{
DH *dh;
- if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL) {
- DHerr(DH_F_DH_PARAM_DECODE, ERR_R_DH_LIB);
+ if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL)
return 0;
- }
dh->dirty_cnt++;
EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh);
return 1;
{
EC_KEY *eckey;
- if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) {
- ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB);
+ if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL)
return 0;
- }
EVP_PKEY_assign_EC_KEY(pkey, eckey);
return 1;
}
const unsigned char *p = *in;
if ((params = d2i_ECPKPARAMETERS(NULL, &p, len)) == NULL) {
- ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
ECPKPARAMETERS_free(params);
return NULL;
}
if ((group = EC_GROUP_new_from_ecpkparameters(params)) == NULL) {
- ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
ECPKPARAMETERS_free(params);
return NULL;
}
EC_PRIVATEKEY *priv_key = NULL;
const unsigned char *p = *in;
- if ((priv_key = d2i_EC_PRIVATEKEY(NULL, &p, len)) == NULL) {
- ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+ if ((priv_key = d2i_EC_PRIVATEKEY(NULL, &p, len)) == NULL)
return NULL;
- }
if (a == NULL || *a == NULL) {
if ((ret = EC_KEY_new()) == NULL) {
ret = *a;
if (!d2i_ECPKParameters(&ret->group, in, len)) {
- ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
if (a == NULL || *a != ret)
EC_KEY_free(ret);
else
"curve does not support ecdsa"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
"curve does not support signing"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
- "d2i ecpkparameters failure"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_DECODE_ERROR), "decode error"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_DISCRIMINANT_IS_ZERO),
"discriminant is zero"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_PASSED_NULL_PARAMETER),
"passed null parameter"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_PEER_KEY_ERROR), "peer key error"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_PKPARAMETERS2GROUP_FAILURE),
- "pkparameters2group failure"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_ARITHMETIC_FAILURE),
"point arithmetic failure"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_AT_INFINITY), "point at infinity"},
EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
-EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
EC_R_DECODE_ERROR:142:decode error
EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero
EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure
EC_R_OPERATION_NOT_SUPPORTED:152:operation not supported
EC_R_PASSED_NULL_PARAMETER:134:passed null parameter
EC_R_PEER_KEY_ERROR:149:peer key error
-EC_R_PKPARAMETERS2GROUP_FAILURE:127:pkparameters2group failure
EC_R_POINT_ARITHMETIC_FAILURE:155:point arithmetic failure
EC_R_POINT_AT_INFINITY:106:point at infinity
EC_R_POINT_COORDINATES_BLIND_FAILURE:163:point coordinates blind failure
EVP_R_INVALID_SECRET_LENGTH:223:invalid secret length
EVP_R_INVALID_SEED_LENGTH:220:invalid seed length
EVP_R_INVALID_VALUE:222:invalid value
-EVP_R_KEYGEN_FAILURE:120:keygen failure
EVP_R_KEYMGMT_EXPORT_FAILURE:205:keymgmt export failure
EVP_R_KEY_SETUP_FAILED:180:key setup failed
EVP_R_LOCKING_NOT_SUPPORTED:213:locking not supported
PKCS12_R_MAC_STRING_SET_ERROR:111:mac string set error
PKCS12_R_MAC_VERIFY_FAILURE:113:mac verify failure
PKCS12_R_PARSE_ERROR:114:parse error
-PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR:115:pkcs12 algor cipherinit error
PKCS12_R_PKCS12_CIPHERFINAL_ERROR:116:pkcs12 cipherfinal error
-PKCS12_R_PKCS12_PBE_CRYPT_ERROR:117:pkcs12 pbe crypt error
PKCS12_R_UNKNOWN_DIGEST_ALGORITHM:118:unknown digest algorithm
PKCS12_R_UNSUPPORTED_PKCS12_MODE:119:unsupported pkcs12 mode
PKCS7_R_CERTIFICATE_VERIFY_ERROR:117:certificate verify error
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_SEED_LENGTH),
"invalid seed length"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_VALUE), "invalid value"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEYGEN_FAILURE), "keygen failure"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEYMGMT_EXPORT_FAILURE),
"keymgmt export failure"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEY_SETUP_FAILED), "key setup failed"},
cipher = EVP_get_cipherbynid(cipher_nid);
if (!cipher) {
EVPerr(EVP_F_EVP_PBE_CIPHERINIT, EVP_R_UNKNOWN_CIPHER);
+ ERR_add_error_data(1, OBJ_nid2sn(cipher_nid));
return 0;
}
}
}
}
- if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
- EVPerr(EVP_F_EVP_PBE_CIPHERINIT, EVP_R_KEYGEN_FAILURE);
- return 0;
- }
- return 1;
+ return keygen(ctx, pass, passlen, param, cipher, md, en_de);
}
DECLARE_OBJ_BSEARCH_CMP_FN(EVP_PBE_CTL, EVP_PBE_CTL, pbe2);
/* Process data */
if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
- algor->parameter, ctx, en_de)) {
- PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
- PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
+ algor->parameter, ctx, en_de))
goto err;
- }
/*
* GOST algorithm specifics:
int outlen = 0;
if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
- &out, &outlen, 0)) {
- PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
- PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+ &out, &outlen, 0))
return NULL;
- }
p = out;
OSSL_TRACE_BEGIN(PKCS12_DECRYPT) {
BIO_printf(trc_out, "\n");
}
if (!parse_pk12(p12, pass, -1, pkey, ocerts)) {
- PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_PARSE_ERROR);
+ int err = ERR_peek_last_error();
+
+ if (ERR_GET_LIB(err) != ERR_LIB_EVP
+ && ERR_GET_REASON(err) != EVP_R_UNSUPPORTED_ALGORITHM)
+ PKCS12err(0, PKCS12_R_PARSE_ERROR);
goto err;
}
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_VERIFY_FAILURE),
"mac verify failure"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PARSE_ERROR), "parse error"},
- {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),
- "pkcs12 algor cipherinit error"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_CIPHERFINAL_ERROR),
"pkcs12 cipherfinal error"},
- {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_PBE_CRYPT_ERROR),
- "pkcs12 pbe crypt error"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),
"unknown digest algorithm"},
{ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_UNSUPPORTED_PKCS12_MODE),
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
return 0;
- if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
- RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
+ if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL)
return 0;
- }
if (!rsa_param_decode(rsa, alg)) {
RSA_free(rsa);
return 0;
{
RSA *rsa;
- if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
- RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
+ if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL)
return 0;
- }
EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
return 1;
}
int err = ERR_peek_last_error(); \
\
if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \
- && ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR) \
+ && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE \
+ || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)) \
ERR_pop_to_mark(); \
else \
ERR_clear_last_mark(); \
const unsigned char *der = data->octet_data, *derp;
long der_len = (long)data->octet_data_size;
+ SET_ERR_MARK();
/* Try PUBKEY first, that's a real easy target */
derp = der;
pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
if (pk != NULL)
*store_info_new = OSSL_STORE_INFO_new_PUBKEY;
+ RESET_ERR_MARK();
/* Try private keys next */
if (pk == NULL) {
}
X509_SIG_free(p8);
}
+ RESET_ERR_MARK();
/*
* If the encrypted PKCS#8 couldn't be decrypted,
/* Try to unpack an unencrypted PKCS#8, that's easy */
derp = der;
p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
+ RESET_ERR_MARK();
if (p8info != NULL) {
pk = EVP_PKCS82PKEY_with_libctx(p8info, libctx, propq);
PKCS8_PRIV_KEY_INFO_free(p8info);
pk = d2i_PrivateKey_ex(EVP_PKEY_SM2, NULL,
&derp, der_len,
libctx, NULL);
+ RESET_ERR_MARK();
}
}
if (pk == NULL) {
derp = der;
pk = d2i_KeyParams(EVP_PKEY_SM2, NULL, &derp, der_len);
+ RESET_ERR_MARK();
if (pk != NULL)
*store_info_new = OSSL_STORE_INFO_new_PARAMS;
}
+ CLEAR_ERR_MARK();
return pk;
}
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
-# define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
# define EC_R_DECODE_ERROR 142
# define EC_R_DISCRIMINANT_IS_ZERO 118
# define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119
# define EC_R_OPERATION_NOT_SUPPORTED 152
# define EC_R_PASSED_NULL_PARAMETER 134
# define EC_R_PEER_KEY_ERROR 149
-# define EC_R_PKPARAMETERS2GROUP_FAILURE 127
# define EC_R_POINT_ARITHMETIC_FAILURE 155
# define EC_R_POINT_AT_INFINITY 106
# define EC_R_POINT_COORDINATES_BLIND_FAILURE 163
# define EVP_R_INVALID_SECRET_LENGTH 223
# define EVP_R_INVALID_SEED_LENGTH 220
# define EVP_R_INVALID_VALUE 222
-# define EVP_R_KEYGEN_FAILURE 120
# define EVP_R_KEYMGMT_EXPORT_FAILURE 205
# define EVP_R_KEY_SETUP_FAILED 180
# define EVP_R_LOCKING_NOT_SUPPORTED 213
# define PKCS12_R_MAC_STRING_SET_ERROR 111
# define PKCS12_R_MAC_VERIFY_FAILURE 113
# define PKCS12_R_PARSE_ERROR 114
-# define PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR 115
# define PKCS12_R_PKCS12_CIPHERFINAL_ERROR 116
-# define PKCS12_R_PKCS12_PBE_CRYPT_ERROR 117
# define PKCS12_R_UNKNOWN_DIGEST_ALGORITHM 118
# define PKCS12_R_UNSUPPORTED_PKCS12_MODE 119
long new_der_len;
EVP_PKEY *pkey = NULL;
void *key = NULL;
- int ok = 0;
+ int err, ok = 0;
+ ERR_set_mark();
if (!read_der(ctx->provctx, cin, &der, &der_len))
- return 0;
+ goto err;
/*
* Opportunistic attempt to decrypt. If it doesn't work, we try to
derp = der;
pkey = d2i_KeyParams(ctx->desc->type, NULL, &derp, der_len);
}
+ err:
+ /*
+ * Prune low-level ASN.1 parse errors from error queue, assuming that
+ * this is called by decoder_process() in a loop trying several formats.
+ */
+ err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_ASN1
+ && (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG
+ || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))
+ ERR_pop_to_mark();
+ else
+ ERR_clear_last_mark();
if (pkey != NULL) {
/*
#include <openssl/core_object.h>
#include <openssl/bio.h>
#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/asn1err.h>
#include <openssl/params.h>
#include "internal/asn1.h"
#include "prov/bio.h"
*/
BIO *in = (BIO *)cin;
BUF_MEM *mem = NULL;
- int ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+ int err, ok;
+ ERR_set_mark();
+ ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+ /*
+ * Prune low-level ASN.1 parse errors from error queue, assuming that
+ * this is called by decoder_process() in a loop trying several formats.
+ */
+ err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_ASN1
+ && (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG
+ || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))
+ ERR_pop_to_mark();
+ else
+ ERR_clear_last_mark();
if (ok) {
OSSL_PARAM params[3];
int object_type = OSSL_OBJECT_UNKNOWN;
setup("test_x509");
-plan tests => 12;
+plan tests => 14;
require_ok(srctop_file('test','recipes','tconversion.pl'));
close(DATA);
return m/2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678/;
}
+
+sub test_errors { # actually tests diagnostics of OSSL_STORE
+ my ($expected, $cert, @opts) = @_;
+ my $infile = srctop_file('test', 'certs', $cert);
+ my @args = qw(openssl x509 -in);
+ push(@args, "$infile", @opts);
+ my $tmpfile = 'out.txt';
+ my $res = !run(app([@args], stderr => $tmpfile));
+ my $found = 0;
+ open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile";
+ while(<$in>) {
+ print; # this may help debugging
+ $res &&= !m/asn1 encoding/; # output must not include ASN.1 parse errors
+ $found = 1 if m/$expected/; # output must include $expected
+ }
+ close $in;
+ unlink $tmpfile;
+ return $res && $found;
+}
+
+ok(test_errors("Can't open any-dir/", "root-cert.pem", '-out', 'any-dir/'),
+ "load root-cert errors");
+ok(test_errors("RC2-40-CBC", "v3-certs-RC2.p12", '-passin', 'pass:v3-certs'),
+ "load v3-certs-RC2 no asn1 errors");