PROV: Update the DER to RSA deserializer to handle encrypted PKCS#8

[openssl.git] / providers / implementations / serializers / deserialize_der2rsa.c

diff --git a/providers/implementations/serializers/deserialize_der2rsa.c b/providers/implementations/serializers/deserialize_der2rsa.c
index 9b586324757e8ef2414baea3000f1991a29a7fd3..6854c7efcbdbc111131715c6a63ed35df2c5f4aa 100644 (file)
--- a/providers/implementations/serializers/deserialize_der2rsa.c
+++ b/providers/implementations/serializers/deserialize_der2rsa.c
@@ -26,6 +26,8 @@ static OSSL_FUNC_deserializer_newctx_fn der2rsa_newctx;
 static OSSL_FUNC_deserializer_freectx_fn der2rsa_freectx;
 static OSSL_FUNC_deserializer_gettable_params_fn der2rsa_gettable_params;
 static OSSL_FUNC_deserializer_get_params_fn der2rsa_get_params;
+static OSSL_FUNC_deserializer_settable_ctx_params_fn der2rsa_settable_ctx_params;
+static OSSL_FUNC_deserializer_set_ctx_params_fn der2rsa_set_ctx_params;
 static OSSL_FUNC_deserializer_deserialize_fn der2rsa_deserialize;
 static OSSL_FUNC_deserializer_export_object_fn der2rsa_export_object;
 
@@ -35,9 +37,7 @@ static OSSL_FUNC_deserializer_export_object_fn der2rsa_export_object;
 struct der2rsa_ctx_st {
     PROV_CTX *provctx;
 
-#if 0
     struct pkcs8_encrypt_ctx_st sc;
-#endif
 };
 
 static void *der2rsa_newctx(void *provctx)
@@ -46,6 +46,8 @@ static void *der2rsa_newctx(void *provctx)
 
     if (ctx != NULL) {
         ctx->provctx = provctx;
+        /* -1 is the "whatever" indicator, i.e. the PKCS8 library default PBE */
+        ctx->sc.pbe_nid = -1;
     }
     return ctx;
 }
@@ -54,6 +56,8 @@ static void der2rsa_freectx(void *vctx)
 {
     struct der2rsa_ctx_st *ctx = vctx;
 
+    EVP_CIPHER_free(ctx->sc.cipher);
+    OPENSSL_clear_free(ctx->sc.cipher_pass, ctx->sc.cipher_pass_length);
     OPENSSL_free(ctx);
 }
 
@@ -78,6 +82,56 @@ static int der2rsa_get_params(OSSL_PARAM params[])
     return 1;
 }
 
+
+static const OSSL_PARAM *der2rsa_settable_ctx_params(void)
+{
+    static const OSSL_PARAM settables[] = {
+        OSSL_PARAM_utf8_string(OSSL_DESERIALIZER_PARAM_CIPHER, NULL, 0),
+        OSSL_PARAM_utf8_string(OSSL_DESERIALIZER_PARAM_PROPERTIES, NULL, 0),
+        OSSL_PARAM_octet_string(OSSL_DESERIALIZER_PARAM_PASS, NULL, 0),
+        OSSL_PARAM_END,
+    };
+
+    return settables;
+}
+
+static int der2rsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+    struct der2rsa_ctx_st *ctx = vctx;
+    OPENSSL_CTX *libctx = PROV_CTX_get0_library_context(ctx->provctx);
+    const OSSL_PARAM *p;
+
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_DESERIALIZER_PARAM_CIPHER))
+        != NULL) {
+        const OSSL_PARAM *propsp =
+            OSSL_PARAM_locate_const(params, OSSL_DESERIALIZER_PARAM_PROPERTIES);
+        const char *props = NULL;
+
+        if (p->data_type != OSSL_PARAM_UTF8_STRING)
+            return 0;
+        if (propsp != NULL && propsp->data_type != OSSL_PARAM_UTF8_STRING)
+            return 0;
+        props = (propsp != NULL ? propsp->data : NULL);
+
+        EVP_CIPHER_free(ctx->sc.cipher);
+        ctx->sc.cipher = NULL;
+        ctx->sc.cipher_intent = p->data != NULL;
+        if (p->data != NULL
+            && ((ctx->sc.cipher = EVP_CIPHER_fetch(libctx, p->data, props))
+                == NULL))
+            return 0;
+    }
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_DESERIALIZER_PARAM_PASS))
+        != NULL) {
+        OPENSSL_clear_free(ctx->sc.cipher_pass, ctx->sc.cipher_pass_length);
+        ctx->sc.cipher_pass = NULL;
+        if (!OSSL_PARAM_get_octet_string(p, &ctx->sc.cipher_pass, 0,
+                                         &ctx->sc.cipher_pass_length))
+            return 0;
+    }
+    return 1;
+}
+
 static int der2rsa_deserialize(void *vctx, OSSL_CORE_BIO *cin,
                                OSSL_CALLBACK *data_cb, void *data_cbarg,
                                OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
@@ -88,34 +142,28 @@ static int der2rsa_deserialize(void *vctx, OSSL_CORE_BIO *cin,
     unsigned char *der = NULL;
     const unsigned char *derp;
     long der_len = 0;
+    unsigned char *new_der = NULL;
+    long new_der_len;
     EVP_PKEY *pkey = NULL;
     int ok = 0;
 
+    ctx->sc.cb = pw_cb;
+    ctx->sc.cbarg = pw_cbarg;
+
     if (!ossl_prov_read_der(ctx->provctx, cin, &der, &der_len))
         return 0;
 
-    derp = der;
-#if 0                            /* PKCS#8 decryption coming soon */
-    X509_SIG *p8 = NULL;
-    if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
-        const X509_ALGOR *dalg = NULL;
-        const ASN1_OCTET_STRING *doct = NULL;
-        unsigned char *new_data = NULL;
-        int new_data_len;
-
-        /* passphrase fetching code TBA */
-        X509_SIG_get0(p8, &dalg, &doct);
-        if (!PKCS12_pbe_crypt(dalg, pass, strlen(pass),
-                              doct->data, doct->length,
-                              &new_data, &new_data_len, 0))
-            goto nop8;
+    /*
+     * Opportunistic attempt to decrypt.  If it doesn't work, we try to
+     * decode our input unencrypted.
+     */
+    if (ctx->sc.cipher_intent
+        && ossl_prov_der_from_p8(&new_der, &new_der_len, der, der_len,
+                                 &ctx->sc)) {
         OPENSSL_free(der);
-        der = new_data;
-        der_len = new_data_len;
+        der = new_der;
+        der_len = new_der_len;
     }
-    X509_SIG_free(p8);
- nop8:
-#endif
 
     derp = der;
     if ((pkey = d2i_PrivateKey_ex(EVP_PKEY_RSA, NULL, &derp, der_len,
@@ -171,6 +219,10 @@ const OSSL_DISPATCH der_to_rsa_deserializer_functions[] = {
       (void (*)(void))der2rsa_gettable_params },
     { OSSL_FUNC_DESERIALIZER_GET_PARAMS,
       (void (*)(void))der2rsa_get_params },
+    { OSSL_FUNC_DESERIALIZER_SETTABLE_CTX_PARAMS,
+      (void (*)(void))der2rsa_settable_ctx_params },
+    { OSSL_FUNC_DESERIALIZER_SET_CTX_PARAMS,
+      (void (*)(void))der2rsa_set_ctx_params },
     { OSSL_FUNC_DESERIALIZER_DESERIALIZE,
       (void (*)(void))der2rsa_deserialize },
     { OSSL_FUNC_DESERIALIZER_EXPORT_OBJECT,