2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/evp.h>
13 #include <openssl/ui.h>
14 #include <openssl/decoder.h>
15 #include <openssl/safestack.h>
16 #include "crypto/evp.h"
17 #include "crypto/decoder.h"
18 #include "encoder_local.h"
20 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
21 const unsigned char *kstr,
24 return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
27 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
28 const UI_METHOD *ui_method,
31 return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
34 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
35 pem_password_cb *cb, void *cbarg)
37 return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
40 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
41 OSSL_PASSPHRASE_CALLBACK *cb,
44 return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
48 * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY:
49 * The construct data, and collecting keymgmt information for it
52 DEFINE_STACK_OF(EVP_KEYMGMT)
54 struct decoder_EVP_PKEY_data_st {
55 char *object_type; /* recorded object data type, may be NULL */
56 void **object; /* Where the result should end up */
57 STACK_OF(EVP_KEYMGMT) *keymgmts; /* The EVP_KEYMGMTs we handle */
60 static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst,
61 const OSSL_PARAM *params,
64 struct decoder_EVP_PKEY_data_st *data = construct_data;
65 OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst);
66 void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst);
69 * |object_ref| points to a provider reference to an object, its exact
70 * contents entirely opaque to us, but may be passed to any provider
71 * function that expects this (such as OSSL_FUNC_keymgmt_load().
73 * This pointer is considered volatile, i.e. whatever it points at
74 * is assumed to be freed as soon as this function returns.
76 void *object_ref = NULL;
77 size_t object_ref_sz = 0;
80 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
82 char *object_type = NULL;
84 if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
86 OPENSSL_free(data->object_type);
87 data->object_type = object_type;
91 * For stuff that should end up in an EVP_PKEY, we only accept an object
92 * reference for the moment. This enforces that the key data itself
93 * remains with the provider.
95 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
96 if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
99 object_ref_sz = p->data_size;
101 /* We may have reached one of the goals, let's find out! */
102 end_i = sk_EVP_KEYMGMT_num(data->keymgmts);
103 for (i = 0; end_i; i++) {
104 EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
107 * There are two ways to find a matching KEYMGMT:
109 * 1. If the object data type (recorded in |data->object_type|)
110 * is defined, by checking it using EVP_KEYMGMT_is_a().
111 * 2. If the object data type is NOT defined, by comparing the
112 * EVP_KEYMGMT and OSSL_DECODER method numbers. Since
113 * EVP_KEYMGMT and OSSL_DECODE operate with the same
114 * namemap, we know that the method numbers must match.
116 * This allows individual decoders to specify variants of keys,
117 * such as a DER to RSA decoder finding a RSA-PSS key, without
118 * having to decode the exact same DER blob into the exact same
119 * internal structure twice. This is, of course, entirely at the
120 * discretion of the decoder implementations.
122 if (data->object_type != NULL
123 ? EVP_KEYMGMT_is_a(keymgmt, data->object_type)
124 : EVP_KEYMGMT_number(keymgmt) == OSSL_DECODER_number(decoder)) {
125 EVP_PKEY *pkey = NULL;
126 void *keydata = NULL;
127 const OSSL_PROVIDER *keymgmt_prov =
128 EVP_KEYMGMT_provider(keymgmt);
129 const OSSL_PROVIDER *decoder_prov =
130 OSSL_DECODER_provider(decoder);
133 * If the EVP_KEYMGMT and the OSSL_DECODER are from the
134 * same provider, we assume that the KEYMGMT has a key loading
135 * function that can handle the provider reference we hold.
137 * Otherwise, we export from the decoder and import the
138 * result in the keymgmt.
140 if (keymgmt_prov == decoder_prov) {
141 keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
143 struct evp_keymgmt_util_try_import_data_st import_data;
145 import_data.keymgmt = keymgmt;
146 import_data.keydata = NULL;
147 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
150 * No need to check for errors here, the value of
151 * |import_data.keydata| is as much an indicator.
153 (void)decoder->export_object(decoderctx,
154 object_ref, object_ref_sz,
155 &evp_keymgmt_util_try_import,
157 keydata = import_data.keydata;
158 import_data.keydata = NULL;
163 evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
164 evp_keymgmt_freedata(keymgmt, keydata);
166 *data->object = pkey;
172 * We successfully looked through, |*ctx->object| determines if we
173 * actually found something.
175 return (*data->object != NULL);
178 static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data)
180 struct decoder_EVP_PKEY_data_st *data = construct_data;
183 sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
184 OPENSSL_free(data->object_type);
189 struct collected_data_st {
190 struct decoder_EVP_PKEY_data_st *process_data;
192 STACK_OF(OPENSSL_CSTRING) *names;
193 OSSL_DECODER_CTX *ctx;
195 unsigned int error_occured:1;
198 static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
200 struct collected_data_st *data = arg;
202 if (data->keytype != NULL && !EVP_KEYMGMT_is_a(keymgmt, data->keytype))
204 if (data->error_occured)
207 data->error_occured = 1; /* Assume the worst */
209 if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
211 if (sk_EVP_KEYMGMT_push(data->process_data->keymgmts, keymgmt) <= 0) {
212 EVP_KEYMGMT_free(keymgmt); /* ref-- */
216 data->error_occured = 0; /* All is good now */
219 static void collect_name(const char *name, void *arg)
221 struct collected_data_st *data = arg;
223 if (data->error_occured)
226 data->error_occured = 1; /* Assume the worst */
228 if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
231 data->error_occured = 0; /* All is good now */
234 static void collect_decoder(OSSL_DECODER *decoder, void *arg)
236 struct collected_data_st *data = arg;
239 if (data->error_occured)
242 data->error_occured = 1; /* Assume the worst */
243 if (data->names == NULL)
246 end_i = sk_OPENSSL_CSTRING_num(data->names);
247 for (i = 0; i < end_i; i++) {
248 const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
250 if (!OSSL_DECODER_is_a(decoder, name))
252 (void)OSSL_DECODER_CTX_add_decoder(data->ctx, decoder);
255 data->error_occured = 0; /* All is good now */
258 int ossl_decoder_ctx_setup_for_EVP_PKEY(OSSL_DECODER_CTX *ctx,
259 EVP_PKEY **pkey, const char *keytype,
261 const char *propquery)
263 struct collected_data_st *data = NULL;
267 if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL
268 || (data->process_data =
269 OPENSSL_zalloc(sizeof(*data->process_data))) == NULL
270 || (data->process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL
271 || (data->names = sk_OPENSSL_CSTRING_new_null()) == NULL) {
272 ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
275 data->process_data->object = (void **)pkey;
277 data->keytype = keytype;
279 /* First, find all keymgmts to form goals */
280 EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, data);
282 if (data->error_occured)
285 /* Then, we collect all the keymgmt names */
286 end_i = sk_EVP_KEYMGMT_num(data->process_data->keymgmts);
287 for (i = 0; i < end_i; i++) {
288 EVP_KEYMGMT *keymgmt =
289 sk_EVP_KEYMGMT_value(data->process_data->keymgmts, i);
291 EVP_KEYMGMT_names_do_all(keymgmt, collect_name, data);
293 if (data->error_occured)
298 * Finally, find all decoders that have any keymgmt of the collected
301 OSSL_DECODER_do_all_provided(libctx, collect_decoder, data);
303 if (data->error_occured)
306 if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) {
307 if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY)
308 || !OSSL_DECODER_CTX_set_construct_data(ctx, data->process_data)
309 || !OSSL_DECODER_CTX_set_cleanup(ctx,
310 decoder_clean_EVP_PKEY_construct_arg))
313 data->process_data = NULL; /* Avoid it being freed */
319 decoder_clean_EVP_PKEY_construct_arg(data->process_data);
320 sk_OPENSSL_CSTRING_free(data->names);
327 OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey,
328 const char *input_type, const char *keytype,
329 OPENSSL_CTX *libctx, const char *propquery)
331 OSSL_DECODER_CTX *ctx = NULL;
333 if ((ctx = OSSL_DECODER_CTX_new()) == NULL) {
334 ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
337 if (OSSL_DECODER_CTX_set_input_type(ctx, input_type)
338 && ossl_decoder_ctx_setup_for_EVP_PKEY(ctx, pkey, keytype,
340 && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery))
343 OSSL_DECODER_CTX_free(ctx);