DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()
[openssl.git] / crypto / store / store_result.c
1 /*
2  * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include "e_os.h"
11 #include <string.h>
12
13 #include <openssl/core.h>
14 #include <openssl/core_names.h>
15 #include <openssl/core_object.h>
16 #include <openssl/err.h>
17 #include <openssl/pkcs12.h>
18 #include <openssl/provider.h>
19 #include <openssl/decoder.h>
20 #include <openssl/store.h>
21 #include "internal/provider.h"
22 #include "internal/passphrase.h"
23 #include "crypto/evp.h"
24 #include "crypto/x509.h"
25 #include "store_local.h"
26
27 #ifndef OSSL_OBJECT_PKCS12
28 /*
29  * The object abstraction doesn't know PKCS#12, but we want to indicate
30  * it anyway, so we create our own.  Since the public macros use positive
31  * numbers, negative ones should be fine.  They must never slip out from
32  * this translation unit anyway.
33  */
34 # define OSSL_OBJECT_PKCS12 -1
35 #endif
36
37 /*
38  * ossl_store_handle_load_result() is initially written to be a companion
39  * to our 'file:' scheme provider implementation, but has been made generic
40  * to serve others as well.
41  *
42  * This result handler takes any object abstraction (see provider-object(7))
43  * and does the best it can with it.  If the object is passed by value (not
44  * by reference), the contents are currently expected to be DER encoded.
45  * If an object type is specified, that will be respected; otherwise, this
46  * handler will guess the contents, by trying the following in order:
47  *
48  * 1.  Decode it into an EVP_PKEY, using OSSL_DECODER.
49  * 2.  Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
50  * 3.  Decode it into an X.509 CRL, using d2i_X509_CRL.
51  * 4.  Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
52  *
53  * For the 'file:' scheme implementation, this is division of labor.  Since
54  * the libcrypto <-> provider interface currently doesn't support certain
55  * structures as first class objects, they must be unpacked from DER here
56  * rather than in the provider.  The current exception is asymmetric keys,
57  * which can reside within the provider boundary, most of all thanks to
58  * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
59  * reference.
60  */
61
62 struct extracted_param_data_st {
63     int object_type;
64     const char *data_type;
65     const char *utf8_data;
66     const void *octet_data;
67     size_t octet_data_size;
68     const void *ref;
69     size_t ref_size;
70     const char *desc;
71 };
72
73 static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
74 static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
75                    OSSL_STORE_CTX *, const OSSL_PROVIDER *,
76                    OPENSSL_CTX *, const char *);
77 static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
78                     OPENSSL_CTX *, const char *);
79 static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
80                    OPENSSL_CTX *, const char *);
81 static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
82                       OSSL_STORE_CTX *, OPENSSL_CTX *, const char *);
83
84 #define SET_ERR_MARK() ERR_set_mark()
85 #define CLEAR_ERR_MARK()                                                \
86     do {                                                                \
87         int err = ERR_peek_last_error();                                \
88                                                                         \
89         if (ERR_GET_LIB(err) == ERR_LIB_ASN1                            \
90             && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE   \
91                 || ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \
92                 || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))     \
93             ERR_pop_to_mark();                                          \
94         else                                                            \
95             ERR_clear_last_mark();                                      \
96     } while(0)
97 #define RESET_ERR_MARK()                                                \
98     do {                                                                \
99         CLEAR_ERR_MARK();                                               \
100         SET_ERR_MARK();                                                 \
101     } while(0)
102
103 int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
104 {
105     struct ossl_load_result_data_st *cbdata = arg;
106     OSSL_STORE_INFO **v = &cbdata->v;
107     OSSL_STORE_CTX *ctx = cbdata->ctx;
108     const OSSL_PROVIDER *provider =
109         OSSL_STORE_LOADER_provider(ctx->fetched_loader);
110     OPENSSL_CTX *libctx = ossl_provider_library_context(provider);
111     const char *propq = ctx->properties;
112     const OSSL_PARAM *p;
113     struct extracted_param_data_st helper_data;
114
115     memset(&helper_data, 0, sizeof(helper_data));
116     helper_data.object_type = OSSL_OBJECT_UNKNOWN;
117
118     if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
119         && !OSSL_PARAM_get_int(p, &helper_data.object_type))
120         return 0;
121     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
122     if (p != NULL
123         && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
124         return 0;
125     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
126     if (p != NULL
127         && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
128                                             &helper_data.octet_data_size)
129         && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
130         return 0;
131     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
132     if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
133                                                       &helper_data.ref_size))
134         return 0;
135     p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
136     if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
137         return 0;
138
139     /*
140      * The helper functions return 0 on actual errors, otherwise 1, even if
141      * they didn't fill out |*v|.
142      */
143     SET_ERR_MARK();
144     if (!try_name(&helper_data, v))
145         goto err;
146     RESET_ERR_MARK();
147     if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
148         goto err;
149     RESET_ERR_MARK();
150     if (!try_cert(&helper_data, v, libctx, propq))
151         goto err;
152     RESET_ERR_MARK();
153     if (!try_crl(&helper_data, v, libctx, propq))
154         goto err;
155     RESET_ERR_MARK();
156     if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
157         goto err;
158     CLEAR_ERR_MARK();
159
160     return (*v != NULL);
161  err:
162     return 0;
163 }
164
165 static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
166 {
167     if (data->object_type == OSSL_OBJECT_NAME) {
168         char *newname = NULL, *newdesc = NULL;
169
170         if (data->utf8_data == NULL)
171             return 0;
172         if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
173             || (data->desc != NULL
174                 && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
175             || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
176             OPENSSL_free(newname);
177             OPENSSL_free(newdesc);
178             return 0;
179         }
180         OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
181     }
182     return 1;
183 }
184
185 /*
186  * For the rest of the object types, the provider code may not know what
187  * type of data it gave us, so we may need to figure that out on our own.
188  * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
189  * only return 0 on error if the object type is known.
190  */
191
192 static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
193                              OSSL_STORE_CTX *ctx,
194                              const OSSL_PROVIDER *provider,
195                              OPENSSL_CTX *libctx, const char *propq)
196 {
197     EVP_PKEY *pk = NULL;
198     EVP_KEYMGMT *keymgmt = NULL;
199     void *keydata = NULL;
200
201     /* If we have an object reference, we must have a data type */
202     if (data->data_type == NULL)
203         return 0;
204
205     keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
206     if (keymgmt != NULL) {
207         /*
208          * There are two possible cases
209          *
210          * 1.  The keymgmt is from the same provider as the loader,
211          *     so we can use evp_keymgmt_load()
212          * 2.  The keymgmt is from another provider, then we must
213          *     do the export/import dance.
214          */
215         if (EVP_KEYMGMT_provider(keymgmt) == provider) {
216             keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
217         } else {
218             struct evp_keymgmt_util_try_import_data_st import_data;
219             OSSL_FUNC_store_export_object_fn *export_object =
220                 ctx->fetched_loader->p_export_object;
221
222             import_data.keymgmt = keymgmt;
223             import_data.keydata = NULL;
224             import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
225
226             if (export_object != NULL) {
227                 /*
228                  * No need to check for errors here, the value of
229                  * |import_data.keydata| is as much an indicator.
230                  */
231                 (void)export_object(ctx->loader_ctx,
232                                     data->ref, data->ref_size,
233                                     &evp_keymgmt_util_try_import,
234                                     &import_data);
235             }
236
237             keydata = import_data.keydata;
238         }
239     }
240     if (keydata != NULL)
241         pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
242     EVP_KEYMGMT_free(keymgmt);
243
244     return pk;
245 }
246
247 static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
248                                OSSL_STORE_CTX *ctx,
249                                OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
250                                OPENSSL_CTX *libctx, const char *propq)
251 {
252     EVP_PKEY *pk = NULL;
253     OSSL_DECODER_CTX *decoderctx = NULL;
254     BIO *membio =
255         BIO_new_mem_buf(data->octet_data, (int)data->octet_data_size);
256
257     if (membio == NULL)
258         return 0;
259
260     decoderctx =
261         OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", NULL, libctx, propq);
262     (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
263
264     /* No error if this couldn't be decoded */
265     (void)OSSL_DECODER_from_bio(decoderctx, membio);
266
267     OSSL_DECODER_CTX_free(decoderctx);
268     BIO_free(membio);
269
270     return pk;
271 }
272
273 typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
274
275 static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
276                                       store_info_new_fn **store_info_new,
277                                       OSSL_STORE_CTX *ctx,
278                                       OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
279                                       OPENSSL_CTX *libctx, const char *propq)
280 {
281     EVP_PKEY *pk = NULL;
282     const unsigned char *der = data->octet_data, *derp;
283     long der_len = (long)data->octet_data_size;
284
285     SET_ERR_MARK();
286     /* Try PUBKEY first, that's a real easy target */
287     derp = der;
288     pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
289     if (pk != NULL)
290         *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
291     RESET_ERR_MARK();
292
293     /* Try private keys next */
294     if (pk == NULL) {
295         unsigned char *new_der = NULL;
296         X509_SIG *p8 = NULL;
297         PKCS8_PRIV_KEY_INFO *p8info = NULL;
298
299         /* See if it's an encrypted PKCS#8 and decrypt it */
300         derp = der;
301         if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
302             char pbuf[PEM_BUFSIZE];
303             size_t plen = 0;
304
305             if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
306                 ERR_raise(ERR_LIB_OSSL_STORE,
307                           OSSL_STORE_R_BAD_PASSWORD_READ);
308             } else {
309                 const X509_ALGOR *alg = NULL;
310                 const ASN1_OCTET_STRING *oct = NULL;
311                 int len = 0;
312
313                 X509_SIG_get0(p8, &alg, &oct);
314
315                 /*
316                  * No need to check the returned value, |new_der|
317                  * will be NULL on error anyway.
318                  */
319                 PKCS12_pbe_crypt(alg, pbuf, plen,
320                                  oct->data, oct->length,
321                                  &new_der, &len, 0);
322                 der_len = len;
323                 der = new_der;
324             }
325             X509_SIG_free(p8);
326         }
327         RESET_ERR_MARK();
328
329         /*
330          * If the encrypted PKCS#8 couldn't be decrypted,
331          * |der| is NULL
332          */
333         if (der != NULL) {
334             /* Try to unpack an unencrypted PKCS#8, that's easy */
335             derp = der;
336             p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
337             RESET_ERR_MARK();
338             if (p8info != NULL) {
339                 pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
340                 PKCS8_PRIV_KEY_INFO_free(p8info);
341             }
342         }
343
344         if (pk != NULL)
345             *store_info_new = OSSL_STORE_INFO_new_PKEY;
346
347         OPENSSL_free(new_der);
348         der = data->octet_data;
349         der_len = (long)data->octet_data_size;
350     }
351     CLEAR_ERR_MARK();
352
353     return pk;
354 }
355
356 static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
357                    OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
358                    OPENSSL_CTX *libctx, const char *propq)
359 {
360     store_info_new_fn *store_info_new = NULL;
361
362     if (data->object_type == OSSL_OBJECT_UNKNOWN
363         || data->object_type == OSSL_OBJECT_PKEY) {
364         EVP_PKEY *pk = NULL;
365
366         /* Prefer key by reference than key by value */
367         if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
368             pk = try_key_ref(data, ctx, provider, libctx, propq);
369
370             /*
371              * If for some reason we couldn't get a key, it's an error.
372              * It indicates that while decoders could make a key reference,
373              * the keymgmt somehow couldn't handle it, or doesn't have a
374              * OSSL_FUNC_keymgmt_load function.
375              */
376             if (pk == NULL)
377                 return 0;
378         } else if (data->octet_data != NULL) {
379             OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
380             void *cbarg = &ctx->pwdata;
381
382             pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
383
384             /*
385              * Desperate last maneuver, in case the decoders don't support
386              * the data we have, then we try on our own to at least get a
387              * legacy key.
388              * This is the same as der2key_decode() does, but in a limited
389              * way and within the walls of libcrypto.
390              *
391              * TODO Remove this when #legacy keys are gone
392              */
393             if (pk == NULL)
394                 pk = try_key_value_legacy(data, &store_info_new, ctx,
395                                           cb, cbarg, libctx, propq);
396         }
397
398         if (pk != NULL) {
399             data->object_type = OSSL_OBJECT_PKEY;
400
401             if (store_info_new == NULL) {
402                 /*
403                  * We determined the object type for OSSL_STORE_INFO, which
404                  * makes an explicit difference between an EVP_PKEY with just
405                  * (domain) parameters and an EVP_PKEY with actual key
406                  * material.
407                  * The logic is that an EVP_PKEY with actual key material
408                  * always has the public half.
409                  */
410                 if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
411                     store_info_new = OSSL_STORE_INFO_new_PKEY;
412                 else if (evp_keymgmt_util_has(pk,
413                                               OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
414                     store_info_new = OSSL_STORE_INFO_new_PUBKEY;
415                 else
416                     store_info_new = OSSL_STORE_INFO_new_PARAMS;
417             }
418             *v = store_info_new(pk);
419         }
420
421         if (*v == NULL)
422             EVP_PKEY_free(pk);
423     }
424
425     return 1;
426 }
427
428 static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
429                     OPENSSL_CTX *libctx, const char *propq)
430 {
431     if (data->object_type == OSSL_OBJECT_UNKNOWN
432         || data->object_type == OSSL_OBJECT_CERT) {
433         X509 *cert;
434
435         /*
436          * In most cases, we can try to interpret the serialized
437          * data as a trusted cert (X509 + X509_AUX) and fall back
438          * to reading it as a normal cert (just X509), but if
439          * |data_type| (the PEM name) specifically declares it as a
440          * trusted cert, then no fallback should be engaged.
441          * |ignore_trusted| tells if the fallback can be used (1)
442          * or not (0).
443          */
444         int ignore_trusted = 1;
445
446         /* If we have a data type, it should be a PEM name */
447         if (data->data_type != NULL
448             && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
449             ignore_trusted = 0;
450
451         cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
452                             data->octet_data_size);
453         if (cert == NULL && ignore_trusted)
454             cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
455                             data->octet_data_size);
456
457         if (cert != NULL)
458             /* We determined the object type */
459             data->object_type = OSSL_OBJECT_CERT;
460
461         if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
462             X509_free(cert);
463             cert = NULL;
464         }
465
466         if (cert != NULL)
467             *v = OSSL_STORE_INFO_new_CERT(cert);
468         if (*v == NULL)
469             X509_free(cert);
470     }
471
472     return 1;
473 }
474
475 static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
476                    OPENSSL_CTX *libctx, const char *propq)
477 {
478     if (data->object_type == OSSL_OBJECT_UNKNOWN
479         || data->object_type == OSSL_OBJECT_CRL) {
480         X509_CRL *crl;
481
482         crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
483                            data->octet_data_size);
484         if (crl != NULL)
485             /* We determined the object type */
486             data->object_type = OSSL_OBJECT_CRL;
487
488         if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
489             X509_CRL_free(crl);
490             crl = NULL;
491         }
492
493         if (crl != NULL)
494             *v = OSSL_STORE_INFO_new_CRL(crl);
495         if (*v == NULL)
496             X509_CRL_free(crl);
497     }
498
499     return 1;
500 }
501
502 static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
503                       OSSL_STORE_CTX *ctx,
504                       OPENSSL_CTX *libctx, const char *propq)
505 {
506     /* There is no specific object type for PKCS12 */
507     if (data->object_type == OSSL_OBJECT_UNKNOWN) {
508         /* Initial parsing */
509         PKCS12 *p12;
510
511         if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
512                               data->octet_data_size)) != NULL) {
513             char *pass = NULL;
514             char tpass[PEM_BUFSIZE];
515             size_t tpass_len;
516             EVP_PKEY *pkey = NULL;
517             X509 *cert = NULL;
518             STACK_OF(X509) *chain = NULL;
519
520             data->object_type = OSSL_OBJECT_PKCS12;
521
522             if (PKCS12_verify_mac(p12, "", 0)
523                 || PKCS12_verify_mac(p12, NULL, 0)) {
524                 pass = "";
525             } else {
526                 static char prompt_info[] = "PKCS12 import pass phrase";
527                 OSSL_PARAM pw_params[] = {
528                     OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
529                                            prompt_info,
530                                            sizeof(prompt_info) - 1),
531                     OSSL_PARAM_END
532                 };
533
534                 if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
535                                             pw_params, 0, &ctx->pwdata)) {
536                     ERR_raise(ERR_LIB_OSSL_STORE,
537                               OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
538                     goto p12_end;
539                 }
540                 pass = tpass;
541                 if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
542                     ERR_raise(ERR_LIB_OSSL_STORE,
543                               OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
544                     goto p12_end;
545                 }
546             }
547
548             if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
549                 STACK_OF(OSSL_STORE_INFO) *infos = NULL;
550                 OSSL_STORE_INFO *osi_pkey = NULL;
551                 OSSL_STORE_INFO *osi_cert = NULL;
552                 OSSL_STORE_INFO *osi_ca = NULL;
553                 int ok = 1;
554
555                 if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
556                     if (pkey != NULL) {
557                         if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
558                             /* clearing pkey here avoids case distinctions */
559                             && (pkey = NULL) == NULL
560                             && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
561                             osi_pkey = NULL;
562                         else
563                             ok = 0;
564                     }
565                     if (ok && cert != NULL) {
566                         if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
567                             /* clearing cert here avoids case distinctions */
568                             && (cert = NULL) == NULL
569                             && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
570                             osi_cert = NULL;
571                         else
572                             ok = 0;
573                     }
574                     while (ok && sk_X509_num(chain) > 0) {
575                         X509 *ca = sk_X509_value(chain, 0);
576
577                         if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
578                             && sk_X509_shift(chain) != NULL
579                             && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
580                             osi_ca = NULL;
581                         else
582                             ok = 0;
583                     }
584                 }
585                 EVP_PKEY_free(pkey);
586                 X509_free(cert);
587                 sk_X509_pop_free(chain, X509_free);
588                 OSSL_STORE_INFO_free(osi_pkey);
589                 OSSL_STORE_INFO_free(osi_cert);
590                 OSSL_STORE_INFO_free(osi_ca);
591                 if (!ok) {
592                     sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
593                     infos = NULL;
594                 }
595                 ctx->cached_info = infos;
596             }
597         }
598      p12_end:
599         PKCS12_free(p12);
600         *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
601     }
602
603     return 1;
604 }