crypto/encode_decode/decoder_pkey.c

   1 /*
   2  * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/core_names.h>
  11 #include <openssl/core_object.h>
  12 #include <openssl/evp.h>
  13 #include <openssl/ui.h>
  14 #include <openssl/decoder.h>
  15 #include <openssl/safestack.h>
  16 #include "crypto/evp.h"
  17 #include "crypto/decoder.h"
  18 #include "encoder_local.h"
  19
  20 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
  21                                     const unsigned char *kstr,
  22                                     size_t klen)
  23 {
  24     return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
  25 }
  26
  27 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
  28                                        const UI_METHOD *ui_method,
  29                                        void *ui_data)
  30 {
  31     return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
  32 }
  33
  34 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
  35                                          pem_password_cb *cb, void *cbarg)
  36 {
  37     return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
  38 }
  39
  40 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
  41                                        OSSL_PASSPHRASE_CALLBACK *cb,
  42                                        void *cbarg)
  43 {
  44     return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
  45 }
  46
  47 /*
  48  * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY:
  49  * The construct data, and collecting keymgmt information for it
  50  */
  51
  52 DEFINE_STACK_OF(EVP_KEYMGMT)
  53
  54 struct decoder_EVP_PKEY_data_st {
  55     char *object_type;           /* recorded object data type, may be NULL */
  56     void **object;               /* Where the result should end up */
  57     STACK_OF(EVP_KEYMGMT) *keymgmts; /* The EVP_KEYMGMTs we handle */
  58 };
  59
  60 static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst,
  61                                       const OSSL_PARAM *params,
  62                                       void *construct_data)
  63 {
  64     struct decoder_EVP_PKEY_data_st *data = construct_data;
  65     OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst);
  66     void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst);
  67     size_t i, end_i;
  68     /*
  69      * |object_ref| points to a provider reference to an object, its exact
  70      * contents entirely opaque to us, but may be passed to any provider
  71      * function that expects this (such as OSSL_FUNC_keymgmt_load().
  72      *
  73      * This pointer is considered volatile, i.e. whatever it points at
  74      * is assumed to be freed as soon as this function returns.
  75      */
  76     void *object_ref = NULL;
  77     size_t object_ref_sz = 0;
  78     const OSSL_PARAM *p;
  79
  80     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
  81     if (p != NULL) {
  82         char *object_type = NULL;
  83
  84         if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
  85             return 0;
  86         OPENSSL_free(data->object_type);
  87         data->object_type = object_type;
  88     }
  89
  90     /*
  91      * For stuff that should end up in an EVP_PKEY, we only accept an object
  92      * reference for the moment.  This enforces that the key data itself
  93      * remains with the provider.
  94      */
  95     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
  96     if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
  97         return 0;
  98     object_ref = p->data;
  99     object_ref_sz = p->data_size;
 100
 101     /* We may have reached one of the goals, let's find out! */
 102     end_i = sk_EVP_KEYMGMT_num(data->keymgmts);
 103     for (i = 0; end_i; i++) {
 104         EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
 105
 106         /*
 107          * There are two ways to find a matching KEYMGMT:
 108          *
 109          * 1.  If the object data type (recorded in |data->object_type|)
 110          *     is defined, by checking it using EVP_KEYMGMT_is_a().
 111          * 2.  If the object data type is NOT defined, by comparing the
 112          *     EVP_KEYMGMT and OSSL_DECODER method numbers.  Since
 113          *     EVP_KEYMGMT and OSSL_DECODE operate with the same
 114          *     namemap, we know that the method numbers must match.
 115          *
 116          * This allows individual decoders to specify variants of keys,
 117          * such as a DER to RSA decoder finding a RSA-PSS key, without
 118          * having to decode the exact same DER blob into the exact same
 119          * internal structure twice.  This is, of course, entirely at the
 120          * discretion of the decoder implementations.
 121          */
 122         if (data->object_type != NULL
 123             ? EVP_KEYMGMT_is_a(keymgmt, data->object_type)
 124             : EVP_KEYMGMT_number(keymgmt) == OSSL_DECODER_number(decoder)) {
 125             EVP_PKEY *pkey = NULL;
 126             void *keydata = NULL;
 127             const OSSL_PROVIDER *keymgmt_prov =
 128                 EVP_KEYMGMT_provider(keymgmt);
 129             const OSSL_PROVIDER *decoder_prov =
 130                 OSSL_DECODER_provider(decoder);
 131
 132             /*
 133              * If the EVP_KEYMGMT and the OSSL_DECODER are from the
 134              * same provider, we assume that the KEYMGMT has a key loading
 135              * function that can handle the provider reference we hold.
 136              *
 137              * Otherwise, we export from the decoder and import the
 138              * result in the keymgmt.
 139              */
 140             if (keymgmt_prov == decoder_prov) {
 141                 keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
 142             } else {
 143                 struct evp_keymgmt_util_try_import_data_st import_data;
 144
 145                 import_data.keymgmt = keymgmt;
 146                 import_data.keydata = NULL;
 147                 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
 148
 149                 /*
 150                  * No need to check for errors here, the value of
 151                  * |import_data.keydata| is as much an indicator.
 152                  */
 153                 (void)decoder->export_object(decoderctx,
 154                                              object_ref, object_ref_sz,
 155                                              &evp_keymgmt_util_try_import,
 156                                              &import_data);
 157                 keydata = import_data.keydata;
 158                 import_data.keydata = NULL;
 159             }
 160
 161             if (keydata != NULL
 162                 && (pkey =
 163                     evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
 164                 evp_keymgmt_freedata(keymgmt, keydata);
 165
 166             *data->object = pkey;
 167
 168             break;
 169         }
 170     }
 171     /*
 172      * We successfully looked through, |*ctx->object| determines if we
 173      * actually found something.
 174      */
 175     return (*data->object != NULL);
 176 }
 177
 178 static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data)
 179 {
 180     struct decoder_EVP_PKEY_data_st *data = construct_data;
 181
 182     if (data != NULL) {
 183         sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
 184         OPENSSL_free(data->object_type);
 185         OPENSSL_free(data);
 186     }
 187 }
 188
 189 struct collected_data_st {
 190     struct decoder_EVP_PKEY_data_st *process_data;
 191     const char *keytype;
 192     STACK_OF(OPENSSL_CSTRING) *names;
 193     OSSL_DECODER_CTX *ctx;
 194
 195     unsigned int error_occured:1;
 196 };
 197
 198 static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
 199 {
 200     struct collected_data_st *data = arg;
 201
 202     if (data->keytype != NULL && !EVP_KEYMGMT_is_a(keymgmt, data->keytype))
 203         return;
 204     if (data->error_occured)
 205         return;
 206
 207     data->error_occured = 1;         /* Assume the worst */
 208
 209     if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
 210         return;
 211     if (sk_EVP_KEYMGMT_push(data->process_data->keymgmts, keymgmt) <= 0) {
 212         EVP_KEYMGMT_free(keymgmt);   /* ref-- */
 213         return;
 214     }
 215
 216     data->error_occured = 0;         /* All is good now */
 217 }
 218
 219 static void collect_name(const char *name, void *arg)
 220 {
 221     struct collected_data_st *data = arg;
 222
 223     if (data->error_occured)
 224         return;
 225
 226     data->error_occured = 1;         /* Assume the worst */
 227
 228     if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
 229         return;
 230
 231     data->error_occured = 0;         /* All is good now */
 232 }
 233
 234 static void collect_decoder(OSSL_DECODER *decoder, void *arg)
 235 {
 236     struct collected_data_st *data = arg;
 237     size_t i, end_i;
 238
 239     if (data->error_occured)
 240         return;
 241
 242     data->error_occured = 1;         /* Assume the worst */
 243     if (data->names == NULL)
 244         return;
 245
 246     end_i = sk_OPENSSL_CSTRING_num(data->names);
 247     for (i = 0; i < end_i; i++) {
 248         const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
 249
 250         if (!OSSL_DECODER_is_a(decoder, name))
 251             continue;
 252         (void)OSSL_DECODER_CTX_add_decoder(data->ctx, decoder);
 253     }
 254
 255     data->error_occured = 0;         /* All is good now */
 256 }
 257
 258 int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx,
 259                                         EVP_PKEY **pkey, const char *keytype,
 260                                         OPENSSL_CTX *libctx,
 261                                         const char *propquery)
 262 {
 263     struct collected_data_st *data = NULL;
 264     size_t i, end_i;
 265     int ok = 0;
 266
 267     if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL
 268         || (data->process_data =
 269             OPENSSL_zalloc(sizeof(*data->process_data))) == NULL
 270         || (data->process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL
 271         || (data->names = sk_OPENSSL_CSTRING_new_null()) == NULL) {
 272         ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
 273         goto err;
 274     }
 275     data->process_data->object = (void **)pkey;
 276     data->ctx = ctx;
 277     data->keytype = keytype;
 278
 279     /* First, find all keymgmts to form goals */
 280     EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, data);
 281
 282     if (data->error_occured)
 283         goto err;
 284
 285     /* Then, we collect all the keymgmt names */
 286     end_i = sk_EVP_KEYMGMT_num(data->process_data->keymgmts);
 287     for (i = 0; i < end_i; i++) {
 288         EVP_KEYMGMT *keymgmt =
 289             sk_EVP_KEYMGMT_value(data->process_data->keymgmts, i);
 290
 291         EVP_KEYMGMT_names_do_all(keymgmt, collect_name, data);
 292
 293         if (data->error_occured)
 294             goto err;
 295     }
 296
 297     /*
 298      * Finally, find all decoders that have any keymgmt of the collected
 299      * keymgmt names
 300      */
 301     OSSL_DECODER_do_all_provided(libctx, collect_decoder, data);
 302
 303     if (data->error_occured)
 304         goto err;
 305
 306     if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) {
 307         if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY)
 308             || !OSSL_DECODER_CTX_set_construct_data(ctx, data->process_data)
 309             || !OSSL_DECODER_CTX_set_cleanup(ctx,
 310                                              decoder_clean_EVP_PKEY_construct_arg))
 311             goto err;
 312
 313         data->process_data = NULL; /* Avoid it being freed */
 314     }
 315
 316     ok = 1;
 317  err:
 318     if (data != NULL) {
 319         decoder_clean_EVP_PKEY_construct_arg(data->process_data);
 320         sk_OPENSSL_CSTRING_free(data->names);
 321         OPENSSL_free(data);
 322     }
 323     return ok;
 324 }
 325
 326 OSSL_DECODER_CTX *
 327 OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey,
 328                                  const char *input_type, const char *keytype,
 329                                  OPENSSL_CTX *libctx, const char *propquery)
 330 {
 331     OSSL_DECODER_CTX *ctx = NULL;
 332
 333     if ((ctx = OSSL_DECODER_CTX_new()) == NULL) {
 334         ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
 335         return NULL;
 336     }
 337     if (OSSL_DECODER_CTX_set_input_type(ctx, input_type)
 338         && ossl_decoder_ctx_setup_for_EVP_PKEY(ctx, pkey, keytype,
 339                                                libctx, propquery)
 340         && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery))
 341         return ctx;
 342
 343     OSSL_DECODER_CTX_free(ctx);
 344     return NULL;
 345 }