From d382e79632677f2457025be3d820e08d7ea12d85 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 30 Apr 2021 16:57:53 +0200 Subject: [PATCH] Make the -inform option to be respected if possible Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called. The input type format is enforced only in case the file type file store is used. By default we use FORMAT_UNDEF meaning the input type is not enforced. Fixes #14569 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15100) --- apps/ca.c | 10 +-- apps/cmp.c | 6 +- apps/cms.c | 16 +++-- apps/crl.c | 6 +- apps/dgst.c | 2 +- apps/dsa.c | 2 +- apps/dsaparam.c | 4 +- apps/ec.c | 2 +- apps/ecparam.c | 2 +- apps/gendsa.c | 2 +- apps/include/apps.h | 15 ++-- apps/lib/apps.c | 61 ++++++++++++----- apps/lib/s_cb.c | 3 +- apps/ocsp.c | 12 ++-- apps/pkcs8.c | 9 +-- apps/pkey.c | 2 +- apps/pkeyutl.c | 5 +- apps/req.c | 6 +- apps/rsa.c | 4 +- apps/rsautl.c | 4 +- apps/s_client.c | 11 +-- apps/s_server.c | 22 +++--- apps/smime.c | 9 +-- apps/spkac.c | 2 +- apps/storeutl.c | 2 +- apps/verify.c | 2 +- apps/x509.c | 8 +-- crypto/pem/pem_pkey.c | 2 +- crypto/store/store_lib.c | 68 +++++++++++-------- crypto/x509/by_store.c | 3 +- doc/man3/OSSL_STORE_attach.pod | 1 + doc/man3/OSSL_STORE_open.pod | 5 +- include/openssl/core_names.h | 2 + include/openssl/store.h | 2 + providers/fips-sources.checksums | 2 +- providers/fips.checksum | 2 +- .../implementations/storemgmt/file_store.c | 33 +++++---- test/ossl_store_test.c | 6 +- 38 files changed, 212 insertions(+), 143 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 9dd46e4f5c..923ede4cde 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -274,7 +274,7 @@ int ca_main(int argc, char **argv) char def_dgst[80] = ""; char *dgst = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; - int certformat = FORMAT_PEM, informat = FORMAT_PEM; + int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF; const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; char *passin = NULL; @@ -289,7 +289,7 @@ int ca_main(int argc, char **argv) size_t outdirlen = 0; int create_ser = 0, free_passin = 0, total = 0, total_done = 0; int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; - int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0; + int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0; int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; int rand_ser = 0, i, j, selfsign = 0, def_ret; char *crl_lastupdate = NULL, *crl_nextupdate = NULL; @@ -594,7 +594,7 @@ end_of_options: && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) goto end; - x509 = load_cert_pass(certfile, 1, passin, "CA certificate"); + x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate"); if (x509 == NULL) goto end; @@ -1287,7 +1287,7 @@ end_of_options: } else { X509 *revcert; - revcert = load_cert_pass(infile, 1, passin, + revcert = load_cert_pass(infile, informat, 1, passin, "certificate to be revoked"); if (revcert == NULL) goto end; @@ -1417,7 +1417,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat, EVP_PKEY *pktmp = NULL; int ok = -1, i; - if ((template_cert = load_cert_pass(infile, 1, passin, + if ((template_cert = load_cert_pass(infile, certformat, 1, passin, "template certificate")) == NULL) goto end; if (verbose) diff --git a/apps/cmp.c b/apps/cmp.c index fdd0043311..f64cb8c813 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -131,8 +131,8 @@ static int opt_revreason = CRL_REASON_NONE; /* credentials format */ static char *opt_certform_s = "PEM"; static int opt_certform = FORMAT_PEM; -static char *opt_keyform_s = "PEM"; -static int opt_keyform = FORMAT_PEM; +static char *opt_keyform_s = NULL; +static int opt_keyform = FORMAT_UNDEF; static char *opt_otherpass = NULL; static char *opt_engine = NULL; @@ -635,7 +635,7 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc) X509 *cert; char *pass_string = get_passwd(pass, desc); - cert = load_cert_pass(uri, 0, pass_string, desc); + cert = load_cert_pass(uri, FORMAT_UNDEF, 0, pass_string, desc); clear_free(pass_string); return cert; } diff --git a/apps/cms.c b/apps/cms.c index e512f1d3e8..f40049edac 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -292,7 +292,7 @@ int cms_main(int argc, char **argv) int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1; - int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; + int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_UNDEF; size_t secret_keylen = 0, secret_keyidlen = 0; unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; unsigned char *secret_key = NULL, *secret_keyid = NULL; @@ -611,7 +611,8 @@ int cms_main(int argc, char **argv) if (operation == SMIME_ENCRYPT) { if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) goto end; - cert = load_cert(opt_arg(), "recipient certificate file"); + cert = load_cert(opt_arg(), FORMAT_UNDEF, + "recipient certificate file"); if (cert == NULL) goto end; sk_X509_push(encerts, cert); @@ -810,7 +811,8 @@ int cms_main(int argc, char **argv) if ((encerts = sk_X509_new_null()) == NULL) goto end; while (*argv) { - if ((cert = load_cert(*argv, "recipient certificate file")) == NULL) + if ((cert = load_cert(*argv, FORMAT_UNDEF, + "recipient certificate file")) == NULL) goto end; sk_X509_push(encerts, cert); cert = NULL; @@ -826,7 +828,7 @@ int cms_main(int argc, char **argv) } if (recipfile != NULL && (operation == SMIME_DECRYPT)) { - if ((recip = load_cert(recipfile, + if ((recip = load_cert(recipfile, FORMAT_UNDEF, "recipient certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -834,7 +836,7 @@ int cms_main(int argc, char **argv) } if (originatorfile != NULL) { - if ((originator = load_cert(originatorfile, + if ((originator = load_cert(originatorfile, FORMAT_UNDEF, "originator certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -842,7 +844,7 @@ int cms_main(int argc, char **argv) } if (operation == SMIME_SIGN_RECEIPT) { - if ((signer = load_cert(signerfile, + if ((signer = load_cert(signerfile, FORMAT_UNDEF, "receipt signer certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -1048,7 +1050,7 @@ int cms_main(int argc, char **argv) signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(signerfile, "signer certificate"); + signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) { ret = 2; goto end; diff --git a/apps/crl.c b/apps/crl.c index 8f1babde6f..8904cc08c7 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -88,7 +88,7 @@ int crl_main(int argc, char **argv) const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog; OPTION_CHOICE o; int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF; int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0; int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0; int i; @@ -211,7 +211,7 @@ int crl_main(int argc, char **argv) if (!opt_md(digestname, &digest)) goto opthelp; } - x = load_crl(infile, 1, "CRL"); + x = load_crl(infile, informat, 1, "CRL"); if (x == NULL) goto end; @@ -256,7 +256,7 @@ int crl_main(int argc, char **argv) BIO_puts(bio_err, "Missing CRL signing key\n"); goto end; } - newcrl = load_crl(crldiff, 0, "other CRL"); + newcrl = load_crl(crldiff, informat, 0, "other CRL"); if (!newcrl) goto end; pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key"); diff --git a/apps/dgst.c b/apps/dgst.c index fcc7fc8679..15f9e2e685 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -105,7 +105,7 @@ int dgst_main(int argc, char **argv) const char *sigfile = NULL; const char *md_name = NULL; OPTION_CHOICE o; - int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0; + int separator = 0, debug = 0, keyform = FORMAT_UNDEF, siglen = 0; int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0; int xoflen = 0; unsigned char *buf = NULL, *sigbuf = NULL; diff --git a/apps/dsa.c b/apps/dsa.c index c00673a8ac..abb422132a 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -83,7 +83,7 @@ int dsa_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0; int modulus = 0, pubin = 0, pubout = 0, ret = 1; int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; int private = 0; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index c78d28ecb1..d7fb736b98 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -69,7 +69,7 @@ int dsaparam_main(int argc, char **argv) EVP_PKEY *params = NULL, *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; int numbits = -1, num = 0, genkey = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0; int ret = 1, i, text = 0, private = 0; char *infile = NULL, *outfile = NULL, *prog; OPTION_CHOICE o; @@ -181,7 +181,7 @@ int dsaparam_main(int argc, char **argv) goto end; } } else { - params = load_keyparams(infile, 1, "DSA", "DSA parameters"); + params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters"); } if (params == NULL) { /* Error message should already have been displayed */ diff --git a/apps/ec.c b/apps/ec.c index 379c6b6132..e3ce437076 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -73,7 +73,7 @@ int ec_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0; int check = 0; char *asn1_encoding = NULL; diff --git a/apps/ecparam.c b/apps/ecparam.c index e9e36d1d8b..a801ad69bf 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -240,7 +240,7 @@ int ecparam_main(int argc, char **argv) goto end; } } else { - params_key = load_keyparams(infile, 1, "EC", "EC parameters"); + params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters"); if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC")) goto end; if (point_format diff --git a/apps/gendsa.c b/apps/gendsa.c index 6d1c91d230..f4bd0fe09e 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -121,7 +121,7 @@ int gendsa_main(int argc, char **argv) goto end; } - pkey = load_keyparams(dsaparams, 1, "DSA", "DSA parameters"); + pkey = load_keyparams(dsaparams, FORMAT_UNDEF, 1, "DSA", "DSA parameters"); out = bio_open_owner(outfile, FORMAT_PEM, private); if (out == NULL) diff --git a/apps/include/apps.h b/apps/include/apps.h index a8556b8132..207ed41bc7 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -108,18 +108,19 @@ char *get_passwd(const char *pass, const char *desc); int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); int add_oid_section(CONF *conf); X509_REQ *load_csr(const char *file, int format, const char *desc); -X509 *load_cert_pass(const char *uri, int maybe_stdin, +X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc); -#define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc) -X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc); +#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc) +X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, + const char *desc); void cleanse(char *str); void clear_free(char *str); EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); -EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype, - const char *desc); +EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin, + const char *keytype, const char *desc); char *next_item(char *opt); /* in list separated by comma and/or space */ int load_cert_certs(const char *uri, X509 **pcert, STACK_OF(X509) **pcerts, @@ -133,13 +134,13 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, const char *pass, const char *desc); int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc); -int load_key_certs_crls(const char *uri, int maybe_stdin, +int load_key_certs_crls(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, EVP_PKEY **pparams, X509 **pcert, STACK_OF(X509) **pcerts, X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls); -int load_key_cert_crl(const char *uri, int maybe_stdin, +int load_key_cert_crl(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, X509 **pcert, X509_CRL **pcrl); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index bfd938b555..f0a9ffc93a 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -38,6 +38,7 @@ #include #include #include +#include #include "s_apps.h" #include "apps.h" @@ -478,7 +479,7 @@ CONF *app_load_config_modules(const char *configfile) #define IS_HTTPS(uri) ((uri) != NULL \ && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0) -X509 *load_cert_pass(const char *uri, int maybe_stdin, +X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc) { X509 *cert = NULL; @@ -490,7 +491,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin, else if (IS_HTTP(uri)) cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */); else - (void)load_key_certs_crls(uri, maybe_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, NULL, NULL, NULL, &cert, NULL, NULL, NULL); if (cert == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); @@ -499,7 +500,8 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin, return cert; } -X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc) +X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, + const char *desc) { X509_CRL *crl = NULL; @@ -510,7 +512,7 @@ X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc) else if (IS_HTTP(uri)) crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */); else - (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, NULL, NULL, NULL, NULL, NULL, &crl, NULL); if (crl == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); @@ -524,6 +526,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) X509_REQ *req = NULL; BIO *in; + if (format == FORMAT_UNDEF) + format = FORMAT_PEM; if (desc == NULL) desc = "CSR"; in = bio_open_default(file, 'r', format); @@ -570,7 +574,7 @@ EVP_PKEY *load_key(const char *uri, int format, int may_stdin, if (format == FORMAT_ENGINE) { uri = allocated_uri = make_engine_uri(e, uri, desc); } - (void)load_key_certs_crls(uri, may_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, may_stdin, pass, desc, &pkey, NULL, NULL, NULL, NULL, NULL, NULL); OPENSSL_free(allocated_uri); @@ -589,22 +593,22 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, if (format == FORMAT_ENGINE) { uri = allocated_uri = make_engine_uri(e, uri, desc); } - (void)load_key_certs_crls(uri, maybe_stdin, pass, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, NULL, &pkey, NULL, NULL, NULL, NULL, NULL); OPENSSL_free(allocated_uri); return pkey; } -EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype, - const char *desc) +EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin, + const char *keytype, const char *desc) { EVP_PKEY *params = NULL; if (desc == NULL) desc = "key parameters"; - (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc, + (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, NULL, NULL, ¶ms, NULL, NULL, NULL, NULL); if (params != NULL && keytype != NULL && !EVP_PKEY_is_a(params, keytype)) { BIO_printf(bio_err, @@ -698,7 +702,8 @@ int load_cert_certs(const char *uri, return ret; } pass_string = get_passwd(pass, desc); - ret = load_key_certs_crls(uri, 0, pass_string, desc, NULL, NULL, NULL, + ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc, + NULL, NULL, NULL, pcert, pcerts, NULL, NULL); clear_free(pass_string); @@ -800,7 +805,8 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, const char *pass, const char *desc) { int was_NULL = *certs == NULL; - int ret = load_key_certs_crls(uri, maybe_stdin, pass, desc, NULL, NULL, + int ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin, + pass, desc, NULL, NULL, NULL, NULL, certs, NULL, NULL); if (!ret && was_NULL) { @@ -818,7 +824,8 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc) { int was_NULL = *crls == NULL; - int ret = load_key_certs_crls(uri, 0, pass, desc, NULL, NULL, NULL, + int ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc, + NULL, NULL, NULL, NULL, NULL, NULL, crls); if (!ret && was_NULL) { @@ -828,6 +835,17 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, return ret; } +static const char *format2string(int format) +{ + switch(format) { + case FORMAT_PEM: + return "PEM"; + case FORMAT_ASN1: + return "DER"; + } + return NULL; +} + /* Set type expectation, but clear it if objects of different types expected. */ #define SET_EXPECT(val) expect = expect < 0 ? val : (expect == val ? val : 0); /* @@ -843,7 +861,7 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, * In any case (also on error) the caller is responsible for freeing all members * of *pcerts and *pcrls (as far as they are not NULL). */ -int load_key_certs_crls(const char *uri, int maybe_stdin, +int load_key_certs_crls(const char *uri, int format, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, EVP_PKEY **pparams, @@ -863,6 +881,9 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, pcrls != NULL ? "CRLs" : NULL; int cnt_expectations = 0; int expect = -1; + const char *input_type; + OSSL_PARAM itp[2]; + const OSSL_PARAM *params = NULL; /* TODO make use of the engine reference 'eng' when loading pkeys */ if (ppkey != NULL) { @@ -915,6 +936,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, uidata.password = pass; uidata.prompt_info = uri; + if ((input_type = format2string(format)) != NULL) { + itp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, + (char *)input_type, 0); + itp[1] = OSSL_PARAM_construct_end(); + params = itp; + } + if (uri == NULL) { BIO *bio; @@ -927,12 +955,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, bio = BIO_new_fp(stdin, 0); if (bio != NULL) { ctx = OSSL_STORE_attach(bio, "file", libctx, propq, - get_ui_method(), &uidata, NULL, NULL); + get_ui_method(), &uidata, params, + NULL, NULL); BIO_free(bio); } } else { ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata, - NULL, NULL); + params, NULL, NULL); } if (ctx == NULL) { BIO_printf(bio_err, "Could not open file or uri for loading"); @@ -2322,7 +2351,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp) DIST_POINT *dp = sk_DIST_POINT_value(crldp, i); urlptr = get_dp_url(dp); if (urlptr != NULL) - return load_crl(urlptr, 0, "CRL via CDP"); + return load_crl(urlptr, FORMAT_UNDEF, 0, "CRL via CDP"); } return NULL; } diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 6824567c70..0bb4b6c436 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -1019,7 +1019,8 @@ int load_excert(SSL_EXCERT **pexc) BIO_printf(bio_err, "Missing filename\n"); return 0; } - exc->cert = load_cert(exc->certfile, "Server Certificate"); + exc->cert = load_cert(exc->certfile, exc->certform, + "Server Certificate"); if (exc->cert == NULL) return 0; if (exc->keyfile != NULL) { diff --git a/apps/ocsp.c b/apps/ocsp.c index d59cd1eb59..355b4127c8 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -402,7 +402,7 @@ int ocsp_main(int argc, char **argv) path = opt_arg(); break; case OPT_ISSUER: - issuer = load_cert(opt_arg(), "issuer certificate"); + issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate"); if (issuer == NULL) goto end; if (issuers == NULL) { @@ -414,7 +414,7 @@ int ocsp_main(int argc, char **argv) break; case OPT_CERT: X509_free(cert); - cert = load_cert(opt_arg(), "certificate"); + cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate"); if (cert == NULL) goto end; if (cert_id_md == NULL) @@ -565,7 +565,7 @@ int ocsp_main(int argc, char **argv) if (rsignfile != NULL) { if (rkeyfile == NULL) rkeyfile = rsignfile; - rsigner = load_cert(rsignfile, "responder certificate"); + rsigner = load_cert(rsignfile, FORMAT_UNDEF, "responder certificate"); if (rsigner == NULL) { BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; @@ -581,7 +581,7 @@ int ocsp_main(int argc, char **argv) BIO_printf(bio_err, "Error getting password\n"); goto end; } - rkey = load_key(rkeyfile, FORMAT_PEM, 0, passin, NULL, + rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL, "responder private key"); if (rkey == NULL) goto end; @@ -661,7 +661,7 @@ redo_accept: if (signfile != NULL) { if (keyfile == NULL) keyfile = signfile; - signer = load_cert(signfile, "signer certificate"); + signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) { BIO_printf(bio_err, "Error loading signer certificate\n"); goto end; @@ -671,7 +671,7 @@ redo_accept: "signer certificates")) goto end; } - key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, + key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL, "signer private key"); if (key == NULL) goto end; diff --git a/apps/pkcs8.c b/apps/pkcs8.c index d7cb2d6672..6b09b909eb 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -83,7 +83,7 @@ int pkcs8_main(int argc, char **argv) char *passin = NULL, *passout = NULL, *p8pass = NULL; OPTION_CHOICE o; int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; int private = 0, traditional = 0; #ifndef OPENSSL_NO_SCRYPT long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0; @@ -214,7 +214,8 @@ int pkcs8_main(int argc, char **argv) if ((pbe_nid == -1) && cipher == NULL) cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); - in = bio_open_default(infile, 'r', informat); + in = bio_open_default(infile, 'r', + informat == FORMAT_UNDEF ? FORMAT_PEM : informat); if (in == NULL) goto end; out = bio_open_owner(outfile, outformat, private); @@ -298,7 +299,7 @@ int pkcs8_main(int argc, char **argv) } if (nocrypt) { - if (informat == FORMAT_PEM) { + if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) { p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL); } else if (informat == FORMAT_ASN1) { p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL); @@ -307,7 +308,7 @@ int pkcs8_main(int argc, char **argv) goto end; } } else { - if (informat == FORMAT_PEM) { + if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) { p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL); } else if (informat == FORMAT_ASN1) { p8 = d2i_PKCS8_bio(in, NULL); diff --git a/apps/pkey.c b/apps/pkey.c index d7e32b6e58..ddc3414d0c 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -75,7 +75,7 @@ int pkey_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog; OPTION_CHOICE o; - int informat = FORMAT_PEM, outformat = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM; int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1; int private = 0, traditional = 0, check = 0, pub_check = 0; #ifndef OPENSSL_NO_EC diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 3a26ec5ca7..0424e556c1 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -111,7 +111,8 @@ int pkeyutl_main(int argc, char **argv) char hexdump = 0, asn1parse = 0, rev = 0, *prog; unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; OPTION_CHOICE o; - int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = FORMAT_PEM; + int buf_inlen = 0, siglen = -1; + int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF; int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; int engine_impl = 0; int ret = 1, rv = -1; @@ -555,7 +556,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, break; case KEY_CERT: - x = load_cert(keyfile, "Certificate"); + x = load_cert(keyfile, keyform, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); diff --git a/apps/req.c b/apps/req.c index 6817a8bd54..d41b992e6d 100644 --- a/apps/req.c +++ b/apps/req.c @@ -256,7 +256,7 @@ int req_main(int argc, char **argv) int days = UNSET_DAYS; int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; int pkey_type = -1; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF; int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; long newkey_len = -1; @@ -762,7 +762,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Ignoring -CAkey option since no -CA option is given\n"); } else { - if ((CAkey = load_key(CAkeyfile, FORMAT_PEM, + if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 0, passin, e, "issuer private key")) == NULL) goto end; } @@ -777,7 +777,7 @@ int req_main(int argc, char **argv) "Need to give the -CAkey option if using -CA\n"); goto end; } - if ((CAcert = load_cert_pass(CAfile, 1, passin, + if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin, "issuer certificate")) == NULL) goto end; if (!X509_check_private_key(CAcert, CAkey)) { diff --git a/apps/rsa.c b/apps/rsa.c index 0ff6cf3266..83fd8350df 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -96,7 +96,7 @@ int rsa_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; int private = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, check = 0; int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1; int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; OPTION_CHOICE o; @@ -204,7 +204,7 @@ int rsa_main(int argc, char **argv) } if (pubin) { - int tmpformat = -1; + int tmpformat = FORMAT_UNDEF; if (pubin == 2) { if (informat == FORMAT_PEM) diff --git a/apps/rsautl.c b/apps/rsautl.c index a8911ff206..c2bc1af89b 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -81,7 +81,7 @@ int rsautl_main(int argc, char **argv) char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING; size_t rsa_inlen, rsa_outlen = 0; - int keyformat = FORMAT_PEM, keysize, ret = 1, rv; + int keyformat = FORMAT_UNDEF, keysize, ret = 1, rv; int hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0; OPTION_CHOICE o; @@ -196,7 +196,7 @@ int rsautl_main(int argc, char **argv) break; case KEY_CERT: - x = load_cert(keyfile, "Certificate"); + x = load_cert(keyfile, FORMAT_UNDEF, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); diff --git a/apps/s_client.c b/apps/s_client.c index 3c62739698..1aa7a3b7de 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -815,15 +815,15 @@ int s_client_main(int argc, char **argv) struct timeval timeout, *timeoutp; fd_set readfds, writefds; int noCApath = 0, noCAfile = 0, noCAstore = 0; - int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM; - int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0; + int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_UNDEF; + int key_format = FORMAT_UNDEF, crlf = 0, full_log = 1, mbuf_len = 0; int prexit = 0; int sdebug = 0; int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0; int sbuf_len, sbuf_off, cmdletters = 1; int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0; - int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; + int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF, crl_download = 0; int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) int at_eof = 0; @@ -1620,7 +1620,8 @@ int s_client_main(int argc, char **argv) } if (cert_file != NULL) { - cert = load_cert_pass(cert_file, 1, pass, "client certificate"); + cert = load_cert_pass(cert_file, cert_format, 1, pass, + "client certificate"); if (cert == NULL) goto end; } @@ -1632,7 +1633,7 @@ int s_client_main(int argc, char **argv) if (crl_file != NULL) { X509_CRL *crl; - crl = load_crl(crl_file, 0, "CRL"); + crl = load_crl(crl_file, crl_format, 0, "CRL"); if (crl == NULL) goto end; crls = sk_X509_CRL_new_null(); diff --git a/apps/s_server.c b/apps/s_server.c index 6adee7ec6d..5d9e8cd568 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -978,11 +978,11 @@ int s_server_main(int argc, char *argv[]) int no_dhe = 0; int nocert = 0, ret = 1; int noCApath = 0, noCAfile = 0, noCAstore = 0; - int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; - int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; + int s_cert_format = FORMAT_UNDEF, s_key_format = FORMAT_UNDEF; + int s_dcert_format = FORMAT_UNDEF, s_dkey_format = FORMAT_UNDEF; int rev = 0, naccept = -1, sdebug = 0; int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0; - int state = 0, crl_format = FORMAT_PEM, crl_download = 0; + int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0; char *host = NULL; char *port = OPENSSL_strdup(PORT); unsigned char *context = NULL; @@ -1688,7 +1688,8 @@ int s_server_main(int argc, char *argv[]) if (s_key == NULL) goto end; - s_cert = load_cert_pass(s_cert_file, 1, pass, "server certificate"); + s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass, + "server certificate"); if (s_cert == NULL) goto end; @@ -1704,7 +1705,7 @@ int s_server_main(int argc, char *argv[]) if (s_key2 == NULL) goto end; - s_cert2 = load_cert_pass(s_cert_file2, 1, pass, + s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass, "second server certificate"); if (s_cert2 == NULL) @@ -1727,7 +1728,7 @@ int s_server_main(int argc, char *argv[]) if (crl_file != NULL) { X509_CRL *crl; - crl = load_crl(crl_file, 0, "CRL"); + crl = load_crl(crl_file, crl_format, 0, "CRL"); if (crl == NULL) goto end; crls = sk_X509_CRL_new_null(); @@ -1749,7 +1750,7 @@ int s_server_main(int argc, char *argv[]) if (s_dkey == NULL) goto end; - s_dcert = load_cert_pass(s_dcert_file, 1, dpass, + s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass, "second server certificate"); if (s_dcert == NULL) { @@ -1975,9 +1976,9 @@ int s_server_main(int argc, char *argv[]) EVP_PKEY *dhpkey = NULL; if (dhfile != NULL) - dhpkey = load_keyparams(dhfile, 0, "DH", "DH parameters"); + dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH", "DH parameters"); else if (s_cert_file != NULL) - dhpkey = load_keyparams(s_cert_file, 0, "DH", "DH parameters"); + dhpkey = load_keyparams(s_cert_file, FORMAT_UNDEF, 0, "DH", "DH parameters"); if (dhpkey != NULL) { BIO_printf(bio_s_out, "Setting temp DH parameters\n"); @@ -2009,7 +2010,8 @@ int s_server_main(int argc, char *argv[]) if (ctx2 != NULL) { if (dhfile != NULL) { - EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, 0, "DH", + EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, FORMAT_UNDEF, + 0, "DH", "DH parameters"); if (dhpkey2 != NULL) { diff --git a/apps/smime.c b/apps/smime.c index 011dc99c4b..ea71121fb4 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -151,7 +151,7 @@ int smime_main(int argc, char **argv) int noCApath = 0, noCAfile = 0, noCAstore = 0; int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = - FORMAT_PEM; + FORMAT_UNDEF; int vpmtouched = 0, rv = 0; ENGINE *e = NULL; const char *mime_eol = "\n"; @@ -449,7 +449,8 @@ int smime_main(int argc, char **argv) if (encerts == NULL) goto end; while (*argv != NULL) { - cert = load_cert(*argv, "recipient certificate file"); + cert = load_cert(*argv, FORMAT_UNDEF, + "recipient certificate file"); if (cert == NULL) goto end; sk_X509_push(encerts, cert); @@ -466,7 +467,7 @@ int smime_main(int argc, char **argv) } if (recipfile != NULL && (operation == SMIME_DECRYPT)) { - if ((recip = load_cert(recipfile, + if ((recip = load_cert(recipfile, FORMAT_UNDEF, "recipient certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; @@ -573,7 +574,7 @@ int smime_main(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(signerfile, "signer certificate"); + signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) goto end; key = load_key(keyfile, keyform, 0, passin, e, "signing key"); diff --git a/apps/spkac.c b/apps/spkac.c index 9c12504b90..adc6f7372c 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -67,7 +67,7 @@ int spkac_main(int argc, char **argv) char *spkstr = NULL, *prog; const char *spkac = "SPKAC", *spksect = "default"; int i, ret = 1, verify = 0, noout = 0, pubkey = 0; - int keyformat = FORMAT_PEM; + int keyformat = FORMAT_UNDEF; OPTION_CHOICE o; prog = opt_init(argc, argv, spkac_options); diff --git a/apps/storeutl.c b/apps/storeutl.c index 3e7ab32b7a..1368caae92 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -358,7 +358,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata, int ret = 1, items = 0; if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata, - NULL, NULL)) + NULL, NULL, NULL)) == NULL) { BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri); ERR_print_errors(bio_err); diff --git a/apps/verify.c b/apps/verify.c index d66f137258..acf80c65c4 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -253,7 +253,7 @@ static int check(X509_STORE *ctx, const char *file, STACK_OF(X509) *chain = NULL; int num_untrusted; - x = load_cert(file, "certificate file"); + x = load_cert(file, FORMAT_UNDEF, "certificate file"); if (x == NULL) goto end; diff --git a/apps/x509.c b/apps/x509.c index a9c5d41096..9632d72260 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -266,9 +266,9 @@ int x509_main(int argc, char **argv) char *prog; int days = UNSET_DAYS; /* not explicitly set */ int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0; - int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; + int CAformat = FORMAT_UNDEF, CAkeyformat = FORMAT_UNDEF; int fingerprint = 0, reqfile = 0, checkend = 0; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF; int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; int noout = 0, CA_createserial = 0, email = 0; int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; @@ -719,7 +719,7 @@ int x509_main(int argc, char **argv) } } } else { - x = load_cert_pass(infile, 1, passin, "certificate"); + x = load_cert_pass(infile, informat, 1, passin, "certificate"); if (x == NULL) goto end; } @@ -734,7 +734,7 @@ int x509_main(int argc, char **argv) goto end; if (CAfile != NULL) { - xca = load_cert_pass(CAfile, 1, passin, "CA certificate"); + xca = load_cert_pass(CAfile, CAformat, 1, passin, "CA certificate"); if (xca == NULL) goto end; } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index e5b740f214..3faca8d0ec 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -55,7 +55,7 @@ static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x, return NULL; if ((ctx = OSSL_STORE_attach(bp, "file", libctx, propq, ui_method, u, - NULL, NULL)) == NULL) + NULL, NULL, NULL)) == NULL) goto err; #ifndef OPENSSL_NO_SECURE_HEAP # ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index e7f5860604..158b7be79d 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -32,9 +32,37 @@ static int ossl_store_close_it(OSSL_STORE_CTX *ctx); +static int loader_set_params(OSSL_STORE_LOADER *loader, + OSSL_STORE_LOADER_CTX *loader_ctx, + const OSSL_PARAM params[], const char *propq) +{ + if (params != NULL) { + if (!loader->p_set_ctx_params(loader_ctx, params)) + return 0; + } + + if (propq != NULL) { + OSSL_PARAM propp[2]; + + if (OSSL_PARAM_locate_const(params, + OSSL_STORE_PARAM_PROPERTIES) != NULL) + /* use the propq from params */ + return 1; + + propp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_PROPERTIES, + (char *)propq, 0); + propp[1] = OSSL_PARAM_construct_end(); + + if (!loader->p_set_ctx_params(loader_ctx, propp)) + return 0; + } + return 1; +} + OSSL_STORE_CTX * OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { @@ -103,18 +131,11 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, if (loader_ctx == NULL) { OSSL_STORE_LOADER_free(fetched_loader); fetched_loader = NULL; - } else if (propq != NULL) { - OSSL_PARAM params[2]; - - params[0] = OSSL_PARAM_construct_utf8_string( - OSSL_STORE_PARAM_PROPERTIES, (char *)propq, 0); - params[1] = OSSL_PARAM_construct_end(); - - if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) { - (void)fetched_loader->p_close(loader_ctx); - OSSL_STORE_LOADER_free(fetched_loader); - fetched_loader = NULL; - } + } else if(!loader_set_params(fetched_loader, loader_ctx, + params, propq)) { + (void)fetched_loader->p_close(loader_ctx); + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; } loader = fetched_loader; } @@ -187,8 +208,8 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { - return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, post_process, - post_process_data); + return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, NULL, + post_process, post_process_data); } #ifndef OPENSSL_NO_DEPRECATED_3_0 @@ -927,6 +948,7 @@ const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion) OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { @@ -957,19 +979,11 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, || (loader_ctx = fetched_loader->p_attach(provctx, cbio)) == NULL) { OSSL_STORE_LOADER_free(fetched_loader); fetched_loader = NULL; - } else if (propq != NULL) { - OSSL_PARAM params[] = { - OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, - NULL, 0), - OSSL_PARAM_END - }; - - params[0].data = (void *)propq; - if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) { - (void)fetched_loader->p_close(loader_ctx); - OSSL_STORE_LOADER_free(fetched_loader); - fetched_loader = NULL; - } + } else if (!loader_set_params(fetched_loader, loader_ctx, + params, propq)) { + (void)fetched_loader->p_close(loader_ctx); + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; } loader = fetched_loader; ossl_core_bio_free(cbio); diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c index caccf38412..b9feb038b8 100644 --- a/crypto/x509/by_store.c +++ b/crypto/x509/by_store.c @@ -21,7 +21,8 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri, OSSL_STORE_CTX *ctx = NULL; X509_STORE *xstore = X509_LOOKUP_get_store(lctx); - if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL, NULL)) == NULL) + if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL, + NULL, NULL)) == NULL) return 0; /* diff --git a/doc/man3/OSSL_STORE_attach.pod b/doc/man3/OSSL_STORE_attach.pod index 9ad53af81a..f272961bac 100644 --- a/doc/man3/OSSL_STORE_attach.pod +++ b/doc/man3/OSSL_STORE_attach.pod @@ -11,6 +11,7 @@ OSSL_STORE_attach - Functions to read objects from a BIO OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index 3d6d03a990..39a795b0ef 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -24,6 +24,7 @@ OSSL_STORE_error, OSSL_STORE_close OSSL_STORE_CTX * OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); @@ -68,6 +69,8 @@ B with all necessary internal information. The given I and I will be reused by all functions that use B when interaction is needed, for instance to provide a password. +The auxiliary B parameters in I can be set to further +modify the store operation. The given I and I will be reused by OSSL_STORE_load() to manipulate or drop the value to be returned. The I function drops values by returning NULL, which @@ -76,7 +79,7 @@ the next object, until I returns something other than NULL, or the end of data is reached as indicated by OSSL_STORE_eof(). OSSL_STORE_open() is similar to OSSL_STORE_open_ex() but uses NULL for -the library context I and property query I. +the I, the library context I and property query I. OSSL_STORE_ctrl() takes a B, and command number I and more arguments not specified here. diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 708f79d480..02476560f0 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -545,6 +545,8 @@ extern "C" { /* You may want to pass properties for the provider implementation to use */ #define OSSL_STORE_PARAM_PROPERTIES "properties" /* utf8_string */ +/* OSSL_DECODER input type if a decoder is used by the store */ +#define OSSL_STORE_PARAM_INPUT_TYPE "input-type" /* UTF8_STRING */ # ifdef __cplusplus } diff --git a/include/openssl/store.h b/include/openssl/store.h index f0c20e56fe..d5703d5040 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -59,6 +59,7 @@ OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, void *ui_data, OSSL_STORE_CTX * OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); @@ -131,6 +132,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx); OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme, OSSL_LIB_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[], OSSL_STORE_post_process_info_fn post_process, void *post_process_data); diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index a7ee231b15..fc8d6362df 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -452,7 +452,7 @@ a7f16a6480f5051d1197b992e042a73535d0922bdd3c962d2a96af780994e858 providers/impl 1cb6ec2efb7b2bb131622aa95e245273f5967065eb0018392ed4ced50d0813b7 providers/implementations/signature/mac_legacy.c 25fe1a61578d54c3e67b60646f3fd3d0a47ff1d4cd620ef1f1fca3341f2662a2 providers/implementations/signature/rsa.c c0a862433e5da909cf0c614d3f982765b67821c7a4cc6257ceb8c490b4dcf732 providers/implementations/signature/sm2sig.c -c63cb744c26af304cf00006071d3ebd9325a4d65913b75a2bcb1d2e104c734fd providers/implementations/storemgmt/file_store.c +e2750b310565e74617310566c1ccfbd75559521117fd8936540fff54dd304902 providers/implementations/storemgmt/file_store.c 291288936fe321e3e85048366f790f6b7983561cd8f80eec4c0e01d7c43614ab providers/implementations/storemgmt/file_store_der2obj.c 04ea01e48b8fee822acb376ab8679b4c627b32ab75c137bf23ebb4fe2a1c0703 providers/prov_running.c 53a1e913fcc4a4e8e84009229cba60b9e29c7dc6536182fd290478331fad44b4 ssl/record/tls_pad.c diff --git a/providers/fips.checksum b/providers/fips.checksum index ff7a1c2c78..e28929484f 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -b998b19b940b606688e4711014407c48c3fca4c58b2fdc60ac64c1cef94861c1 providers/fips-sources.checksums +de031c8fbe10ee9b6447dd230956217e599cf923ff36a1026b515c2a22158b37 providers/fips-sources.checksums diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 033efb40ac..b9bb3b36c0 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -149,15 +149,11 @@ static OSSL_DECODER_CLEANUP file_load_cleanup; * */ static struct file_ctx_st *file_open_stream(BIO *source, const char *uri, - const char *input_type, void *provctx) { struct file_ctx_st *ctx; - if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL - || (input_type != NULL - && (ctx->_.file.input_type = - OPENSSL_strdup(input_type)) == NULL)) { + if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); goto err; } @@ -285,7 +281,7 @@ static void *file_open(void *provctx, const char *uri) if (S_ISDIR(st.st_mode)) ctx = file_open_dir(path, uri, provctx); else if ((bio = BIO_new_file(path, "rb")) == NULL - || (ctx = file_open_stream(bio, uri, NULL, provctx)) == NULL) + || (ctx = file_open_stream(bio, uri, provctx)) == NULL) BIO_free_all(bio); return ctx; @@ -299,7 +295,7 @@ void *file_attach(void *provctx, OSSL_CORE_BIO *cin) if (new_bio == NULL) return NULL; - ctx = file_open_stream(new_bio, NULL, NULL, provctx); + ctx = file_open_stream(new_bio, NULL, provctx); if (ctx == NULL) BIO_free(new_bio); return ctx; @@ -316,6 +312,7 @@ static const OSSL_PARAM *file_settable_ctx_params(void *provctx) OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0), OSSL_PARAM_int(OSSL_STORE_PARAM_EXPECT, NULL), OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, NULL, 0), OSSL_PARAM_END }; return known_settable_ctx_params; @@ -329,12 +326,22 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) if (params == NULL) return 1; - p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); - if (p != NULL) { - OPENSSL_free(ctx->_.file.propq); - ctx->_.file.propq = NULL; - if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0)) - return 0; + if (ctx->type != IS_DIR) { + /* these parameters are ignored for directories */ + p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); + if (p != NULL) { + OPENSSL_free(ctx->_.file.propq); + ctx->_.file.propq = NULL; + if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0)) + return 0; + } + p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_INPUT_TYPE); + if (p != NULL) { + OPENSSL_free(ctx->_.file.input_type); + ctx->_.file.input_type = NULL; + if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.input_type, 0)) + return 0; + } } p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_EXPECT); if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->expected_type)) diff --git a/test/ossl_store_test.c b/test/ossl_store_test.c index 7a5df01647..b9135cfcb3 100644 --- a/test/ossl_store_test.c +++ b/test/ossl_store_test.c @@ -47,7 +47,7 @@ static int test_store_open(void) && TEST_ptr(search = OSSL_STORE_SEARCH_by_alias("nothing")) && TEST_ptr(ui_method= UI_create_method("DummyUI")) && TEST_ptr(sctx = OSSL_STORE_open_ex(input, NULL, NULL, ui_method, - NULL, NULL, NULL)) + NULL, NULL, NULL, NULL)) && TEST_false(OSSL_STORE_find(sctx, NULL)) && TEST_true(OSSL_STORE_find(sctx, search)); UI_destroy_method(ui_method); @@ -75,7 +75,7 @@ static int get_params(const char *uri, const char *type) OSSL_STORE_INFO *info; int ret = 0; - ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL); + ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL, NULL); if (!TEST_ptr(ctx)) goto err; @@ -157,7 +157,7 @@ static int test_store_attach_unregistered_scheme(void) && TEST_ptr(provider = OSSL_PROVIDER_load(libctx, "default")) && TEST_ptr(bio = BIO_new_file(input, "r")) && TEST_ptr(store_ctx = OSSL_STORE_attach(bio, "file", libctx, NULL, - NULL, NULL, NULL, NULL)) + NULL, NULL, NULL, NULL, NULL)) && TEST_int_ne(ERR_GET_LIB(ERR_peek_error()), ERR_LIB_OSSL_STORE) && TEST_int_ne(ERR_GET_REASON(ERR_peek_error()), OSSL_STORE_R_UNREGISTERED_SCHEME); -- 2.34.1