | |
979 | 0 | if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) { |
980 | 0 | mbedtls_ecp_keypair_free(eck); |
981 | 0 | return ret; |
982 | 0 | } |
983 | | |
984 | 0 | return 0; |
985 | 0 | } |
986 | | #endif /* MBEDTLS_ECP_C */ |
987 | | |
988 | | /* |
989 | | * Parse an unencrypted PKCS#8 encoded private key |
990 | | * |
991 | | * Notes: |
992 | | * |
993 | | * - This function does not own the key buffer. It is the |
994 | | * responsibility of the caller to take care of zeroizing |
995 | | * and freeing it after use. |
996 | | * |
997 | | * - The function is responsible for freeing the provided |
998 | | * PK context on failure. |
999 | | * |
1000 | | */ |
1001 | | static int pk_parse_key_pkcs8_unencrypted_der( |
1002 | | mbedtls_pk_context *pk, |
1003 | | const unsigned char *key, |
1004 | | size_t keylen) |
1005 | 0 | { |
1006 | 0 | int ret, version; |
1007 | 0 | size_t len; |
1008 | 0 | mbedtls_asn1_buf params; |
1009 | 0 | unsigned char *p = (unsigned char *) key; |
1010 | 0 | unsigned char *end = p + keylen; |
1011 | 0 | mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; |
1012 | 0 | const mbedtls_pk_info_t *pk_info; |
1013 | | |
1014 | | /* |
1015 | | * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208) |
1016 | | * |
1017 | | * PrivateKeyInfo ::= SEQUENCE { |
1018 | | * version Version, |
1019 | | * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, |
1020 | | * privateKey PrivateKey, |
1021 | | * attributes [0] IMPLICIT Attributes OPTIONAL } |
1022 | | * |
1023 | | * Version ::= INTEGER |
1024 | | * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier |
1025 | | * PrivateKey ::= OCTET STRING |
1026 | | * |
1027 | | * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey |
1028 | | */ |
1029 | |
|
1030 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
1031 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
1032 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
1033 | 0 | } |
1034 | | |
1035 | 0 | end = p + len; |
1036 | |
|
1037 | 0 | if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { |
1038 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
1039 | 0 | } |
1040 | | |
1041 | 0 | if (version != 0) { |
1042 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret); |
1043 | 0 | } |
1044 | | |
1045 | 0 | if ((ret = pk_get_pk_alg(&p, end, &pk_alg, ¶ms)) != 0) { |
1046 | 0 | return ret; |
1047 | 0 | } |
1048 | | |
1049 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
1050 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
1051 | 0 | } |
1052 | | |
1053 | 0 | if (len < 1) { |
1054 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, |
1055 | 0 | MBEDTLS_ERR_ASN1_OUT_OF_DATA); |
1056 | 0 | } |
1057 | | |
1058 | 0 | if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) { |
1059 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
1060 | 0 | } |
1061 | | |
1062 | 0 | if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) { |
1063 | 0 | return ret; |
1064 | 0 | } |
1065 | | |
1066 | 0 | #if defined(MBEDTLS_RSA_C) |
1067 | 0 | if (pk_alg == MBEDTLS_PK_RSA) { |
1068 | 0 | if ((ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), p, len)) != 0) { |
1069 | 0 | mbedtls_pk_free(pk); |
1070 | 0 | return ret; |
1071 | 0 | } |
1072 | 0 | } else |
1073 | 0 | #endif /* MBEDTLS_RSA_C */ |
1074 | 0 | #if defined(MBEDTLS_ECP_C) |
1075 | 0 | if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) { |
1076 | 0 | if ((ret = pk_use_ecparams(¶ms, &mbedtls_pk_ec(*pk)->grp)) != 0 || |
1077 | 0 | (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), p, len)) != 0) { |
1078 | 0 | mbedtls_pk_free(pk); |
1079 | 0 | return ret; |
1080 | 0 | } |
1081 | 0 | } else |
1082 | 0 | #endif /* MBEDTLS_ECP_C */ |
1083 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
1084 | | |
1085 | 0 | return 0; |
1086 | 0 | } |
1087 | | |
1088 | | /* |
1089 | | * Parse an encrypted PKCS#8 encoded private key |
1090 | | * |
1091 | | * To save space, the decryption happens in-place on the given key buffer. |
1092 | | * Also, while this function may modify the keybuffer, it doesn't own it, |
1093 | | * and instead it is the responsibility of the caller to zeroize and properly |
1094 | | * free it after use. |
1095 | | * |
1096 | | */ |
1097 | | #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) |
1098 | | static int pk_parse_key_pkcs8_encrypted_der( |
1099 | | mbedtls_pk_context *pk, |
1100 | | unsigned char *key, size_t keylen, |
1101 | | const unsigned char *pwd, size_t pwdlen) |
1102 | 0 | { |
1103 | 0 | int ret, decrypted = 0; |
1104 | 0 | size_t len; |
1105 | 0 | unsigned char *buf; |
1106 | 0 | unsigned char *p, *end; |
1107 | 0 | mbedtls_asn1_buf pbe_alg_oid, pbe_params; |
1108 | 0 | #if defined(MBEDTLS_PKCS12_C) |
1109 | 0 | mbedtls_cipher_type_t cipher_alg; |
1110 | 0 | mbedtls_md_type_t md_alg; |
1111 | 0 | #endif |
1112 | |
|
1113 | 0 | p = key; |
1114 | 0 | end = p + keylen; |
1115 | |
|
1116 | 0 | if (pwdlen == 0) { |
1117 | 0 | return MBEDTLS_ERR_PK_PASSWORD_REQUIRED; |
1118 | 0 | } |
1119 | | |
1120 | | /* |
1121 | | * This function parses the EncryptedPrivateKeyInfo object (PKCS#8) |
1122 | | * |
1123 | | * EncryptedPrivateKeyInfo ::= SEQUENCE { |
1124 | | * encryptionAlgorithm EncryptionAlgorithmIdentifier, |
1125 | | * encryptedData EncryptedData |
1126 | | * } |
1127 | | * |
1128 | | * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier |
1129 | | * |
1130 | | * EncryptedData ::= OCTET STRING |
1131 | | * |
1132 | | * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo |
1133 | | * |
1134 | | */ |
1135 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
1136 | 0 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
1137 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
1138 | 0 | } |
1139 | | |
1140 | 0 | end = p + len; |
1141 | |
|
1142 | 0 | if ((ret = mbedtls_asn1_get_alg(&p, end, &pbe_alg_oid, &pbe_params)) != 0) { |
1143 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
1144 | 0 | } |
1145 | | |
1146 | 0 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
1147 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); |
1148 | 0 | } |
1149 | | |
1150 | 0 | buf = p; |
1151 | | |
1152 | | /* |
1153 | | * Decrypt EncryptedData with appropriate PBE |
1154 | | */ |
1155 | 0 | #if defined(MBEDTLS_PKCS12_C) |
1156 | 0 | if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) { |
1157 | 0 | if ((ret = mbedtls_pkcs12_pbe(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, |
1158 | 0 | cipher_alg, md_alg, |
1159 | 0 | pwd, pwdlen, p, len, buf)) != 0) { |
1160 | 0 | if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) { |
1161 | 0 | return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; |
1162 | 0 | } |
1163 | | |
1164 | 0 | return ret; |
1165 | 0 | } |
1166 | | |
1167 | 0 | decrypted = 1; |
1168 | 0 | } else if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid) == 0) { |
1169 | 0 | if ((ret = mbedtls_pkcs12_pbe_sha1_rc4_128(&pbe_params, |
1170 | 0 | MBEDTLS_PKCS12_PBE_DECRYPT, |
1171 | 0 | pwd, pwdlen, |
1172 | 0 | p, len, buf)) != 0) { |
1173 | 0 | return ret; |
1174 | 0 | } |
1175 | | |
1176 | | // Best guess for password mismatch when using RC4. If first tag is |
1177 | | // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE |
1178 | | // |
1179 | 0 | if (*buf != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) { |
1180 | 0 | return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; |
1181 | 0 | } |
1182 | | |
1183 | 0 | decrypted = 1; |
1184 | 0 | } else |
1185 | 0 | #endif /* MBEDTLS_PKCS12_C */ |
1186 | 0 | #if defined(MBEDTLS_PKCS5_C) |
1187 | 0 | if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) { |
1188 | 0 | if ((ret = mbedtls_pkcs5_pbes2(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, |
1189 | 0 | p, len, buf)) != 0) { |
1190 | 0 | if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) { |
1191 | 0 | return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; |
1192 | 0 | } |
1193 | | |
1194 | 0 | return ret; |
1195 | 0 | } |
1196 | | |
1197 | 0 | decrypted = 1; |
1198 | 0 | } else |
1199 | 0 | #endif /* MBEDTLS_PKCS5_C */ |
1200 | 0 | { |
1201 | 0 | ((void) pwd); |
1202 | 0 | } |
1203 | | |
1204 | 0 | if (decrypted == 0) { |
1205 | 0 | return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; |
1206 | 0 | } |
1207 | | |
1208 | 0 | return pk_parse_key_pkcs8_unencrypted_der(pk, buf, len); |
1209 | 0 | } |
1210 | | #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ |
1211 | | |
1212 | | /* |
1213 | | * Parse a private key |
1214 | | */ |
1215 | | int mbedtls_pk_parse_key(mbedtls_pk_context *pk, |
1216 | | const unsigned char *key, size_t keylen, |
1217 | | const unsigned char *pwd, size_t pwdlen) |
1218 | 0 | { |
1219 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1220 | 0 | const mbedtls_pk_info_t *pk_info; |
1221 | 0 | #if defined(MBEDTLS_PEM_PARSE_C) |
1222 | 0 | size_t len; |
1223 | 0 | mbedtls_pem_context pem; |
1224 | 0 | #endif |
1225 | |
|
1226 | 0 | (void) pk_info; |
1227 | |
|
1228 | 0 | PK_VALIDATE_RET(pk != NULL); |
1229 | 0 | if (keylen == 0) { |
1230 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
1231 | 0 | } |
1232 | 0 | PK_VALIDATE_RET(key != NULL); |
1233 | |
|
1234 | 0 | #if defined(MBEDTLS_PEM_PARSE_C) |
1235 | 0 | mbedtls_pem_init(&pem); |
1236 | |
|
1237 | 0 | #if defined(MBEDTLS_RSA_C) |
1238 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
1239 | 0 | if (key[keylen - 1] != '\0') { |
1240 | 0 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
1241 | 0 | } else { |
1242 | 0 | ret = mbedtls_pem_read_buffer(&pem, |
1243 | 0 | "-----BEGIN RSA PRIVATE KEY-----", |
1244 | 0 | "-----END RSA PRIVATE KEY-----", |
1245 | 0 | key, pwd, pwdlen, &len); |
1246 | 0 | } |
1247 | |
|
1248 | 0 | if (ret == 0) { |
1249 | 0 | pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); |
1250 | 0 | if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || |
1251 | 0 | (ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), |
1252 | 0 | pem.buf, pem.buflen)) != 0) { |
1253 | 0 | mbedtls_pk_free(pk); |
1254 | 0 | } |
1255 | |
|
1256 | 0 | mbedtls_pem_free(&pem); |
1257 | 0 | return ret; |
1258 | 0 | } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) { |
1259 | 0 | return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; |
1260 | 0 | } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) { |
1261 | 0 | return MBEDTLS_ERR_PK_PASSWORD_REQUIRED; |
1262 | 0 | } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
1263 | 0 | return ret; |
1264 | 0 | } |
1265 | 0 | #endif /* MBEDTLS_RSA_C */ |
1266 | | |
1267 | 0 | #if defined(MBEDTLS_ECP_C) |
1268 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
1269 | 0 | if (key[keylen - 1] != '\0') { |
1270 | 0 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
1271 | 0 | } else { |
1272 | 0 | ret = mbedtls_pem_read_buffer(&pem, |
1273 | 0 | "-----BEGIN EC PRIVATE KEY-----", |
1274 | 0 | "-----END EC PRIVATE KEY-----", |
1275 | 0 | key, pwd, pwdlen, &len); |
1276 | 0 | } |
1277 | 0 | if (ret == 0) { |
1278 | 0 | pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY); |
1279 | |
|
1280 | 0 | if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || |
1281 | 0 | (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), |
1282 | 0 | pem.buf, pem.buflen)) != 0) { |
1283 | 0 | mbedtls_pk_free(pk); |
1284 | 0 | } |
1285 | |
|
1286 | 0 | mbedtls_pem_free(&pem); |
1287 | 0 | return ret; |
1288 | 0 | } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) { |
1289 | 0 | return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; |
1290 | 0 | } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) { |
1291 | 0 | return MBEDTLS_ERR_PK_PASSWORD_REQUIRED; |
1292 | 0 | } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
1293 | 0 | return ret; |
1294 | 0 | } |
1295 | 0 | #endif /* MBEDTLS_ECP_C */ |
1296 | | |
1297 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
1298 | 0 | if (key[keylen - 1] != '\0') { |
1299 | 0 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
1300 | 0 | } else { |
1301 | 0 | ret = mbedtls_pem_read_buffer(&pem, |
1302 | 0 | "-----BEGIN PRIVATE KEY-----", |
1303 | 0 | "-----END PRIVATE KEY-----", |
1304 | 0 | key, NULL, 0, &len); |
1305 | 0 | } |
1306 | 0 | if (ret == 0) { |
1307 | 0 | if ((ret = pk_parse_key_pkcs8_unencrypted_der(pk, |
1308 | 0 | pem.buf, pem.buflen)) != 0) { |
1309 | 0 | mbedtls_pk_free(pk); |
1310 | 0 | } |
1311 | |
|
1312 | 0 | mbedtls_pem_free(&pem); |
1313 | 0 | return ret; |
1314 | 0 | } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
1315 | 0 | return ret; |
1316 | 0 | } |
1317 | | |
1318 | 0 | #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) |
1319 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
1320 | 0 | if (key[keylen - 1] != '\0') { |
1321 | 0 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
1322 | 0 | } else { |
1323 | 0 | ret = mbedtls_pem_read_buffer(&pem, |
1324 | 0 | "-----BEGIN ENCRYPTED PRIVATE KEY-----", |
1325 | 0 | "-----END ENCRYPTED PRIVATE KEY-----", |
1326 | 0 | key, NULL, 0, &len); |
1327 | 0 | } |
1328 | 0 | if (ret == 0) { |
1329 | 0 | if ((ret = pk_parse_key_pkcs8_encrypted_der(pk, |
1330 | 0 | pem.buf, pem.buflen, |
1331 | 0 | pwd, pwdlen)) != 0) { |
1332 | 0 | mbedtls_pk_free(pk); |
1333 | 0 | } |
1334 | |
|
1335 | 0 | mbedtls_pem_free(&pem); |
1336 | 0 | return ret; |
1337 | 0 | } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
1338 | 0 | return ret; |
1339 | 0 | } |
1340 | 0 | #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ |
1341 | | #else |
1342 | | ((void) pwd); |
1343 | | ((void) pwdlen); |
1344 | | #endif /* MBEDTLS_PEM_PARSE_C */ |
1345 | | |
1346 | | /* |
1347 | | * At this point we only know it's not a PEM formatted key. Could be any |
1348 | | * of the known DER encoded private key formats |
1349 | | * |
1350 | | * We try the different DER format parsers to see if one passes without |
1351 | | * error |
1352 | | */ |
1353 | 0 | #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) |
1354 | 0 | { |
1355 | 0 | unsigned char *key_copy; |
1356 | |
|
1357 | 0 | if ((key_copy = mbedtls_calloc(1, keylen)) == NULL) { |
1358 | 0 | return MBEDTLS_ERR_PK_ALLOC_FAILED; |
1359 | 0 | } |
1360 | | |
1361 | 0 | memcpy(key_copy, key, keylen); |
1362 | |
|
1363 | 0 | ret = pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen, |
1364 | 0 | pwd, pwdlen); |
1365 | |
|
1366 | 0 | mbedtls_platform_zeroize(key_copy, keylen); |
1367 | 0 | mbedtls_free(key_copy); |
1368 | 0 | } |
1369 | | |
1370 | 0 | if (ret == 0) { |
1371 | 0 | return 0; |
1372 | 0 | } |
1373 | | |
1374 | 0 | mbedtls_pk_free(pk); |
1375 | 0 | mbedtls_pk_init(pk); |
1376 | |
|
1377 | 0 | if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) { |
1378 | 0 | return ret; |
1379 | 0 | } |
1380 | 0 | #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ |
1381 | | |
1382 | 0 | ret = pk_parse_key_pkcs8_unencrypted_der(pk, key, keylen); |
1383 | 0 | if (ret == 0) { |
1384 | 0 | return 0; |
1385 | 0 | } |
1386 | | |
1387 | 0 | mbedtls_pk_free(pk); |
1388 | 0 | mbedtls_pk_init(pk); |
1389 | |
|
1390 | 0 | #if defined(MBEDTLS_RSA_C) |
1391 | |
|
1392 | 0 | pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); |
1393 | 0 | if (mbedtls_pk_setup(pk, pk_info) == 0 && |
1394 | 0 | pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), key, keylen) == 0) { |
1395 | 0 | return 0; |
1396 | 0 | } |
1397 | | |
1398 | 0 | mbedtls_pk_free(pk); |
1399 | 0 | mbedtls_pk_init(pk); |
1400 | 0 | #endif /* MBEDTLS_RSA_C */ |
1401 | |
|
1402 | 0 | #if defined(MBEDTLS_ECP_C) |
1403 | 0 | pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY); |
1404 | 0 | if (mbedtls_pk_setup(pk, pk_info) == 0 && |
1405 | 0 | pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), |
1406 | 0 | key, keylen) == 0) { |
1407 | 0 | return 0; |
1408 | 0 | } |
1409 | 0 | mbedtls_pk_free(pk); |
1410 | 0 | #endif /* MBEDTLS_ECP_C */ |
1411 | | |
1412 | | /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't, |
1413 | | * it is ok to leave the PK context initialized but not |
1414 | | * freed: It is the caller's responsibility to call pk_init() |
1415 | | * before calling this function, and to call pk_free() |
1416 | | * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C |
1417 | | * isn't, this leads to mbedtls_pk_free() being called |
1418 | | * twice, once here and once by the caller, but this is |
1419 | | * also ok and in line with the mbedtls_pk_free() calls |
1420 | | * on failed PEM parsing attempts. */ |
1421 | |
|
1422 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
1423 | 0 | } |
1424 | | |
1425 | | /* |
1426 | | * Parse a public key |
1427 | | */ |
1428 | | int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, |
1429 | | const unsigned char *key, size_t keylen) |
1430 | 0 | { |
1431 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1432 | 0 | unsigned char *p; |
1433 | 0 | #if defined(MBEDTLS_RSA_C) |
1434 | 0 | const mbedtls_pk_info_t *pk_info; |
1435 | 0 | #endif |
1436 | 0 | #if defined(MBEDTLS_PEM_PARSE_C) |
1437 | 0 | size_t len; |
1438 | 0 | mbedtls_pem_context pem; |
1439 | 0 | #endif |
1440 | |
|
1441 | 0 | PK_VALIDATE_RET(ctx != NULL); |
1442 | 0 | if (keylen == 0) { |
1443 | 0 | return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; |
1444 | 0 | } |
1445 | 0 | PK_VALIDATE_RET(key != NULL || keylen == 0); |
1446 | |
|
1447 | 0 | #if defined(MBEDTLS_PEM_PARSE_C) |
1448 | 0 | mbedtls_pem_init(&pem); |
1449 | 0 | #if defined(MBEDTLS_RSA_C) |
1450 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
1451 | 0 | if (key[keylen - 1] != '\0') { |
1452 | 0 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
1453 | 0 | } else { |
1454 | 0 | ret = mbedtls_pem_read_buffer(&pem, |
1455 | 0 | "-----BEGIN RSA PUBLIC KEY-----", |
1456 | 0 | "-----END RSA PUBLIC KEY-----", |
1457 | 0 | key, NULL, 0, &len); |
1458 | 0 | } |
1459 | |
|
1460 | 0 | if (ret == 0) { |
1461 | 0 | p = pem.buf; |
1462 | 0 | if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) { |
1463 | 0 | mbedtls_pem_free(&pem); |
1464 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
1465 | 0 | } |
1466 | | |
1467 | 0 | if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) { |
1468 | 0 | mbedtls_pem_free(&pem); |
1469 | 0 | return ret; |
1470 | 0 | } |
1471 | | |
1472 | 0 | if ((ret = pk_get_rsapubkey(&p, p + pem.buflen, mbedtls_pk_rsa(*ctx))) != 0) { |
1473 | 0 | mbedtls_pk_free(ctx); |
1474 | 0 | } |
1475 | |
|
1476 | 0 | mbedtls_pem_free(&pem); |
1477 | 0 | return ret; |
1478 | 0 | } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
1479 | 0 | mbedtls_pem_free(&pem); |
1480 | 0 | return ret; |
1481 | 0 | } |
1482 | 0 | #endif /* MBEDTLS_RSA_C */ |
1483 | | |
1484 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
1485 | 0 | if (key[keylen - 1] != '\0') { |
1486 | 0 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
1487 | 0 | } else { |
1488 | 0 | ret = mbedtls_pem_read_buffer(&pem, |
1489 | 0 | "-----BEGIN PUBLIC KEY-----", |
1490 | 0 | "-----END PUBLIC KEY-----", |
1491 | 0 | key, NULL, 0, &len); |
1492 | 0 | } |
1493 | |
|
1494 | 0 | if (ret == 0) { |
1495 | | /* |
1496 | | * Was PEM encoded |
1497 | | */ |
1498 | 0 | p = pem.buf; |
1499 | |
|
1500 | 0 | ret = mbedtls_pk_parse_subpubkey(&p, p + pem.buflen, ctx); |
1501 | 0 | mbedtls_pem_free(&pem); |
1502 | 0 | return ret; |
1503 | 0 | } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
1504 | 0 | mbedtls_pem_free(&pem); |
1505 | 0 | return ret; |
1506 | 0 | } |
1507 | 0 | mbedtls_pem_free(&pem); |
1508 | 0 | #endif /* MBEDTLS_PEM_PARSE_C */ |
1509 | |
|
1510 | 0 | #if defined(MBEDTLS_RSA_C) |
1511 | 0 | if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) { |
1512 | 0 | return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; |
1513 | 0 | } |
1514 | | |
1515 | 0 | if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) { |
1516 | 0 | return ret; |
1517 | 0 | } |
1518 | | |
1519 | 0 | p = (unsigned char *) key; |
1520 | 0 | ret = pk_get_rsapubkey(&p, p + keylen, mbedtls_pk_rsa(*ctx)); |
1521 | 0 | if (ret == 0) { |
1522 | 0 | return ret; |
1523 | 0 | } |
1524 | 0 | mbedtls_pk_free(ctx); |
1525 | 0 | if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, |
1526 | 0 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))) { |
1527 | 0 | return ret; |
1528 | 0 | } |
1529 | 0 | #endif /* MBEDTLS_RSA_C */ |
1530 | 0 | p = (unsigned char *) key; |
1531 | |
|
1532 | 0 | ret = mbedtls_pk_parse_subpubkey(&p, p + keylen, ctx); |
1533 | |
|
1534 | 0 | return ret; |
1535 | 0 | } |
1536 | | |
1537 | | #endif /* MBEDTLS_PK_PARSE_C */ |