2e07d0d7cc9152beb69f35bc205d16d8913b6437
[openssl.git] / crypto / encode_decode / decoder_pkey.c
1 /*
2  * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/evp.h>
13 #include <openssl/ui.h>
14 #include <openssl/decoder.h>
15 #include <openssl/safestack.h>
16 #include "crypto/evp.h"
17 #include "crypto/decoder.h"
18 #include "encoder_local.h"
19
20 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
21                                     const unsigned char *kstr,
22                                     size_t klen)
23 {
24     return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
25 }
26
27 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
28                                        const UI_METHOD *ui_method,
29                                        void *ui_data)
30 {
31     return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
32 }
33
34 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
35                                          pem_password_cb *cb, void *cbarg)
36 {
37     return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
38 }
39
40 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
41                                        OSSL_PASSPHRASE_CALLBACK *cb,
42                                        void *cbarg)
43 {
44     return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
45 }
46
47 /*
48  * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY:
49  * The construct data, and collecting keymgmt information for it
50  */
51
52 DEFINE_STACK_OF(EVP_KEYMGMT)
53
54 struct decoder_EVP_PKEY_data_st {
55     char *object_type;           /* recorded object data type, may be NULL */
56     void **object;               /* Where the result should end up */
57     STACK_OF(EVP_KEYMGMT) *keymgmts; /* The EVP_KEYMGMTs we handle */
58 };
59
60 static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst,
61                                       const OSSL_PARAM *params,
62                                       void *construct_data)
63 {
64     struct decoder_EVP_PKEY_data_st *data = construct_data;
65     OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst);
66     void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst);
67     size_t i, end_i;
68     /*
69      * |object_ref| points to a provider reference to an object, its exact
70      * contents entirely opaque to us, but may be passed to any provider
71      * function that expects this (such as OSSL_FUNC_keymgmt_load().
72      *
73      * This pointer is considered volatile, i.e. whatever it points at
74      * is assumed to be freed as soon as this function returns.
75      */
76     void *object_ref = NULL;
77     size_t object_ref_sz = 0;
78     const OSSL_PARAM *p;
79
80     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
81     if (p != NULL) {
82         char *object_type = NULL;
83
84         if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
85             return 0;
86         OPENSSL_free(data->object_type);
87         data->object_type = object_type;
88     }
89
90     /*
91      * For stuff that should end up in an EVP_PKEY, we only accept an object
92      * reference for the moment.  This enforces that the key data itself
93      * remains with the provider.
94      */
95     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
96     if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
97         return 0;
98     object_ref = p->data;
99     object_ref_sz = p->data_size;
100
101     /* We may have reached one of the goals, let's find out! */
102     end_i = sk_EVP_KEYMGMT_num(data->keymgmts);
103     for (i = 0; end_i; i++) {
104         EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
105
106         /*
107          * There are two ways to find a matching KEYMGMT:
108          *
109          * 1.  If the object data type (recorded in |data->object_type|)
110          *     is defined, by checking it using EVP_KEYMGMT_is_a().
111          * 2.  If the object data type is NOT defined, by comparing the
112          *     EVP_KEYMGMT and OSSL_DECODER method numbers.  Since
113          *     EVP_KEYMGMT and OSSL_DECODE operate with the same
114          *     namemap, we know that the method numbers must match.
115          *
116          * This allows individual decoders to specify variants of keys,
117          * such as a DER to RSA decoder finding a RSA-PSS key, without
118          * having to decode the exact same DER blob into the exact same
119          * internal structure twice.  This is, of course, entirely at the
120          * discretion of the decoder implementations.
121          */
122         if (data->object_type != NULL
123             ? EVP_KEYMGMT_is_a(keymgmt, data->object_type)
124             : EVP_KEYMGMT_number(keymgmt) == OSSL_DECODER_number(decoder)) {
125             EVP_PKEY *pkey = NULL;
126             void *keydata = NULL;
127             const OSSL_PROVIDER *keymgmt_prov =
128                 EVP_KEYMGMT_provider(keymgmt);
129             const OSSL_PROVIDER *decoder_prov =
130                 OSSL_DECODER_provider(decoder);
131
132             /*
133              * If the EVP_KEYMGMT and the OSSL_DECODER are from the
134              * same provider, we assume that the KEYMGMT has a key loading
135              * function that can handle the provider reference we hold.
136              *
137              * Otherwise, we export from the decoder and import the
138              * result in the keymgmt.
139              */
140             if (keymgmt_prov == decoder_prov) {
141                 keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
142             } else {
143                 struct evp_keymgmt_util_try_import_data_st import_data;
144
145                 import_data.keymgmt = keymgmt;
146                 import_data.keydata = NULL;
147                 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
148
149                 /*
150                  * No need to check for errors here, the value of
151                  * |import_data.keydata| is as much an indicator.
152                  */
153                 (void)decoder->export_object(decoderctx,
154                                              object_ref, object_ref_sz,
155                                              &evp_keymgmt_util_try_import,
156                                              &import_data);
157                 keydata = import_data.keydata;
158                 import_data.keydata = NULL;
159             }
160
161             if (keydata != NULL
162                 && (pkey =
163                     evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
164                 evp_keymgmt_freedata(keymgmt, keydata);
165
166             *data->object = pkey;
167
168             break;
169         }
170     }
171     /*
172      * We successfully looked through, |*ctx->object| determines if we
173      * actually found something.
174      */
175     return (*data->object != NULL);
176 }
177
178 static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data)
179 {
180     struct decoder_EVP_PKEY_data_st *data = construct_data;
181
182     if (data != NULL) {
183         sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
184         OPENSSL_free(data->object_type);
185         OPENSSL_free(data);
186     }
187 }
188
189 struct collected_data_st {
190     struct decoder_EVP_PKEY_data_st *process_data;
191     STACK_OF(OPENSSL_CSTRING) *names;
192     OSSL_DECODER_CTX *ctx;
193
194     unsigned int error_occured:1;
195 };
196
197 static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
198 {
199     struct collected_data_st *data = arg;
200
201     if (data->error_occured)
202         return;
203
204     data->error_occured = 1;         /* Assume the worst */
205
206     if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
207         return;
208     if (sk_EVP_KEYMGMT_push(data->process_data->keymgmts, keymgmt) <= 0) {
209         EVP_KEYMGMT_free(keymgmt);   /* ref-- */
210         return;
211     }
212
213     data->error_occured = 0;         /* All is good now */
214 }
215
216 static void collect_name(const char *name, void *arg)
217 {
218     struct collected_data_st *data = arg;
219
220     if (data->error_occured)
221         return;
222
223     data->error_occured = 1;         /* Assume the worst */
224
225     if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
226         return;
227
228     data->error_occured = 0;         /* All is good now */
229 }
230
231 static void collect_decoder(OSSL_DECODER *decoder, void *arg)
232 {
233     struct collected_data_st *data = arg;
234     size_t i, end_i;
235
236     if (data->error_occured)
237         return;
238
239     data->error_occured = 1;         /* Assume the worst */
240     if (data->names == NULL)
241         return;
242
243     end_i = sk_OPENSSL_CSTRING_num(data->names);
244     for (i = 0; i < end_i; i++) {
245         const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
246
247         if (!OSSL_DECODER_is_a(decoder, name))
248             continue;
249         (void)OSSL_DECODER_CTX_add_decoder(data->ctx, decoder);
250     }
251
252     data->error_occured = 0;         /* All is good now */
253 }
254
255 int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx,
256                                         EVP_PKEY **pkey,
257                                         OPENSSL_CTX *libctx,
258                                         const char *propquery)
259 {
260     struct collected_data_st *data = NULL;
261     size_t i, end_i;
262     int ok = 0;
263
264     if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL
265         || (data->process_data =
266             OPENSSL_zalloc(sizeof(*data->process_data))) == NULL
267         || (data->process_data->keymgmts
268             = sk_EVP_KEYMGMT_new_null()) == NULL
269         || (data->names = sk_OPENSSL_CSTRING_new_null()) == NULL) {
270         ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
271         goto err;
272     }
273     data->process_data->object = (void **)pkey;
274     data->ctx = ctx;
275
276     /* First, find all keymgmts to form goals */
277     EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, data);
278
279     if (data->error_occured)
280         goto err;
281
282     /* Then, we collect all the keymgmt names */
283     end_i = sk_EVP_KEYMGMT_num(data->process_data->keymgmts);
284     for (i = 0; i < end_i; i++) {
285         EVP_KEYMGMT *keymgmt =
286             sk_EVP_KEYMGMT_value(data->process_data->keymgmts, i);
287
288         EVP_KEYMGMT_names_do_all(keymgmt, collect_name, data);
289
290         if (data->error_occured)
291             goto err;
292     }
293
294     /*
295      * Finally, find all decoders that have any keymgmt of the collected
296      * keymgmt names
297      */
298     OSSL_DECODER_do_all_provided(libctx, collect_decoder, data);
299
300     if (data->error_occured)
301         goto err;
302
303     if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) {
304         if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY)
305             || !OSSL_DECODER_CTX_set_construct_data(ctx, data->process_data)
306             || !OSSL_DECODER_CTX_set_cleanup(ctx,
307                                              decoder_clean_EVP_PKEY_construct_arg))
308             goto err;
309
310         data->process_data = NULL; /* Avoid it being freed */
311     }
312
313     ok = 1;
314  err:
315     if (data != NULL) {
316         decoder_clean_EVP_PKEY_construct_arg(data->process_data);
317         sk_OPENSSL_CSTRING_free(data->names);
318         OPENSSL_free(data);
319     }
320     return ok;
321 }
322
323 OSSL_DECODER_CTX *OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey,
324                                                    const char *input_type,
325                                                    OPENSSL_CTX *libctx,
326                                                    const char *propquery)
327 {
328     OSSL_DECODER_CTX *ctx = NULL;
329
330     if ((ctx = OSSL_DECODER_CTX_new()) == NULL) {
331         ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
332         return NULL;
333     }
334     if (OSSL_DECODER_CTX_set_input_type(ctx, input_type)
335         && ossl_decoder_ctx_setup_for_EVP_PKEY(ctx, pkey, libctx, propquery)
336         && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery))
337         return ctx;
338
339     OSSL_DECODER_CTX_free(ctx);
340     return NULL;
341 }