2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/provider.h>
13 #include <openssl/evp.h>
14 #include <openssl/ui.h>
15 #include <openssl/decoder.h>
16 #include <openssl/safestack.h>
17 #include "crypto/evp.h"
18 #include "crypto/decoder.h"
19 #include "encoder_local.h"
20 #include "e_os.h" /* strcasecmp on Windows */
22 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
23 const unsigned char *kstr,
26 return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
29 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
30 const UI_METHOD *ui_method,
33 return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
36 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
37 pem_password_cb *cb, void *cbarg)
39 return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
42 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
43 OSSL_PASSPHRASE_CALLBACK *cb,
46 return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
50 * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY:
51 * The construct data, and collecting keymgmt information for it
54 DEFINE_STACK_OF(EVP_KEYMGMT)
56 struct decoder_EVP_PKEY_data_st {
57 char *object_type; /* recorded object data type, may be NULL */
58 void **object; /* Where the result should end up */
59 STACK_OF(EVP_KEYMGMT) *keymgmts; /* The EVP_KEYMGMTs we handle */
62 static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst,
63 const OSSL_PARAM *params,
66 struct decoder_EVP_PKEY_data_st *data = construct_data;
67 OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst);
68 void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst);
71 * |object_ref| points to a provider reference to an object, its exact
72 * contents entirely opaque to us, but may be passed to any provider
73 * function that expects this (such as OSSL_FUNC_keymgmt_load().
75 * This pointer is considered volatile, i.e. whatever it points at
76 * is assumed to be freed as soon as this function returns.
78 void *object_ref = NULL;
79 size_t object_ref_sz = 0;
82 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
84 char *object_type = NULL;
86 if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
88 OPENSSL_free(data->object_type);
89 data->object_type = object_type;
93 * For stuff that should end up in an EVP_PKEY, we only accept an object
94 * reference for the moment. This enforces that the key data itself
95 * remains with the provider.
97 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
98 if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
100 object_ref = p->data;
101 object_ref_sz = p->data_size;
103 /* We may have reached one of the goals, let's find out! */
104 end_i = sk_EVP_KEYMGMT_num(data->keymgmts);
105 for (i = 0; end_i; i++) {
106 EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
109 * There are two ways to find a matching KEYMGMT:
111 * 1. If the object data type (recorded in |data->object_type|)
112 * is defined, by checking it using EVP_KEYMGMT_is_a().
113 * 2. If the object data type is NOT defined, by comparing the
114 * EVP_KEYMGMT and OSSL_DECODER method numbers. Since
115 * EVP_KEYMGMT and OSSL_DECODE operate with the same
116 * namemap, we know that the method numbers must match.
118 * This allows individual decoders to specify variants of keys,
119 * such as a DER to RSA decoder finding a RSA-PSS key, without
120 * having to decode the exact same DER blob into the exact same
121 * internal structure twice. This is, of course, entirely at the
122 * discretion of the decoder implementations.
124 if (data->object_type != NULL
125 ? EVP_KEYMGMT_is_a(keymgmt, data->object_type)
126 : EVP_KEYMGMT_number(keymgmt) == OSSL_DECODER_number(decoder)) {
127 EVP_PKEY *pkey = NULL;
128 void *keydata = NULL;
129 const OSSL_PROVIDER *keymgmt_prov =
130 EVP_KEYMGMT_provider(keymgmt);
131 const OSSL_PROVIDER *decoder_prov =
132 OSSL_DECODER_provider(decoder);
135 * If the EVP_KEYMGMT and the OSSL_DECODER are from the
136 * same provider, we assume that the KEYMGMT has a key loading
137 * function that can handle the provider reference we hold.
139 * Otherwise, we export from the decoder and import the
140 * result in the keymgmt.
142 if (keymgmt_prov == decoder_prov) {
143 keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
145 struct evp_keymgmt_util_try_import_data_st import_data;
147 import_data.keymgmt = keymgmt;
148 import_data.keydata = NULL;
149 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
152 * No need to check for errors here, the value of
153 * |import_data.keydata| is as much an indicator.
155 (void)decoder->export_object(decoderctx,
156 object_ref, object_ref_sz,
157 &evp_keymgmt_util_try_import,
159 keydata = import_data.keydata;
160 import_data.keydata = NULL;
165 evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
166 evp_keymgmt_freedata(keymgmt, keydata);
168 *data->object = pkey;
174 * We successfully looked through, |*ctx->object| determines if we
175 * actually found something.
177 return (*data->object != NULL);
180 static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data)
182 struct decoder_EVP_PKEY_data_st *data = construct_data;
185 sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
186 OPENSSL_free(data->object_type);
191 struct collected_data_st {
192 struct decoder_EVP_PKEY_data_st *process_data;
194 STACK_OF(OPENSSL_CSTRING) *names;
195 OSSL_DECODER_CTX *ctx;
197 unsigned int error_occured:1;
200 static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
202 struct collected_data_st *data = arg;
204 if (data->keytype != NULL && !EVP_KEYMGMT_is_a(keymgmt, data->keytype))
206 if (data->error_occured)
209 data->error_occured = 1; /* Assume the worst */
211 if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
213 if (sk_EVP_KEYMGMT_push(data->process_data->keymgmts, keymgmt) <= 0) {
214 EVP_KEYMGMT_free(keymgmt); /* ref-- */
218 data->error_occured = 0; /* All is good now */
221 static void collect_name(const char *name, void *arg)
223 struct collected_data_st *data = arg;
225 if (data->error_occured)
228 data->error_occured = 1; /* Assume the worst */
230 if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
233 data->error_occured = 0; /* All is good now */
237 * The input structure check is only done on the initial decoder
240 static int collect_decoder_check_input_structure(OSSL_DECODER_CTX *ctx,
241 OSSL_DECODER_INSTANCE *di)
243 int di_is_was_set = 0;
245 OSSL_DECODER_INSTANCE_get_input_structure(di, &di_is_was_set);
248 * If caller didn't give an input structure name, the decoder is accepted
249 * unconditionally with regards to the input structure.
251 if (ctx->input_structure == NULL)
254 * If the caller did give an input structure name, the decoder must have
255 * a matching input structure to be accepted.
258 && strcasecmp(ctx->input_structure, di_is) == 0)
263 static void collect_decoder(OSSL_DECODER *decoder, void *arg)
265 struct collected_data_st *data = arg;
267 const OSSL_PROVIDER *prov = OSSL_DECODER_provider(decoder);
268 void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
269 void *decoderctx = NULL;
271 if (data->error_occured)
274 data->error_occured = 1; /* Assume the worst */
275 if (data->names == NULL)
278 end_i = sk_OPENSSL_CSTRING_num(data->names);
279 for (i = 0; i < end_i; i++) {
280 const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
281 OSSL_DECODER_INSTANCE *di = NULL;
283 if (OSSL_DECODER_is_a(decoder, name)
285 * Either the caller didn't give a selection, or if they did,
286 * the decoder must tell us if it supports that selection to
287 * be accepted. If the decoder doesn't have |does_selection|,
288 * it's seen as taking anything.
290 && (decoder->does_selection == NULL
291 || decoder->does_selection(provctx, data->ctx->selection))
292 && (decoderctx = decoder->newctx(provctx)) != NULL
293 && (di = ossl_decoder_instance_new(decoder, decoderctx)) != NULL) {
294 /* If successful so far, don't free these directly */
297 if (collect_decoder_check_input_structure(data->ctx, di)
298 && ossl_decoder_ctx_add_decoder_inst(data->ctx, di))
299 di = NULL; /* If successfully added, don't free it */
302 /* Free what can be freed */
303 ossl_decoder_instance_free(di);
304 decoder->freectx(decoderctx);
307 data->error_occured = 0; /* All is good now */
310 int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx,
311 EVP_PKEY **pkey, const char *keytype,
312 OSSL_LIB_CTX *libctx,
313 const char *propquery)
315 struct collected_data_st *data = NULL;
319 if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL
320 || (data->process_data =
321 OPENSSL_zalloc(sizeof(*data->process_data))) == NULL
322 || (data->process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL
323 || (data->names = sk_OPENSSL_CSTRING_new_null()) == NULL) {
324 ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
327 data->process_data->object = (void **)pkey;
329 data->keytype = keytype;
331 /* First, find all keymgmts to form goals */
332 EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, data);
334 if (data->error_occured)
337 /* Then, we collect all the keymgmt names */
338 end_i = sk_EVP_KEYMGMT_num(data->process_data->keymgmts);
339 for (i = 0; i < end_i; i++) {
340 EVP_KEYMGMT *keymgmt =
341 sk_EVP_KEYMGMT_value(data->process_data->keymgmts, i);
343 EVP_KEYMGMT_names_do_all(keymgmt, collect_name, data);
345 if (data->error_occured)
350 * Finally, find all decoders that have any keymgmt of the collected
353 OSSL_DECODER_do_all_provided(libctx, collect_decoder, data);
355 if (data->error_occured)
358 if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) {
359 if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY)
360 || !OSSL_DECODER_CTX_set_construct_data(ctx, data->process_data)
361 || !OSSL_DECODER_CTX_set_cleanup(ctx,
362 decoder_clean_EVP_PKEY_construct_arg))
365 data->process_data = NULL; /* Avoid it being freed */
371 decoder_clean_EVP_PKEY_construct_arg(data->process_data);
372 sk_OPENSSL_CSTRING_free(data->names);
379 OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey,
380 const char *input_type,
381 const char *input_structure,
382 const char *keytype, int selection,
383 OSSL_LIB_CTX *libctx, const char *propquery)
385 OSSL_DECODER_CTX *ctx = NULL;
387 if ((ctx = OSSL_DECODER_CTX_new()) == NULL) {
388 ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
391 if (OSSL_DECODER_CTX_set_input_type(ctx, input_type)
392 && OSSL_DECODER_CTX_set_input_structure(ctx, input_structure)
393 && OSSL_DECODER_CTX_set_selection(ctx, selection)
394 && ossl_decoder_ctx_setup_for_EVP_PKEY(ctx, pkey, keytype,
396 && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery))
399 OSSL_DECODER_CTX_free(ctx);