2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/core_object.h>
12 #include <openssl/evp.h>
13 #include <openssl/ui.h>
14 #include <openssl/decoder.h>
15 #include <openssl/safestack.h>
16 #include "crypto/evp.h"
17 #include "encoder_local.h"
19 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
20 const unsigned char *kstr,
23 return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
26 int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
27 const UI_METHOD *ui_method,
30 return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
33 int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
34 pem_password_cb *cb, void *cbarg)
36 return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
39 int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
40 OSSL_PASSPHRASE_CALLBACK *cb,
43 return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
47 * Support for OSSL_DECODER_CTX_new_by_EVP_PKEY:
48 * The construct data, and collecting keymgmt information for it
51 DEFINE_STACK_OF(EVP_KEYMGMT)
53 struct decoder_EVP_PKEY_data_st {
54 char *object_type; /* recorded object data type, may be NULL */
55 void **object; /* Where the result should end up */
56 STACK_OF(EVP_KEYMGMT) *keymgmts; /* The EVP_KEYMGMTs we handle */
59 static int decoder_construct_EVP_PKEY(OSSL_DECODER_INSTANCE *decoder_inst,
60 const OSSL_PARAM *params,
63 struct decoder_EVP_PKEY_data_st *data = construct_data;
64 OSSL_DECODER *decoder =
65 OSSL_DECODER_INSTANCE_decoder(decoder_inst);
66 void *decoderctx = OSSL_DECODER_INSTANCE_decoder_ctx(decoder_inst);
69 * |object_ref| points to a provider reference to an object, its exact
70 * contents entirely opaque to us, but may be passed to any provider
71 * function that expects this (such as OSSL_FUNC_keymgmt_load().
73 * This pointer is considered volatile, i.e. whatever it points at
74 * is assumed to be freed as soon as this function returns.
76 void *object_ref = NULL;
77 size_t object_ref_sz = 0;
80 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
82 char *object_type = NULL;
84 if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
86 OPENSSL_free(data->object_type);
87 data->object_type = object_type;
91 * For stuff that should end up in an EVP_PKEY, we only accept an object
92 * reference for the moment. This enforces that the key data itself
93 * remains with the provider.
95 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
96 if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING)
99 object_ref_sz = p->data_size;
101 /* We may have reached one of the goals, let's find out! */
102 end_i = sk_EVP_KEYMGMT_num(data->keymgmts);
103 for (i = 0; end_i; i++) {
104 EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
107 * There are two ways to find a matching KEYMGMT:
109 * 1. If the object data type (recorded in |data->object_type|)
110 * is defined, by checking it using EVP_KEYMGMT_is_a().
111 * 2. If the object data type is NOT defined, by comparing the
112 * EVP_KEYMGMT and OSSL_DECODER method numbers. Since
113 * EVP_KEYMGMT and OSSL_DECODE operate with the same
114 * namemap, we know that the method numbers must match.
116 * This allows individual decoders to specify variants of keys,
117 * such as a DER to RSA decoder finding a RSA-PSS key, without
118 * having to decode the exact same DER blob into the exact same
119 * internal structure twice. This is, of course, entirely at the
120 * discretion of the decoder implementations.
122 if (data->object_type != NULL
123 ? EVP_KEYMGMT_is_a(keymgmt, data->object_type)
124 : EVP_KEYMGMT_number(keymgmt) == OSSL_DECODER_number(decoder)) {
125 EVP_PKEY *pkey = NULL;
126 void *keydata = NULL;
127 const OSSL_PROVIDER *keymgmt_prov =
128 EVP_KEYMGMT_provider(keymgmt);
129 const OSSL_PROVIDER *decoder_prov =
130 OSSL_DECODER_provider(decoder);
133 * If the EVP_KEYMGMT and the OSSL_DECODER are from the
134 * same provider, we assume that the KEYMGMT has a key loading
135 * function that can handle the provider reference we hold.
137 * Otherwise, we export from the decoder and import the
138 * result in the keymgmt.
140 if (keymgmt_prov == decoder_prov) {
141 keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
143 struct evp_keymgmt_util_try_import_data_st import_data;
145 import_data.keymgmt = keymgmt;
146 import_data.keydata = NULL;
147 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
150 * No need to check for errors here, the value of
151 * |import_data.keydata| is as much an indicator.
153 (void)decoder->export_object(decoderctx,
154 object_ref, object_ref_sz,
155 &evp_keymgmt_util_try_import,
157 keydata = import_data.keydata;
158 import_data.keydata = NULL;
163 evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
164 evp_keymgmt_freedata(keymgmt, keydata);
166 *data->object = pkey;
172 * We successfully looked through, |*ctx->object| determines if we
173 * actually found something.
175 return (*data->object != NULL);
178 static void decoder_clean_EVP_PKEY_construct_arg(void *construct_data)
180 struct decoder_EVP_PKEY_data_st *data = construct_data;
183 sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
184 OPENSSL_free(data->object_type);
189 DEFINE_STACK_OF_CSTRING()
191 struct collected_data_st {
192 struct decoder_EVP_PKEY_data_st *process_data;
193 STACK_OF(OPENSSL_CSTRING) *names;
194 OSSL_DECODER_CTX *ctx;
196 unsigned int error_occured:1;
199 static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
201 struct collected_data_st *data = arg;
203 if (data->error_occured)
206 data->error_occured = 1; /* Assume the worst */
208 if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
210 if (sk_EVP_KEYMGMT_push(data->process_data->keymgmts, keymgmt) <= 0) {
211 EVP_KEYMGMT_free(keymgmt); /* ref-- */
215 data->error_occured = 0; /* All is good now */
218 static void collect_name(const char *name, void *arg)
220 struct collected_data_st *data = arg;
222 if (data->error_occured)
225 data->error_occured = 1; /* Assume the worst */
227 if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
230 data->error_occured = 0; /* All is good now */
233 static void collect_decoder(OSSL_DECODER *decoder, void *arg)
235 struct collected_data_st *data = arg;
238 if (data->error_occured)
241 data->error_occured = 1; /* Assume the worst */
242 if (data->names == NULL)
245 end_i = sk_OPENSSL_CSTRING_num(data->names);
246 for (i = 0; i < end_i; i++) {
247 const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
249 if (!OSSL_DECODER_is_a(decoder, name))
251 (void)OSSL_DECODER_CTX_add_decoder(data->ctx, decoder);
254 data->error_occured = 0; /* All is good now */
257 OSSL_DECODER_CTX *OSSL_DECODER_CTX_new_by_EVP_PKEY(EVP_PKEY **pkey,
258 const char *input_type,
260 const char *propquery)
262 OSSL_DECODER_CTX *ctx = NULL;
263 struct collected_data_st *data = NULL;
266 if ((ctx = OSSL_DECODER_CTX_new()) == NULL
267 || (data = OPENSSL_zalloc(sizeof(*data))) == NULL
268 || (data->process_data =
269 OPENSSL_zalloc(sizeof(*data->process_data))) == NULL
270 || (data->process_data->keymgmts
271 = sk_EVP_KEYMGMT_new_null()) == NULL
272 || (data->names = sk_OPENSSL_CSTRING_new_null()) == NULL) {
273 ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
276 data->process_data->object = (void **)pkey;
278 OSSL_DECODER_CTX_set_input_type(ctx, input_type);
280 /* First, find all keymgmts to form goals */
281 EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, data);
283 if (data->error_occured)
286 /* Then, we collect all the keymgmt names */
287 end_i = sk_EVP_KEYMGMT_num(data->process_data->keymgmts);
288 for (i = 0; i < end_i; i++) {
289 EVP_KEYMGMT *keymgmt =
290 sk_EVP_KEYMGMT_value(data->process_data->keymgmts, i);
292 EVP_KEYMGMT_names_do_all(keymgmt, collect_name, data);
294 if (data->error_occured)
299 * Finally, find all decoders that have any keymgmt of the collected
302 OSSL_DECODER_do_all_provided(libctx, collect_decoder, data);
304 if (data->error_occured)
307 /* If we found no decoders to match the keymgmts, we err */
308 if (OSSL_DECODER_CTX_num_decoders(ctx) == 0)
311 /* Finally, collect extra decoders based on what we already have */
312 (void)OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery);
314 if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_EVP_PKEY)
315 || !OSSL_DECODER_CTX_set_construct_data(ctx, data->process_data)
316 || !OSSL_DECODER_CTX_set_cleanup(ctx,
317 decoder_clean_EVP_PKEY_construct_arg))
320 data->process_data = NULL;
323 decoder_clean_EVP_PKEY_construct_arg(data->process_data);
324 sk_OPENSSL_CSTRING_free(data->names);