#include "internal/ffc.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
+#include "crypto/dh.h"
+#include "crypto/dsa.h"
#include "crypto/ec.h"
#include "crypto/ecx.h"
+#include "crypto/rsa.h"
+#include "crypto/x509.h"
#include "internal/provider.h"
#include "evp_local.h"
-#include "crypto/ec.h"
-
#include "e_os.h" /* strcasecmp on Windows */
static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
/*
* If |to| is provided, we know that |from| is legacy at this point.
- * Try exporting |from| to |to|'s keymgmt, then use evp_keymgmt_copy()
+ * Try exporting |from| to |to|'s keymgmt, then use evp_keymgmt_dup()
* to copy the appropriate data to |to|'s keydata.
+ * We cannot override existing data so do it only if there is no keydata
+ * in |to| yet.
*/
- if (to->keymgmt != NULL) {
+ if (to->keymgmt != NULL && to->keydata == NULL) {
EVP_KEYMGMT *to_keymgmt = to->keymgmt;
void *from_keydata =
evp_pkey_export_to_provider((EVP_PKEY *)from, NULL, &to_keymgmt,
if (from_keydata == NULL)
ERR_raise(ERR_LIB_EVP, EVP_R_DIFFERENT_KEY_TYPES);
else
- ok = evp_keymgmt_copy(to->keymgmt, to->keydata, from_keydata,
- SELECT_PARAMETERS);
+ ok = (to->keydata = evp_keymgmt_dup(to->keymgmt,
+ from_keydata,
+ SELECT_PARAMETERS)) != NULL;
goto end;
}
return evp_keymgmt_match(keymgmt1, keydata1, keydata2, selection);
}
+# ifndef OPENSSL_NO_DEPRECATED_3_0
int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
return EVP_PKEY_parameters_eq(a, b);
}
+#endif
int EVP_PKEY_parameters_eq(const EVP_PKEY *a, const EVP_PKEY *b)
{
return -2;
}
+# ifndef OPENSSL_NO_DEPRECATED_3_0
int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
return EVP_PKEY_eq(a, b);
}
+#endif
int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b)
{
* is gone.
*/
+ /* Trivial shortcuts */
+ if (a == b)
+ return 1;
+ if (a == NULL || b == NULL)
+ return 0;
+
if (a->keymgmt != NULL || b->keymgmt != NULL)
return evp_pkey_cmp_any(a, b, (SELECT_PARAMETERS
| OSSL_KEYMGMT_SELECT_PUBLIC_KEY));
return pkey_set_type(pkey, NULL, EVP_PKEY_NONE, str, len, NULL);
}
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type)
-{
- if (!evp_pkey_is_legacy(pkey)) {
- const char *name = OBJ_nid2sn(type);
-
- if (name != NULL && EVP_PKEY_is_a(pkey, name))
- return 1;
-
- ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
- return 0;
- }
-
- if (pkey->type == type) {
- return 1; /* it already is that type */
- }
-
- /*
- * The application is requesting to alias this to a different pkey type,
- * but not one that resolves to the base type.
- */
- if (EVP_PKEY_type(type) != EVP_PKEY_base_id(pkey)) {
- ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_ALGORITHM);
- return 0;
- }
-
- pkey->type = type;
- return 1;
-}
-# endif
-
# ifndef OPENSSL_NO_ENGINE
int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *e)
{
# endif
# ifndef OPENSSL_NO_DEPRECATED_3_0
-int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
+static void detect_foreign_key(EVP_PKEY *pkey)
{
- int alias = type;
+ switch (pkey->type) {
+ case EVP_PKEY_RSA:
+ pkey->foreign = pkey->pkey.rsa != NULL
+ && ossl_rsa_is_foreign(pkey->pkey.rsa);
+ break;
+# ifndef OPENSSL_NO_EC
+ case EVP_PKEY_SM2:
+ case EVP_PKEY_EC:
+ pkey->foreign = pkey->pkey.ec != NULL
+ && ossl_ec_key_is_foreign(pkey->pkey.ec);
+ break;
+# endif
+# ifndef OPENSSL_NO_DSA
+ case EVP_PKEY_DSA:
+ pkey->foreign = pkey->pkey.dsa != NULL
+ && ossl_dsa_is_foreign(pkey->pkey.dsa);
+ break;
+#endif
+# ifndef OPENSSL_NO_DH
+ case EVP_PKEY_DH:
+ pkey->foreign = pkey->pkey.dh != NULL
+ && ossl_dh_is_foreign(pkey->pkey.dh);
+ break;
+#endif
+ default:
+ pkey->foreign = 0;
+ break;
+ }
+}
+int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
+{
# ifndef OPENSSL_NO_EC
- if ((key != NULL) && (EVP_PKEY_type(type) == EVP_PKEY_EC)) {
+ int pktype;
+
+ pktype = EVP_PKEY_type(type);
+ if ((key != NULL) && (pktype == EVP_PKEY_EC || pktype == EVP_PKEY_SM2)) {
const EC_GROUP *group = EC_KEY_get0_group(key);
- if (group != NULL && EC_GROUP_get_curve_name(group) == NID_sm2)
- alias = EVP_PKEY_SM2;
+ if (group != NULL) {
+ int curve = EC_GROUP_get_curve_name(group);
+
+ /*
+ * Regardless of what is requested the SM2 curve must be SM2 type,
+ * and non SM2 curves are EC type.
+ */
+ if (curve == NID_sm2 && pktype == EVP_PKEY_EC)
+ type = EVP_PKEY_SM2;
+ else if(curve != NID_sm2 && pktype == EVP_PKEY_SM2)
+ type = EVP_PKEY_EC;
+ }
}
# endif
if (pkey == NULL || !EVP_PKEY_set_type(pkey, type))
return 0;
- if (!EVP_PKEY_set_alias_type(pkey, alias))
- return 0;
+
pkey->pkey.ptr = key;
+ detect_foreign_key(pkey);
+
return (key != NULL);
}
# endif
static ECX_KEY *evp_pkey_get1_ECX_KEY(EVP_PKEY *pkey, int type)
{
ECX_KEY *ret = (ECX_KEY *)evp_pkey_get0_ECX_KEY(pkey, type);
- if (ret != NULL)
- ossl_ecx_key_up_ref(ret);
+
+ if (ret != NULL && !ossl_ecx_key_up_ref(ret))
+ ret = NULL;
return ret;
}
# if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
+int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *dhkey)
{
- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
- int ret = EVP_PKEY_assign(pkey, type, key);
+ int ret, type;
+
+ /*
+ * ossl_dh_is_named_safe_prime_group() returns 1 for named safe prime groups
+ * related to ffdhe and modp (which cache q = (p - 1) / 2),
+ * and returns 0 for all other dh parameter generation types including
+ * RFC5114 named groups.
+ *
+ * The EVP_PKEY_DH type is used for dh parameter generation types:
+ * - named safe prime groups related to ffdhe and modp
+ * - safe prime generator
+ *
+ * The type EVP_PKEY_DHX is used for dh parameter generation types
+ * - fips186-4 and fips186-2
+ * - rfc5114 named groups.
+ *
+ * The EVP_PKEY_DH type is used to save PKCS#3 data than can be stored
+ * without a q value.
+ * The EVP_PKEY_DHX type is used to save X9.42 data that requires the
+ * q value to be stored.
+ */
+ if (ossl_dh_is_named_safe_prime_group(dhkey))
+ type = EVP_PKEY_DH;
+ else
+ type = DH_get0_q(dhkey) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
+
+ ret = EVP_PKEY_assign(pkey, type, dhkey);
if (ret)
- DH_up_ref(key);
+ DH_up_ref(dhkey);
return ret;
}
return EVP_KEYMGMT_is_a(pkey->keymgmt, name);
}
-int EVP_PKEY_typenames_do_all(const EVP_PKEY *pkey,
- void (*fn)(const char *name, void *data),
- void *data)
+int EVP_PKEY_type_names_do_all(const EVP_PKEY *pkey,
+ void (*fn)(const char *name, void *data),
+ void *data)
{
if (!evp_pkey_is_typed(pkey))
return 0;
const char *supported_sig =
pkey->keymgmt->query_operation_name != NULL
? pkey->keymgmt->query_operation_name(OSSL_OP_SIGNATURE)
- : evp_first_name(prov, pkey->keymgmt->name_id);
+ : EVP_KEYMGMT_name(pkey->keymgmt);
EVP_SIGNATURE *signature = NULL;
signature = EVP_SIGNATURE_fetch(libctx, supported_sig, NULL);
int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid)
{
- int rv, default_nid;
+ int rv = -2, default_nid;
- rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SUPPORTS_MD_NID, nid, NULL);
if (rv == -2) {
/*
* If there is a mandatory default digest and this isn't it, then
ret->type = EVP_PKEY_NONE;
ret->save_type = EVP_PKEY_NONE;
ret->references = 1;
- ret->save_parameters = 1;
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
}
#ifndef FIPS_MODULE
+ ret->save_parameters = 1;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EVP_PKEY, ret, &ret->ex_data)) {
ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
goto err;
* EVP_PKEY_KEYMGMT, which indicates that one should be cautious
* with functions that expect legacy internal keys.
*/
- if (ameth != NULL)
- pkey->type = ameth->pkey_id;
- else
+ if (ameth != NULL) {
+ if (type == EVP_PKEY_NONE)
+ pkey->type = ameth->pkey_id;
+ } else {
pkey->type = EVP_PKEY_KEYMGMT;
+ }
#endif
}
return 1;
}
#ifndef FIPS_MODULE
+EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey)
+{
+ EVP_PKEY *dup_pk;
+
+ if (pkey == NULL) {
+ ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+
+ if ((dup_pk = EVP_PKEY_new()) == NULL)
+ return NULL;
+
+ if (evp_pkey_is_blank(pkey))
+ goto done;
+
+ if (evp_pkey_is_provided(pkey)) {
+ if (!evp_keymgmt_util_copy(dup_pk, pkey,
+ OSSL_KEYMGMT_SELECT_ALL))
+ goto err;
+ goto done;
+ }
+
+ if (evp_pkey_is_legacy(pkey)) {
+ const EVP_PKEY_ASN1_METHOD *ameth = pkey->ameth;
+
+ if (ameth == NULL || ameth->copy == NULL) {
+ if (pkey->pkey.ptr == NULL /* empty key, just set type */
+ && EVP_PKEY_set_type(dup_pk, pkey->type) != 0)
+ goto done;
+ ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE);
+ goto err;
+ }
+ if (!ameth->copy(dup_pk, pkey))
+ goto err;
+ goto done;
+ }
+
+ goto err;
+done:
+ /* copy auxiliary data */
+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EVP_PKEY,
+ &dup_pk->ex_data, &pkey->ex_data))
+ goto err;
+
+ if (pkey->attributes != NULL) {
+ if ((dup_pk->attributes = ossl_x509at_dup(pkey->attributes)) == NULL)
+ goto err;
+ }
+ return dup_pk;
+err:
+ EVP_PKEY_free(dup_pk);
+ return NULL;
+}
+
void evp_pkey_free_legacy(EVP_PKEY *x)
{
const EVP_PKEY_ASN1_METHOD *ameth = x->ameth;
return size < 0 ? 0 : size;
}
+const char *EVP_PKEY_description(const EVP_PKEY *pkey)
+{
+ if (!evp_pkey_is_assigned(pkey))
+ return NULL;
+
+ if (evp_pkey_is_provided(pkey) && pkey->keymgmt->description != NULL)
+ return pkey->keymgmt->description;
+#ifndef FIPS_MODULE
+ if (pkey->ameth != NULL)
+ return pkey->ameth->info;
+#endif
+ return NULL;
+}
+
void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
EVP_KEYMGMT **keymgmt,
const char *propquery)
/* Synchronize the dirty count */
pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
-
+
CRYPTO_THREAD_unlock(pk->lock);
goto end;
}
int type = src->type;
const char *keytype = NULL;
- keytype = evp_first_name(EVP_KEYMGMT_provider(keymgmt),
- keymgmt->name_id);
+ keytype = EVP_KEYMGMT_name(keymgmt);
/*
* If the type is EVP_PKEY_NONE, then we have a problem somewhere
projects / openssl.git / blobdiff