crypto/evp/keymgmt_lib.c

   1 /*
   2  * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/core_names.h>
  11 #include "internal/cryptlib.h"
  12 #include "internal/nelem.h"
  13 #include "crypto/evp.h"
  14 #include "crypto/asn1.h"
  15 #include "internal/core.h"
  16 #include "internal/provider.h"
  17 #include "evp_local.h"
  18
  19 struct import_data_st {
  20     EVP_KEYMGMT *keymgmt;
  21     void *keydata;
  22
  23     int selection;
  24 };
  25
  26 static int try_import(const OSSL_PARAM params[], void *arg)
  27 {
  28     struct import_data_st *data = arg;
  29
  30     return evp_keymgmt_import(data->keymgmt, data->keydata, data->selection,
  31                               params);
  32 }
  33
  34 void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
  35 {
  36     void *keydata = NULL;
  37     size_t i, j;
  38
  39     /*
  40      * If there is an underlying legacy key and it has changed, invalidate
  41      * the cache of provider keys.
  42      */
  43     if (pk->pkey.ptr != NULL) {
  44         /*
  45          * If there is no dirty counter, this key can't be used with
  46          * providers.
  47          */
  48         if (pk->ameth->dirty_cnt == NULL)
  49             return NULL;
  50
  51         if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
  52             evp_keymgmt_util_clear_pkey_cache(pk);
  53     }
  54
  55     /*
  56      * See if we have exported to this provider already.
  57      * If we have, return immediately.
  58      */
  59     for (i = 0;
  60          i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
  61          i++) {
  62         if (keymgmt == pk->pkeys[i].keymgmt)
  63             return pk->pkeys[i].keydata;
  64     }
  65
  66     if ((keydata = evp_keymgmt_newdata(keymgmt)) == NULL)
  67         return NULL;
  68
  69     if (pk->pkey.ptr != NULL) {
  70         /* There is a legacy key, try to export that one to the provider */
  71
  72         /*
  73          * If the legacy key doesn't have an export function or the export
  74          * function fails, give up
  75          */
  76         if (pk->ameth->export_to == NULL
  77             || !pk->ameth->export_to(pk, keydata, keymgmt)) {
  78             evp_keymgmt_freedata(keymgmt, keydata);
  79             return NULL;
  80         }
  81
  82         /* Synchronize the dirty count */
  83         pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
  84     } else {
  85         /*
  86          * Here, there is no legacy key, so we look at the already cached
  87          * provider keys, and import from the first that supports it
  88          * (i.e. use its export function), and export the imported data to
  89          * the new provider.
  90          */
  91
  92         /* Setup for the export callback */
  93         struct import_data_st import_data;
  94
  95         import_data.keydata = keydata;
  96         import_data.keymgmt = keymgmt;
  97         import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
  98
  99         for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
 100             EVP_KEYMGMT *exp_keymgmt = pk->pkeys[i].keymgmt;
 101             void *exp_keydata = pk->pkeys[i].keydata;
 102
 103             /*
 104              * TODO(3.0) consider an evp_keymgmt_export() return value that
 105              * indicates that the method is unsupported.
 106              */
 107             if (exp_keymgmt->export == NULL)
 108                 continue;
 109
 110             /*
 111              * The export function calls the callback (try_import), which
 112              * does the import for us.  If successful, we're done.
 113              */
 114             if (evp_keymgmt_export(exp_keymgmt, exp_keydata,
 115                                    OSSL_KEYMGMT_SELECT_ALL,
 116                                    &try_import, &import_data))
 117                 break;
 118
 119             /* If there was an error, bail out */
 120             evp_keymgmt_freedata(keymgmt, keydata);
 121             return NULL;
 122         }
 123     }
 124
 125     /*
 126      * TODO(3.0) Right now, we assume we have ample space.  We will
 127      * have to think about a cache aging scheme, though, if |i| indexes
 128      * outside the array.
 129      */
 130     if (!ossl_assert(i < OSSL_NELEM(pk->pkeys)))
 131         return NULL;
 132
 133     evp_keymgmt_util_cache_pkey(pk, i, keymgmt, keydata);
 134
 135     return keydata;
 136 }
 137
 138 void evp_keymgmt_util_clear_pkey_cache(EVP_PKEY *pk)
 139 {
 140     size_t i;
 141
 142     if (pk != NULL) {
 143         for (i = 0;
 144              i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
 145              i++) {
 146             EVP_KEYMGMT *keymgmt = pk->pkeys[i].keymgmt;
 147             void *keydata = pk->pkeys[i].keydata;
 148
 149             pk->pkeys[i].keymgmt = NULL;
 150             pk->pkeys[i].keydata = NULL;
 151             evp_keymgmt_freedata(keymgmt, keydata);
 152             EVP_KEYMGMT_free(keymgmt);
 153         }
 154
 155         pk->cache.size = 0;
 156         pk->cache.bits = 0;
 157         pk->cache.security_bits = 0;
 158     }
 159 }
 160
 161 void evp_keymgmt_util_cache_pkey(EVP_PKEY *pk, size_t index,
 162                                  EVP_KEYMGMT *keymgmt, void *keydata)
 163 {
 164     if (keydata != NULL) {
 165         EVP_KEYMGMT_up_ref(keymgmt);
 166         pk->pkeys[index].keydata = keydata;
 167         pk->pkeys[index].keymgmt = keymgmt;
 168
 169         /*
 170          * Cache information about the key object.  Only needed for the
 171          * "original" provider side key.
 172          *
 173          * This services functions like EVP_PKEY_size, EVP_PKEY_bits, etc
 174          */
 175         if (index == 0) {
 176             int bits = 0;
 177             int security_bits = 0;
 178             int size = 0;
 179             OSSL_PARAM params[4];
 180
 181             params[0] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_BITS, &bits);
 182             params[1] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_SECURITY_BITS,
 183                                                  &security_bits);
 184             params[2] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_MAX_SIZE,
 185                                                  &size);
 186             params[3] = OSSL_PARAM_construct_end();
 187             if (evp_keymgmt_get_params(keymgmt, keydata, params)) {
 188                 pk->cache.size = size;
 189                 pk->cache.bits = bits;
 190                 pk->cache.security_bits = security_bits;
 191             }
 192         }
 193     }
 194 }
 195
 196 void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
 197                                 int selection, const OSSL_PARAM params[])
 198 {
 199     void *keydata = evp_keymgmt_newdata(keymgmt);
 200
 201     if (keydata != NULL) {
 202         if (!evp_keymgmt_import(keymgmt, keydata, selection, params)) {
 203             evp_keymgmt_freedata(keymgmt, keydata);
 204             return NULL;
 205         }
 206
 207
 208         evp_keymgmt_util_clear_pkey_cache(target);
 209         evp_keymgmt_util_cache_pkey(target, 0, keymgmt, keydata);
 210     }
 211
 212     return keydata;
 213 }