2016-05-17 14:24:46 -04:00
|
|
|
/*
|
2020-04-23 13:55:52 +01:00
|
|
|
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
1998-12-21 10:52:47 +00:00
|
|
|
*
|
2018-12-06 13:40:06 +01:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-17 14:24:46 -04:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
1998-12-21 10:52:47 +00:00
|
|
|
*/
|
|
|
|
|
|
2020-01-30 07:23:39 +10:00
|
|
|
/*
|
|
|
|
|
* DSA low level APIs are deprecated for public use, but still ok for
|
|
|
|
|
* internal use.
|
|
|
|
|
*/
|
|
|
|
|
#include "internal/deprecated.h"
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
#include <stdio.h>
|
2015-05-14 16:56:48 +02:00
|
|
|
#include "internal/cryptlib.h"
|
2017-08-22 07:17:35 +10:00
|
|
|
#include "internal/refcount.h"
|
2002-02-13 18:21:51 +00:00
|
|
|
#include <openssl/bn.h>
|
|
|
|
|
#include <openssl/err.h>
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/objects.h>
|
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
|
#include <openssl/x509.h>
|
2016-03-18 14:30:20 -04:00
|
|
|
#include <openssl/rsa.h>
|
|
|
|
|
#include <openssl/dsa.h>
|
|
|
|
|
#include <openssl/dh.h>
|
2020-03-16 18:55:32 +01:00
|
|
|
#include <openssl/ec.h>
|
2018-03-05 17:23:57 +00:00
|
|
|
#include <openssl/cmac.h>
|
2016-03-18 14:30:20 -04:00
|
|
|
#include <openssl/engine.h>
|
2019-05-07 12:39:58 +02:00
|
|
|
#include <openssl/params.h>
|
2019-11-18 01:47:32 +01:00
|
|
|
#include <openssl/serializer.h>
|
2019-05-07 12:39:58 +02:00
|
|
|
#include <openssl/core_names.h>
|
2006-06-05 11:52:46 +00:00
|
|
|
|
2019-09-28 00:45:33 +02:00
|
|
|
#include "crypto/asn1.h"
|
|
|
|
|
#include "crypto/evp.h"
|
2020-03-18 15:54:47 +01:00
|
|
|
#include "internal/evp.h"
|
2019-05-07 12:39:58 +02:00
|
|
|
#include "internal/provider.h"
|
2020-01-14 14:11:47 +01:00
|
|
|
#include "evp_local.h"
|
2019-12-19 17:30:24 -05:00
|
|
|
DEFINE_STACK_OF(X509_ATTRIBUTE)
|
2006-03-22 17:59:49 +00:00
|
|
|
|
2020-03-16 18:55:32 +01:00
|
|
|
#include "crypto/ec.h"
|
|
|
|
|
|
|
|
|
|
/* TODO remove this when the EVP_PKEY_is_a() #legacy support hack is removed */
|
|
|
|
|
#include "e_os.h" /* strcasecmp on Windows */
|
|
|
|
|
|
2020-03-21 06:14:25 +01:00
|
|
|
static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
|
|
|
|
|
int len, EVP_KEYMGMT *keymgmt);
|
2020-01-12 11:32:12 +10:00
|
|
|
static void evp_pkey_free_it(EVP_PKEY *key);
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2001-08-03 18:48:35 +00:00
|
|
|
|
2020-03-23 06:03:16 +01:00
|
|
|
/* The type of parameters selected in key parameter functions */
|
|
|
|
|
# define SELECT_PARAMETERS OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS
|
|
|
|
|
|
2016-08-17 13:50:48 +01:00
|
|
|
int EVP_PKEY_bits(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-01-08 03:44:28 +01:00
|
|
|
if (pkey != NULL) {
|
|
|
|
|
if (pkey->ameth == NULL)
|
|
|
|
|
return pkey->cache.bits;
|
|
|
|
|
else if (pkey->ameth->pkey_bits)
|
|
|
|
|
return pkey->ameth->pkey_bits(pkey);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
|
2014-01-18 14:51:40 +00:00
|
|
|
int EVP_PKEY_security_bits(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
|
if (pkey == NULL)
|
|
|
|
|
return 0;
|
2020-01-08 03:44:28 +01:00
|
|
|
if (pkey->ameth == NULL)
|
|
|
|
|
return pkey->cache.security_bits;
|
|
|
|
|
if (pkey->ameth->pkey_security_bits == NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
return -2;
|
|
|
|
|
return pkey->ameth->pkey_security_bits(pkey);
|
|
|
|
|
}
|
2014-01-18 14:51:40 +00:00
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
int EVP_PKEY_save_parameters(EVP_PKEY *pkey, int mode)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_DSA
|
2015-01-22 03:40:55 +00:00
|
|
|
if (pkey->type == EVP_PKEY_DSA) {
|
|
|
|
|
int ret = pkey->save_parameters;
|
|
|
|
|
|
|
|
|
|
if (mode >= 0)
|
|
|
|
|
pkey->save_parameters = mode;
|
2017-10-17 23:04:09 +09:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_EC
|
2015-01-22 03:40:55 +00:00
|
|
|
if (pkey->type == EVP_PKEY_EC) {
|
|
|
|
|
int ret = pkey->save_parameters;
|
|
|
|
|
|
|
|
|
|
if (mode >= 0)
|
|
|
|
|
pkey->save_parameters = mode;
|
2017-10-17 23:04:09 +09:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2017-10-17 23:04:09 +09:00
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2020-04-07 00:18:09 +00:00
|
|
|
int EVP_PKEY_set_ex_data(EVP_PKEY *key, int idx, void *arg)
|
|
|
|
|
{
|
|
|
|
|
return CRYPTO_set_ex_data(&key->ex_data, idx, arg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void *EVP_PKEY_get_ex_data(const EVP_PKEY *key, int idx)
|
|
|
|
|
{
|
|
|
|
|
return CRYPTO_get_ex_data(&key->ex_data, idx);
|
|
|
|
|
}
|
|
|
|
|
|
2003-04-07 10:09:44 +00:00
|
|
|
int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-02-05 16:30:21 +01:00
|
|
|
/*
|
|
|
|
|
* TODO: clean up legacy stuff from this function when legacy support
|
|
|
|
|
* is gone.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
2020-03-21 06:21:26 +01:00
|
|
|
* If |to| is a legacy key and |from| isn't, we must downgrade |from|.
|
|
|
|
|
* If that fails, this function fails.
|
2020-02-05 16:30:21 +01:00
|
|
|
*/
|
2020-03-21 06:21:26 +01:00
|
|
|
if (to->type != EVP_PKEY_NONE && from->keymgmt != NULL)
|
|
|
|
|
if (!evp_pkey_downgrade((EVP_PKEY *)from))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Make sure |to| is typed. Content is less important at this early
|
|
|
|
|
* stage.
|
|
|
|
|
*
|
|
|
|
|
* 1. If |to| is untyped, assign |from|'s key type to it.
|
|
|
|
|
* 2. If |to| contains a legacy key, compare its |type| to |from|'s.
|
|
|
|
|
* (|from| was already downgraded above)
|
|
|
|
|
*
|
|
|
|
|
* If |to| is a provided key, there's nothing more to do here, functions
|
|
|
|
|
* like evp_keymgmt_util_copy() and evp_pkey_export_to_provider() called
|
|
|
|
|
* further down help us find out if they are the same or not.
|
|
|
|
|
*/
|
|
|
|
|
if (to->type == EVP_PKEY_NONE && to->keymgmt == NULL) {
|
|
|
|
|
if (from->type != EVP_PKEY_NONE) {
|
2020-02-05 16:30:21 +01:00
|
|
|
if (EVP_PKEY_set_type(to, from->type) == 0)
|
|
|
|
|
return 0;
|
2020-03-21 06:21:26 +01:00
|
|
|
} else {
|
|
|
|
|
if (EVP_PKEY_set_type_by_keymgmt(to, from->keymgmt) == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
} else if (to->type != EVP_PKEY_NONE) {
|
|
|
|
|
if (to->type != from->type) {
|
2020-02-05 16:30:21 +01:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS, EVP_R_DIFFERENT_KEY_TYPES);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (EVP_PKEY_missing_parameters(from)) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS, EVP_R_MISSING_PARAMETERS);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2016-05-27 14:18:40 +01:00
|
|
|
|
|
|
|
|
if (!EVP_PKEY_missing_parameters(to)) {
|
|
|
|
|
if (EVP_PKEY_cmp_parameters(to, from) == 1)
|
|
|
|
|
return 1;
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS, EVP_R_DIFFERENT_PARAMETERS);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-05 16:30:21 +01:00
|
|
|
/* For purely provided keys, we just call the keymgmt utility */
|
|
|
|
|
if (to->keymgmt != NULL && from->keymgmt != NULL)
|
2020-03-23 06:03:16 +01:00
|
|
|
return evp_keymgmt_util_copy(to, (EVP_PKEY *)from, SELECT_PARAMETERS);
|
2020-02-05 16:30:21 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If |to| is provided, we know that |from| is legacy at this point.
|
|
|
|
|
* Try exporting |from| to |to|'s keymgmt, then use evp_keymgmt_copy()
|
|
|
|
|
* to copy the appropriate data to |to|'s keydata.
|
|
|
|
|
*/
|
|
|
|
|
if (to->keymgmt != NULL) {
|
|
|
|
|
EVP_KEYMGMT *to_keymgmt = to->keymgmt;
|
|
|
|
|
void *from_keydata =
|
|
|
|
|
evp_pkey_export_to_provider((EVP_PKEY *)from, NULL, &to_keymgmt,
|
|
|
|
|
NULL);
|
|
|
|
|
|
2020-03-21 06:21:26 +01:00
|
|
|
/*
|
|
|
|
|
* If we get a NULL, it could be an internal error, or it could be
|
|
|
|
|
* that there's a key mismatch. We're pretending the latter...
|
|
|
|
|
*/
|
2020-02-05 16:30:21 +01:00
|
|
|
if (from_keydata == NULL) {
|
2020-03-21 06:21:26 +01:00
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_DIFFERENT_KEY_TYPES);
|
2020-02-05 16:30:21 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return evp_keymgmt_copy(to->keymgmt, to->keydata, from_keydata,
|
2020-03-23 06:03:16 +01:00
|
|
|
SELECT_PARAMETERS);
|
2020-02-05 16:30:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Both keys are legacy */
|
|
|
|
|
if (from->ameth != NULL && from->ameth->param_copy != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
return from->ameth->param_copy(to, from);
|
|
|
|
|
err:
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2003-04-06 15:31:18 +00:00
|
|
|
int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-02-05 10:18:51 +01:00
|
|
|
if (pkey != NULL) {
|
|
|
|
|
if (pkey->keymgmt != NULL)
|
2020-03-23 06:03:16 +01:00
|
|
|
return !evp_keymgmt_util_has((EVP_PKEY *)pkey, SELECT_PARAMETERS);
|
2020-02-05 10:18:51 +01:00
|
|
|
else if (pkey->ameth != NULL && pkey->ameth->param_missing != NULL)
|
|
|
|
|
return pkey->ameth->param_missing(pkey);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2020-02-05 12:55:43 +01:00
|
|
|
/*
|
|
|
|
|
* This function is called for any mixture of keys except pure legacy pair.
|
|
|
|
|
* TODO When legacy keys are gone, we replace a call to this functions with
|
|
|
|
|
* a call to evp_keymgmt_util_match().
|
|
|
|
|
*/
|
|
|
|
|
static int evp_pkey_cmp_any(const EVP_PKEY *a, const EVP_PKEY *b,
|
|
|
|
|
int selection)
|
|
|
|
|
{
|
|
|
|
|
EVP_KEYMGMT *keymgmt1 = NULL, *keymgmt2 = NULL;
|
|
|
|
|
void *keydata1 = NULL, *keydata2 = NULL, *tmp_keydata = NULL;
|
|
|
|
|
|
|
|
|
|
/* If none of them are provided, this function shouldn't have been called */
|
|
|
|
|
if (!ossl_assert(a->keymgmt != NULL || b->keymgmt != NULL))
|
|
|
|
|
return -2;
|
|
|
|
|
|
|
|
|
|
/* For purely provided keys, we just call the keymgmt utility */
|
|
|
|
|
if (a->keymgmt != NULL && b->keymgmt != NULL)
|
|
|
|
|
return evp_keymgmt_util_match((EVP_PKEY *)a, (EVP_PKEY *)b, selection);
|
|
|
|
|
|
|
|
|
|
/*
|
2020-03-21 06:21:26 +01:00
|
|
|
* At this point, one of them is provided, the other not. This allows
|
|
|
|
|
* us to compare types using legacy NIDs.
|
|
|
|
|
*/
|
|
|
|
|
if ((a->type != EVP_PKEY_NONE
|
|
|
|
|
&& !EVP_KEYMGMT_is_a(b->keymgmt, OBJ_nid2sn(a->type)))
|
|
|
|
|
|| (b->type != EVP_PKEY_NONE
|
|
|
|
|
&& !EVP_KEYMGMT_is_a(a->keymgmt, OBJ_nid2sn(b->type))))
|
|
|
|
|
return -1; /* not the same key type */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We've determined that they both are the same keytype, so the next
|
|
|
|
|
* step is to do a bit of cross export to ensure we have keydata for
|
|
|
|
|
* both keys in the same keymgmt.
|
2020-02-05 12:55:43 +01:00
|
|
|
*/
|
|
|
|
|
keymgmt1 = a->keymgmt;
|
|
|
|
|
keydata1 = a->keydata;
|
|
|
|
|
keymgmt2 = b->keymgmt;
|
|
|
|
|
keydata2 = b->keydata;
|
|
|
|
|
|
|
|
|
|
if (keymgmt2 != NULL && keymgmt2->match != NULL) {
|
|
|
|
|
tmp_keydata =
|
|
|
|
|
evp_pkey_export_to_provider((EVP_PKEY *)a, NULL, &keymgmt2, NULL);
|
|
|
|
|
if (tmp_keydata != NULL) {
|
|
|
|
|
keymgmt1 = keymgmt2;
|
|
|
|
|
keydata1 = tmp_keydata;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (tmp_keydata == NULL && keymgmt1 != NULL && keymgmt1->match != NULL) {
|
|
|
|
|
tmp_keydata =
|
|
|
|
|
evp_pkey_export_to_provider((EVP_PKEY *)b, NULL, &keymgmt1, NULL);
|
|
|
|
|
if (tmp_keydata != NULL) {
|
|
|
|
|
keymgmt2 = keymgmt1;
|
|
|
|
|
keydata2 = tmp_keydata;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If we still don't have matching keymgmt implementations, we give up */
|
|
|
|
|
if (keymgmt1 != keymgmt2)
|
|
|
|
|
return -2;
|
|
|
|
|
|
|
|
|
|
return evp_keymgmt_match(keymgmt1, keydata1, keydata2, selection);
|
|
|
|
|
}
|
|
|
|
|
|
2003-04-06 15:31:18 +00:00
|
|
|
int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-02-05 12:55:43 +01:00
|
|
|
/*
|
|
|
|
|
* TODO: clean up legacy stuff from this function when legacy support
|
|
|
|
|
* is gone.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if (a->keymgmt != NULL || b->keymgmt != NULL)
|
2020-03-23 06:03:16 +01:00
|
|
|
return evp_pkey_cmp_any(a, b, SELECT_PARAMETERS);
|
2020-02-05 12:55:43 +01:00
|
|
|
|
|
|
|
|
/* All legacy keys */
|
2015-01-22 03:40:55 +00:00
|
|
|
if (a->type != b->type)
|
|
|
|
|
return -1;
|
2020-02-05 12:55:43 +01:00
|
|
|
if (a->ameth != NULL && a->ameth->param_cmp != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
return a->ameth->param_cmp(a, b);
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
|
2003-04-06 15:31:18 +00:00
|
|
|
int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-02-05 12:55:43 +01:00
|
|
|
/*
|
|
|
|
|
* TODO: clean up legacy stuff from this function when legacy support
|
|
|
|
|
* is gone.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if (a->keymgmt != NULL || b->keymgmt != NULL)
|
2020-03-23 06:03:16 +01:00
|
|
|
return evp_pkey_cmp_any(a, b, (SELECT_PARAMETERS
|
|
|
|
|
| OSSL_KEYMGMT_SELECT_PUBLIC_KEY));
|
2020-02-05 12:55:43 +01:00
|
|
|
|
|
|
|
|
/* All legacy keys */
|
2015-01-22 03:40:55 +00:00
|
|
|
if (a->type != b->type)
|
|
|
|
|
return -1;
|
|
|
|
|
|
2020-02-05 12:55:43 +01:00
|
|
|
if (a->ameth != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
int ret;
|
|
|
|
|
/* Compare parameters if the algorithm has them */
|
2020-02-05 12:55:43 +01:00
|
|
|
if (a->ameth->param_cmp != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ret = a->ameth->param_cmp(a, b);
|
|
|
|
|
if (ret <= 0)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-05 12:55:43 +01:00
|
|
|
if (a->ameth->pub_cmp != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
return a->ameth->pub_cmp(a, b);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
2003-04-03 22:27:24 +00:00
|
|
|
|
2018-03-15 12:19:16 +00:00
|
|
|
EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *e,
|
|
|
|
|
const unsigned char *priv,
|
|
|
|
|
size_t len)
|
2018-03-05 14:06:41 +00:00
|
|
|
{
|
|
|
|
|
EVP_PKEY *ret = EVP_PKEY_new();
|
|
|
|
|
|
|
|
|
|
if (ret == NULL
|
2020-03-21 06:14:25 +01:00
|
|
|
|| !pkey_set_type(ret, e, type, NULL, -1, NULL)) {
|
2018-03-05 14:06:41 +00:00
|
|
|
/* EVPerr already called */
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret->ameth->set_priv_key == NULL) {
|
2018-03-15 12:19:16 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW_RAW_PRIVATE_KEY,
|
2018-03-05 14:06:41 +00:00
|
|
|
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ret->ameth->set_priv_key(ret, priv, len)) {
|
2018-03-15 12:19:16 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW_RAW_PRIVATE_KEY, EVP_R_KEY_SETUP_FAILED);
|
2018-03-05 14:06:41 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
EVP_PKEY_free(ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-15 12:19:16 +00:00
|
|
|
EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *e,
|
|
|
|
|
const unsigned char *pub,
|
|
|
|
|
size_t len)
|
2018-03-05 14:06:41 +00:00
|
|
|
{
|
|
|
|
|
EVP_PKEY *ret = EVP_PKEY_new();
|
|
|
|
|
|
|
|
|
|
if (ret == NULL
|
2020-03-21 06:14:25 +01:00
|
|
|
|| !pkey_set_type(ret, e, type, NULL, -1, NULL)) {
|
2018-03-05 14:06:41 +00:00
|
|
|
/* EVPerr already called */
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret->ameth->set_pub_key == NULL) {
|
2018-03-15 12:19:16 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW_RAW_PUBLIC_KEY,
|
2018-03-05 14:06:41 +00:00
|
|
|
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ret->ameth->set_pub_key(ret, pub, len)) {
|
2018-03-15 12:19:16 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW_RAW_PUBLIC_KEY, EVP_R_KEY_SETUP_FAILED);
|
2018-03-05 14:06:41 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
EVP_PKEY_free(ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-01 12:22:28 +01:00
|
|
|
int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, unsigned char *priv,
|
|
|
|
|
size_t *len)
|
|
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
/* TODO(3.0) Do we need to do anything about provider side keys? */
|
2018-06-01 12:22:28 +01:00
|
|
|
if (pkey->ameth->get_priv_key == NULL) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET_RAW_PRIVATE_KEY,
|
|
|
|
|
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!pkey->ameth->get_priv_key(pkey, priv, len)) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET_RAW_PRIVATE_KEY, EVP_R_GET_RAW_KEY_FAILED);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub,
|
|
|
|
|
size_t *len)
|
|
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
/* TODO(3.0) Do we need to do anything about provider side keys? */
|
2018-06-01 12:22:28 +01:00
|
|
|
if (pkey->ameth->get_pub_key == NULL) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET_RAW_PUBLIC_KEY,
|
|
|
|
|
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!pkey->ameth->get_pub_key(pkey, pub, len)) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET_RAW_PUBLIC_KEY, EVP_R_GET_RAW_KEY_FAILED);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-05 17:23:57 +00:00
|
|
|
EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
|
|
|
|
|
size_t len, const EVP_CIPHER *cipher)
|
|
|
|
|
{
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_CMAC
|
|
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
2019-08-29 11:55:57 +01:00
|
|
|
const char *engine_id = e != NULL ? ENGINE_get_id(e) : NULL;
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2019-05-07 12:39:58 +02:00
|
|
|
const char *cipher_name = EVP_CIPHER_name(cipher);
|
|
|
|
|
const OSSL_PROVIDER *prov = EVP_CIPHER_provider(cipher);
|
|
|
|
|
OPENSSL_CTX *libctx =
|
|
|
|
|
prov == NULL ? NULL : ossl_provider_library_context(prov);
|
2018-03-05 17:23:57 +00:00
|
|
|
EVP_PKEY *ret = EVP_PKEY_new();
|
2019-08-15 12:39:20 +02:00
|
|
|
EVP_MAC *cmac = EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, NULL);
|
2019-05-07 12:39:58 +02:00
|
|
|
EVP_MAC_CTX *cmctx = cmac != NULL ? EVP_MAC_CTX_new(cmac) : NULL;
|
|
|
|
|
OSSL_PARAM params[4];
|
|
|
|
|
size_t paramsn = 0;
|
2018-03-05 17:23:57 +00:00
|
|
|
|
|
|
|
|
if (ret == NULL
|
2020-03-21 06:14:25 +01:00
|
|
|
|| cmctx == NULL
|
|
|
|
|
|| !pkey_set_type(ret, e, EVP_PKEY_CMAC, NULL, -1, NULL)) {
|
2018-03-05 17:23:57 +00:00
|
|
|
/* EVPerr already called */
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
2019-08-29 11:55:57 +01:00
|
|
|
if (engine_id != NULL)
|
2019-05-07 12:39:58 +02:00
|
|
|
params[paramsn++] =
|
2019-09-22 10:43:08 +10:00
|
|
|
OSSL_PARAM_construct_utf8_string("engine", (char *)engine_id, 0);
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2019-08-28 16:18:05 +01:00
|
|
|
|
2019-05-07 12:39:58 +02:00
|
|
|
params[paramsn++] =
|
2019-08-22 12:50:00 +02:00
|
|
|
OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
|
2019-09-04 19:27:08 +10:00
|
|
|
(char *)cipher_name, 0);
|
2019-05-07 12:39:58 +02:00
|
|
|
params[paramsn++] =
|
|
|
|
|
OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
|
|
|
|
|
(char *)priv, len);
|
|
|
|
|
params[paramsn] = OSSL_PARAM_construct_end();
|
|
|
|
|
|
|
|
|
|
if (!EVP_MAC_CTX_set_params(cmctx, params)) {
|
2018-03-05 17:23:57 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW_CMAC_KEY, EVP_R_KEY_SETUP_FAILED);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret->pkey.ptr = cmctx;
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
EVP_PKEY_free(ret);
|
2018-10-24 21:40:00 +02:00
|
|
|
EVP_MAC_CTX_free(cmctx);
|
2019-05-07 12:39:58 +02:00
|
|
|
EVP_MAC_free(cmac);
|
2018-03-05 17:23:57 +00:00
|
|
|
return NULL;
|
2020-01-12 11:32:12 +10:00
|
|
|
# else
|
2018-03-19 10:35:16 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW_CMAC_KEY,
|
|
|
|
|
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
|
|
|
|
|
return NULL;
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2018-03-05 17:23:57 +00:00
|
|
|
}
|
2018-03-05 14:06:41 +00:00
|
|
|
|
2006-06-05 11:52:46 +00:00
|
|
|
int EVP_PKEY_set_type(EVP_PKEY *pkey, int type)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-03-21 06:14:25 +01:00
|
|
|
return pkey_set_type(pkey, NULL, type, NULL, -1, NULL);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-06-05 11:52:46 +00:00
|
|
|
|
|
|
|
|
int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-03-21 06:14:25 +01:00
|
|
|
return pkey_set_type(pkey, NULL, EVP_PKEY_NONE, str, len, NULL);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2018-06-18 15:49:15 -04:00
|
|
|
|
|
|
|
|
int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type)
|
|
|
|
|
{
|
|
|
|
|
if (pkey->type == type) {
|
|
|
|
|
return 1; /* it already is that type */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The application is requesting to alias this to a different pkey type,
|
|
|
|
|
* but not one that resolves to the base type.
|
|
|
|
|
*/
|
|
|
|
|
if (EVP_PKEY_type(type) != EVP_PKEY_base_id(pkey)) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_SET_ALIAS_TYPE, EVP_R_UNSUPPORTED_ALGORITHM);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pkey->type = type;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
2017-10-09 15:21:11 +01:00
|
|
|
int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *e)
|
|
|
|
|
{
|
|
|
|
|
if (e != NULL) {
|
|
|
|
|
if (!ENGINE_init(e)) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_SET1_ENGINE, ERR_R_ENGINE_LIB);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
if (ENGINE_get_pkey_meth(e, pkey->type) == NULL) {
|
|
|
|
|
ENGINE_finish(e);
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_SET1_ENGINE, EVP_R_UNSUPPORTED_ALGORITHM);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ENGINE_finish(pkey->pmeth_engine);
|
|
|
|
|
pkey->pmeth_engine = e;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2019-02-25 18:02:33 +03:00
|
|
|
|
|
|
|
|
ENGINE *EVP_PKEY_get0_engine(const EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
return pkey->engine;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2006-06-05 11:52:46 +00:00
|
|
|
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-01-24 17:51:39 +01:00
|
|
|
int alias = type;
|
|
|
|
|
|
2020-02-06 15:17:28 +00:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2020-01-24 17:51:39 +01:00
|
|
|
if (EVP_PKEY_type(type) == EVP_PKEY_EC) {
|
|
|
|
|
const EC_GROUP *group = EC_KEY_get0_group(key);
|
|
|
|
|
|
|
|
|
|
if (group != NULL && EC_GROUP_get_curve_name(group) == NID_sm2)
|
|
|
|
|
alias = EVP_PKEY_SM2;
|
|
|
|
|
}
|
2020-02-06 15:17:28 +00:00
|
|
|
#endif
|
2020-01-24 17:51:39 +01:00
|
|
|
|
2015-09-01 16:31:55 +02:00
|
|
|
if (pkey == NULL || !EVP_PKEY_set_type(pkey, type))
|
2015-01-22 03:40:55 +00:00
|
|
|
return 0;
|
2020-01-24 17:51:39 +01:00
|
|
|
if (!EVP_PKEY_set_alias_type(pkey, alias))
|
|
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
pkey->pkey.ptr = key;
|
|
|
|
|
return (key != NULL);
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2016-01-19 00:21:12 +00:00
|
|
|
void *EVP_PKEY_get0(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
return pkey->pkey.ptr;
|
|
|
|
|
}
|
2006-03-24 13:46:58 +00:00
|
|
|
|
2016-06-15 14:02:04 -04:00
|
|
|
const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len)
|
|
|
|
|
{
|
|
|
|
|
ASN1_OCTET_STRING *os = NULL;
|
|
|
|
|
if (pkey->type != EVP_PKEY_HMAC) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_HMAC, EVP_R_EXPECTING_AN_HMAC_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
os = EVP_PKEY_get0(pkey);
|
|
|
|
|
*len = os->length;
|
|
|
|
|
return os->data;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_POLY1305
|
2016-12-16 17:00:43 -05:00
|
|
|
const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len)
|
|
|
|
|
{
|
|
|
|
|
ASN1_OCTET_STRING *os = NULL;
|
|
|
|
|
if (pkey->type != EVP_PKEY_POLY1305) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_POLY1305, EVP_R_EXPECTING_A_POLY1305_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
os = EVP_PKEY_get0(pkey);
|
|
|
|
|
*len = os->length;
|
|
|
|
|
return os->data;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2016-12-16 17:00:43 -05:00
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_SIPHASH
|
2017-01-11 16:38:44 -05:00
|
|
|
const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len)
|
|
|
|
|
{
|
|
|
|
|
ASN1_OCTET_STRING *os = NULL;
|
|
|
|
|
|
|
|
|
|
if (pkey->type != EVP_PKEY_SIPHASH) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_SIPHASH, EVP_R_EXPECTING_A_SIPHASH_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
os = EVP_PKEY_get0(pkey);
|
|
|
|
|
*len = os->length;
|
|
|
|
|
return os->data;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2017-01-11 16:38:44 -05:00
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_RSA
|
2000-02-26 01:55:33 +00:00
|
|
|
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
|
1999-11-21 22:28:31 +00:00
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
int ret = EVP_PKEY_assign_RSA(pkey, key);
|
|
|
|
|
if (ret)
|
|
|
|
|
RSA_up_ref(key);
|
|
|
|
|
return ret;
|
1999-11-21 22:28:31 +00:00
|
|
|
}
|
|
|
|
|
|
2019-01-15 21:51:25 +01:00
|
|
|
RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2019-10-18 20:44:49 +02:00
|
|
|
if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA_PSS) {
|
2015-12-13 17:57:01 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
|
2015-01-22 03:40:55 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
return pkey->pkey.rsa;
|
1999-10-25 02:00:09 +00:00
|
|
|
}
|
2015-12-13 17:57:01 +00:00
|
|
|
|
|
|
|
|
RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
RSA *ret = EVP_PKEY_get0_RSA(pkey);
|
|
|
|
|
if (ret != NULL)
|
|
|
|
|
RSA_up_ref(ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
1999-10-25 02:00:09 +00:00
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_DSA
|
2019-01-15 21:51:25 +01:00
|
|
|
DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
if (pkey->type != EVP_PKEY_DSA) {
|
2015-12-13 17:57:01 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_DSA, EVP_R_EXPECTING_A_DSA_KEY);
|
2015-01-22 03:40:55 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
return pkey->pkey.dsa;
|
1999-10-25 02:00:09 +00:00
|
|
|
}
|
2015-12-13 17:57:01 +00:00
|
|
|
|
2020-04-15 21:02:52 +10:00
|
|
|
int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
|
|
|
|
|
{
|
|
|
|
|
int ret = EVP_PKEY_assign_DSA(pkey, key);
|
|
|
|
|
if (ret)
|
|
|
|
|
DSA_up_ref(key);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2015-12-13 17:57:01 +00:00
|
|
|
DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
DSA *ret = EVP_PKEY_get0_DSA(pkey);
|
|
|
|
|
if (ret != NULL)
|
|
|
|
|
DSA_up_ref(ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2020-04-15 21:02:52 +10:00
|
|
|
# endif /* OPENSSL_NO_DSA */
|
2020-04-13 22:34:56 +02:00
|
|
|
#endif /* FIPS_MODULE */
|
1999-10-25 02:00:09 +00:00
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_EC
|
2002-08-07 10:49:54 +00:00
|
|
|
int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
|
2002-02-13 18:21:51 +00:00
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
int ret = EVP_PKEY_assign_EC_KEY(pkey, key);
|
|
|
|
|
if (ret)
|
|
|
|
|
EC_KEY_up_ref(key);
|
|
|
|
|
return ret;
|
2002-02-13 18:21:51 +00:00
|
|
|
}
|
|
|
|
|
|
2019-01-15 21:51:25 +01:00
|
|
|
EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
|
2002-02-13 18:21:51 +00:00
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2020-01-24 17:51:39 +01:00
|
|
|
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
|
2015-12-13 17:57:01 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
|
2015-01-22 03:40:55 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
return pkey->pkey.ec;
|
2002-02-13 18:21:51 +00:00
|
|
|
}
|
2015-12-13 17:57:01 +00:00
|
|
|
|
|
|
|
|
EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
|
|
|
|
|
if (ret != NULL)
|
|
|
|
|
EC_KEY_up_ref(ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2002-02-13 18:21:51 +00:00
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_DH
|
1999-11-21 22:28:31 +00:00
|
|
|
|
2000-02-26 01:55:33 +00:00
|
|
|
int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
|
1999-11-21 22:28:31 +00:00
|
|
|
{
|
2019-12-09 11:51:48 +00:00
|
|
|
int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
|
|
|
|
|
int ret = EVP_PKEY_assign(pkey, type, key);
|
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (ret)
|
|
|
|
|
DH_up_ref(key);
|
|
|
|
|
return ret;
|
1999-11-21 22:28:31 +00:00
|
|
|
}
|
|
|
|
|
|
2019-01-15 21:51:25 +01:00
|
|
|
DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
if (pkey->type != EVP_PKEY_DH && pkey->type != EVP_PKEY_DHX) {
|
2015-12-13 17:57:01 +00:00
|
|
|
EVPerr(EVP_F_EVP_PKEY_GET0_DH, EVP_R_EXPECTING_A_DH_KEY);
|
2015-01-22 03:40:55 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
return pkey->pkey.dh;
|
1999-10-25 02:00:09 +00:00
|
|
|
}
|
2015-12-13 17:57:01 +00:00
|
|
|
|
|
|
|
|
DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
DH *ret = EVP_PKEY_get0_DH(pkey);
|
|
|
|
|
if (ret != NULL)
|
|
|
|
|
DH_up_ref(ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
1999-10-25 02:00:09 +00:00
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
int EVP_PKEY_type(int type)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
const EVP_PKEY_ASN1_METHOD *ameth;
|
|
|
|
|
ENGINE *e;
|
|
|
|
|
ameth = EVP_PKEY_asn1_find(&e, type);
|
|
|
|
|
if (ameth)
|
|
|
|
|
ret = ameth->pkey_id;
|
|
|
|
|
else
|
|
|
|
|
ret = NID_undef;
|
2020-01-12 11:32:12 +10:00
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
2016-02-25 12:09:06 -05:00
|
|
|
ENGINE_finish(e);
|
2020-01-12 11:32:12 +10:00
|
|
|
# endif
|
2015-01-22 03:40:55 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2006-05-11 21:33:00 +00:00
|
|
|
int EVP_PKEY_id(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
|
return pkey->type;
|
|
|
|
|
}
|
2006-05-11 21:33:00 +00:00
|
|
|
|
|
|
|
|
int EVP_PKEY_base_id(const EVP_PKEY *pkey)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
|
return EVP_PKEY_type(pkey->type);
|
|
|
|
|
}
|
2006-05-11 21:33:00 +00:00
|
|
|
|
2020-03-16 18:55:32 +01:00
|
|
|
int EVP_PKEY_is_a(const EVP_PKEY *pkey, const char *name)
|
|
|
|
|
{
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-16 18:55:32 +01:00
|
|
|
if (pkey->keymgmt == NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* These hard coded cases are pure hackery to get around the fact
|
|
|
|
|
* that names in crypto/objects/objects.txt are a mess. There is
|
|
|
|
|
* no "EC", and "RSA" leads to the NID for 2.5.8.1.1, an OID that's
|
|
|
|
|
* fallen out in favor of { pkcs-1 1 }, i.e. 1.2.840.113549.1.1.1,
|
|
|
|
|
* the NID of which is used for EVP_PKEY_RSA. Strangely enough,
|
|
|
|
|
* "DSA" is accurate... but still, better be safe and hard-code
|
|
|
|
|
* names that we know.
|
|
|
|
|
* TODO Clean this away along with all other #legacy support.
|
|
|
|
|
*/
|
|
|
|
|
int type;
|
|
|
|
|
|
|
|
|
|
if (strcasecmp(name, "RSA") == 0)
|
|
|
|
|
type = EVP_PKEY_RSA;
|
|
|
|
|
#ifndef OPENSSL_NO_EC
|
|
|
|
|
else if (strcasecmp(name, "EC") == 0)
|
|
|
|
|
type = EVP_PKEY_EC;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_DSA
|
|
|
|
|
else if (strcasecmp(name, "DSA") == 0)
|
|
|
|
|
type = EVP_PKEY_DSA;
|
|
|
|
|
#endif
|
|
|
|
|
else
|
|
|
|
|
type = EVP_PKEY_type(OBJ_sn2nid(name));
|
|
|
|
|
return EVP_PKEY_type(pkey->type) == type;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return EVP_KEYMGMT_is_a(pkey->keymgmt, name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_can_sign(const EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
if (pkey->keymgmt == NULL) {
|
|
|
|
|
switch (EVP_PKEY_base_id(pkey)) {
|
|
|
|
|
case EVP_PKEY_RSA:
|
|
|
|
|
return 1;
|
|
|
|
|
#ifndef OPENSSL_NO_DSA
|
|
|
|
|
case EVP_PKEY_DSA:
|
|
|
|
|
return 1;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_EC
|
|
|
|
|
case EVP_PKEY_ED25519:
|
|
|
|
|
case EVP_PKEY_ED448:
|
|
|
|
|
return 1;
|
|
|
|
|
case EVP_PKEY_EC: /* Including SM2 */
|
|
|
|
|
return EC_KEY_can_sign(pkey->pkey.ec);
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
const OSSL_PROVIDER *prov = EVP_KEYMGMT_provider(pkey->keymgmt);
|
|
|
|
|
OPENSSL_CTX *libctx = ossl_provider_library_context(prov);
|
|
|
|
|
const char *supported_sig =
|
|
|
|
|
pkey->keymgmt->query_operation_name != NULL
|
|
|
|
|
? pkey->keymgmt->query_operation_name(OSSL_OP_SIGNATURE)
|
|
|
|
|
: evp_first_name(prov, pkey->keymgmt->name_id);
|
|
|
|
|
EVP_SIGNATURE *signature = NULL;
|
|
|
|
|
|
|
|
|
|
signature = EVP_SIGNATURE_fetch(libctx, supported_sig, NULL);
|
|
|
|
|
if (signature != NULL) {
|
|
|
|
|
EVP_SIGNATURE_free(signature);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2020-03-18 15:54:47 +01:00
|
|
|
#ifndef OPENSSL_NO_EC
|
|
|
|
|
/*
|
|
|
|
|
* TODO rewrite when we have proper data extraction functions
|
|
|
|
|
* Note: an octet pointer would be desirable!
|
|
|
|
|
*/
|
|
|
|
|
static OSSL_CALLBACK get_ec_curve_name_cb;
|
|
|
|
|
static int get_ec_curve_name_cb(const OSSL_PARAM params[], void *arg)
|
|
|
|
|
{
|
|
|
|
|
const OSSL_PARAM *p = NULL;
|
|
|
|
|
|
|
|
|
|
if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME)) != NULL)
|
|
|
|
|
return OSSL_PARAM_get_utf8_string(p, arg, 0);
|
|
|
|
|
|
|
|
|
|
/* If there is no curve name, this is not an EC key */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int evp_pkey_get_EC_KEY_curve_nid(const EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
int ret = NID_undef;
|
|
|
|
|
|
|
|
|
|
if (pkey->keymgmt == NULL) {
|
|
|
|
|
if (EVP_PKEY_base_id(pkey) == EVP_PKEY_EC) {
|
|
|
|
|
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
|
|
|
|
|
|
|
|
|
|
ret = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
|
|
|
|
|
}
|
|
|
|
|
} else if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "SM2")) {
|
|
|
|
|
char *curve_name = NULL;
|
|
|
|
|
|
|
|
|
|
ret = evp_keymgmt_export(pkey->keymgmt, pkey->keydata,
|
|
|
|
|
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
|
|
|
|
get_ec_curve_name_cb, &curve_name);
|
|
|
|
|
if (ret)
|
|
|
|
|
ret = ec_curve_name2nid(curve_name);
|
|
|
|
|
OPENSSL_free(curve_name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2019-11-27 18:35:48 +01:00
|
|
|
static int print_reset_indent(BIO **out, int pop_f_prefix, long saved_indent)
|
|
|
|
|
{
|
|
|
|
|
BIO_set_indent(*out, saved_indent);
|
|
|
|
|
if (pop_f_prefix) {
|
|
|
|
|
BIO *next = BIO_pop(*out);
|
|
|
|
|
|
|
|
|
|
BIO_free(*out);
|
|
|
|
|
*out = next;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int print_set_indent(BIO **out, int *pop_f_prefix, long *saved_indent,
|
|
|
|
|
long indent)
|
|
|
|
|
{
|
|
|
|
|
*pop_f_prefix = 0;
|
|
|
|
|
*saved_indent = 0;
|
|
|
|
|
if (indent > 0) {
|
|
|
|
|
long i = BIO_get_indent(*out);
|
|
|
|
|
|
|
|
|
|
*saved_indent = (i < 0 ? 0 : i);
|
|
|
|
|
if (BIO_set_indent(*out, indent) <= 0) {
|
|
|
|
|
if ((*out = BIO_push(BIO_new(BIO_f_prefix()), *out)) == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
*pop_f_prefix = 1;
|
|
|
|
|
}
|
|
|
|
|
if (BIO_set_indent(*out, indent) <= 0) {
|
|
|
|
|
print_reset_indent(out, *pop_f_prefix, *saved_indent);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2006-03-22 13:09:35 +00:00
|
|
|
static int unsup_alg(BIO *out, const EVP_PKEY *pkey, int indent,
|
2015-01-22 03:40:55 +00:00
|
|
|
const char *kstr)
|
|
|
|
|
{
|
2020-01-06 11:23:21 +10:00
|
|
|
return BIO_indent(out, indent, 128)
|
|
|
|
|
&& BIO_printf(out, "%s algorithm \"%s\" unsupported\n",
|
|
|
|
|
kstr, OBJ_nid2ln(pkey->type)) > 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-03-22 13:09:35 +00:00
|
|
|
|
2019-11-27 18:35:48 +01:00
|
|
|
static int print_pkey(const EVP_PKEY *pkey, BIO *out, int indent,
|
|
|
|
|
const char *propquery /* For provided serialization */,
|
|
|
|
|
int (*legacy_print)(BIO *out, const EVP_PKEY *pkey,
|
|
|
|
|
int indent, ASN1_PCTX *pctx),
|
|
|
|
|
ASN1_PCTX *legacy_pctx /* For legacy print */)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2019-11-27 18:35:48 +01:00
|
|
|
int pop_f_prefix;
|
|
|
|
|
long saved_indent;
|
|
|
|
|
OSSL_SERIALIZER_CTX *ctx = NULL;
|
|
|
|
|
int ret = -2; /* default to unsupported */
|
|
|
|
|
|
|
|
|
|
if (!print_set_indent(&out, &pop_f_prefix, &saved_indent, indent))
|
|
|
|
|
return 0;
|
2019-11-18 01:47:32 +01:00
|
|
|
|
2019-11-27 18:35:48 +01:00
|
|
|
ctx = OSSL_SERIALIZER_CTX_new_by_EVP_PKEY(pkey, propquery);
|
2019-11-18 01:47:32 +01:00
|
|
|
if (OSSL_SERIALIZER_CTX_get_serializer(ctx) != NULL)
|
|
|
|
|
ret = OSSL_SERIALIZER_to_bio(ctx, out);
|
|
|
|
|
OSSL_SERIALIZER_CTX_free(ctx);
|
|
|
|
|
|
|
|
|
|
if (ret != -2)
|
2019-11-27 18:35:48 +01:00
|
|
|
goto end;
|
2019-11-18 01:47:32 +01:00
|
|
|
|
|
|
|
|
/* legacy fallback */
|
2019-11-27 18:35:48 +01:00
|
|
|
if (legacy_print != NULL)
|
|
|
|
|
ret = legacy_print(out, pkey, 0, legacy_pctx);
|
|
|
|
|
else
|
|
|
|
|
ret = unsup_alg(out, pkey, 0, "Public Key");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2019-11-27 18:35:48 +01:00
|
|
|
end:
|
|
|
|
|
print_reset_indent(&out, pop_f_prefix, saved_indent);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
|
|
|
|
|
int indent, ASN1_PCTX *pctx)
|
|
|
|
|
{
|
|
|
|
|
return print_pkey(pkey, out, indent, OSSL_SERIALIZER_PUBKEY_TO_TEXT_PQ,
|
|
|
|
|
(pkey->ameth != NULL ? pkey->ameth->pub_print : NULL),
|
|
|
|
|
pctx);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-03-22 13:09:35 +00:00
|
|
|
|
|
|
|
|
int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
|
2015-01-22 03:40:55 +00:00
|
|
|
int indent, ASN1_PCTX *pctx)
|
|
|
|
|
{
|
2019-11-27 18:35:48 +01:00
|
|
|
return print_pkey(pkey, out, indent, OSSL_SERIALIZER_PrivateKey_TO_TEXT_PQ,
|
|
|
|
|
(pkey->ameth != NULL ? pkey->ameth->priv_print : NULL),
|
|
|
|
|
pctx);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-03-22 13:09:35 +00:00
|
|
|
|
|
|
|
|
int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
|
2015-01-22 03:40:55 +00:00
|
|
|
int indent, ASN1_PCTX *pctx)
|
|
|
|
|
{
|
2019-11-27 18:35:48 +01:00
|
|
|
return print_pkey(pkey, out, indent, OSSL_SERIALIZER_Parameters_TO_TEXT_PQ,
|
|
|
|
|
(pkey->ameth != NULL ? pkey->ameth->param_print : NULL),
|
|
|
|
|
pctx);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-05-07 17:09:39 +00:00
|
|
|
|
2020-01-13 08:49:44 +01:00
|
|
|
static int legacy_asn1_ctrl_to_param(EVP_PKEY *pkey, int op,
|
|
|
|
|
int arg1, void *arg2)
|
|
|
|
|
{
|
2020-02-20 20:26:16 +01:00
|
|
|
if (pkey->keymgmt == NULL)
|
2020-01-13 08:49:44 +01:00
|
|
|
return 0;
|
|
|
|
|
switch (op) {
|
|
|
|
|
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
|
|
|
|
{
|
|
|
|
|
char mdname[80] = "";
|
|
|
|
|
int nid;
|
|
|
|
|
int rv = EVP_PKEY_get_default_digest_name(pkey, mdname,
|
|
|
|
|
sizeof(mdname));
|
|
|
|
|
|
|
|
|
|
if (rv <= 0)
|
|
|
|
|
return rv;
|
|
|
|
|
nid = OBJ_sn2nid(mdname);
|
|
|
|
|
if (nid == NID_undef)
|
|
|
|
|
nid = OBJ_ln2nid(mdname);
|
|
|
|
|
if (nid == NID_undef)
|
|
|
|
|
return 0;
|
|
|
|
|
*(int *)arg2 = nid;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-08-10 22:30:43 +01:00
|
|
|
static int evp_pkey_asn1_ctrl(EVP_PKEY *pkey, int op, int arg1, void *arg2)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2020-01-13 08:49:44 +01:00
|
|
|
if (pkey->ameth == NULL)
|
|
|
|
|
return legacy_asn1_ctrl_to_param(pkey, op, arg1, arg2);
|
|
|
|
|
if (pkey->ameth->pkey_ctrl == NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
return -2;
|
2016-08-10 22:30:43 +01:00
|
|
|
return pkey->ameth->pkey_ctrl(pkey, op, arg1, arg2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid)
|
|
|
|
|
{
|
|
|
|
|
return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid);
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-13 08:49:44 +01:00
|
|
|
int EVP_PKEY_get_default_digest_name(EVP_PKEY *pkey,
|
|
|
|
|
char *mdname, size_t mdname_sz)
|
|
|
|
|
{
|
2020-04-20 09:14:59 +02:00
|
|
|
if (pkey->ameth == NULL)
|
|
|
|
|
return evp_keymgmt_util_get_deflt_digest_name(pkey->keymgmt,
|
|
|
|
|
pkey->keydata,
|
|
|
|
|
mdname, mdname_sz);
|
2020-01-13 08:49:44 +01:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
int nid = NID_undef;
|
|
|
|
|
int rv = EVP_PKEY_get_default_digest_nid(pkey, &nid);
|
|
|
|
|
const char *name = rv > 0 ? OBJ_nid2sn(nid) : NULL;
|
|
|
|
|
|
|
|
|
|
if (rv > 0)
|
|
|
|
|
OPENSSL_strlcpy(mdname, name, mdname_sz);
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-22 18:49:54 +01:00
|
|
|
int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid)
|
|
|
|
|
{
|
|
|
|
|
int rv, default_nid;
|
|
|
|
|
|
|
|
|
|
rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SUPPORTS_MD_NID, nid, NULL);
|
|
|
|
|
if (rv == -2) {
|
|
|
|
|
/*
|
|
|
|
|
* If there is a mandatory default digest and this isn't it, then
|
|
|
|
|
* the answer is 'no'.
|
|
|
|
|
*/
|
|
|
|
|
rv = EVP_PKEY_get_default_digest_nid(pkey, &default_nid);
|
|
|
|
|
if (rv == 2)
|
|
|
|
|
return (nid == default_nid);
|
|
|
|
|
/* zero is an error from EVP_PKEY_get_default_digest_nid() */
|
|
|
|
|
if (rv == 0)
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2016-08-10 22:30:43 +01:00
|
|
|
int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,
|
|
|
|
|
const unsigned char *pt, size_t ptlen)
|
|
|
|
|
{
|
|
|
|
|
if (ptlen > INT_MAX)
|
|
|
|
|
return 0;
|
|
|
|
|
if (evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SET1_TLS_ENCPT, ptlen,
|
|
|
|
|
(void *)pt) <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt)
|
|
|
|
|
{
|
|
|
|
|
int rv;
|
|
|
|
|
rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_GET1_TLS_ENCPT, 0, ppt);
|
|
|
|
|
if (rv <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return rv;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#endif /* FIPS_MODULE */
|
2020-01-12 11:32:12 +10:00
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
/*- All methods below can also be used in FIPS_MODULE */
|
2020-01-12 11:32:12 +10:00
|
|
|
|
|
|
|
|
EVP_PKEY *EVP_PKEY_new(void)
|
|
|
|
|
{
|
|
|
|
|
EVP_PKEY *ret = OPENSSL_zalloc(sizeof(*ret));
|
|
|
|
|
|
|
|
|
|
if (ret == NULL) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
ret->type = EVP_PKEY_NONE;
|
|
|
|
|
ret->save_type = EVP_PKEY_NONE;
|
|
|
|
|
ret->references = 1;
|
|
|
|
|
ret->save_parameters = 1;
|
|
|
|
|
ret->lock = CRYPTO_THREAD_lock_new();
|
|
|
|
|
if (ret->lock == NULL) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE);
|
2020-04-07 00:18:09 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-04-07 00:18:09 +00:00
|
|
|
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EVP_PKEY, ret, &ret->ex_data)) {
|
|
|
|
|
EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE);
|
|
|
|
|
goto err;
|
2020-01-12 11:32:12 +10:00
|
|
|
}
|
2020-04-07 00:18:09 +00:00
|
|
|
#endif
|
2020-01-12 11:32:12 +10:00
|
|
|
return ret;
|
2020-04-07 00:18:09 +00:00
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
CRYPTO_THREAD_lock_free(ret->lock);
|
|
|
|
|
OPENSSL_free(ret);
|
|
|
|
|
return NULL;
|
2020-01-12 11:32:12 +10:00
|
|
|
}
|
|
|
|
|
|
2020-03-21 06:14:25 +01:00
|
|
|
/*
|
|
|
|
|
* Setup a public key management method.
|
|
|
|
|
*
|
|
|
|
|
* For legacy keys, either |type| or |str| is expected to have the type
|
|
|
|
|
* information. In this case, the setup consists of finding an ASN1 method
|
|
|
|
|
* and potentially an ENGINE, and setting those fields in |pkey|.
|
|
|
|
|
*
|
|
|
|
|
* For provider side keys, |keymgmt| is expected to be non-NULL. In this
|
|
|
|
|
* case, the setup consists of setting the |keymgmt| field in |pkey|.
|
|
|
|
|
*
|
|
|
|
|
* If pkey is NULL just return 1 or 0 if the key management method exists.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
|
|
|
|
|
int len, EVP_KEYMGMT *keymgmt)
|
|
|
|
|
{
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
const EVP_PKEY_ASN1_METHOD *ameth = NULL;
|
|
|
|
|
ENGINE **eptr = (e == NULL) ? &e : NULL;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The setups can't set both legacy and provider side methods.
|
|
|
|
|
* It is forbidden
|
|
|
|
|
*/
|
|
|
|
|
if (!ossl_assert(type == EVP_PKEY_NONE || keymgmt == NULL)
|
|
|
|
|
|| !ossl_assert(e == NULL || keymgmt == NULL)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pkey != NULL) {
|
|
|
|
|
int free_it = 0;
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
free_it = free_it || pkey->pkey.ptr != NULL;
|
|
|
|
|
#endif
|
|
|
|
|
free_it = free_it || pkey->keydata != NULL;
|
|
|
|
|
if (free_it)
|
|
|
|
|
evp_pkey_free_it(pkey);
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
/*
|
|
|
|
|
* If key type matches and a method exists then this lookup has
|
|
|
|
|
* succeeded once so just indicate success.
|
|
|
|
|
*/
|
|
|
|
|
if (pkey->type != EVP_PKEY_NONE
|
|
|
|
|
&& type == pkey->save_type
|
|
|
|
|
&& pkey->ameth != NULL)
|
|
|
|
|
return 1;
|
|
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
/* If we have ENGINEs release them */
|
|
|
|
|
ENGINE_finish(pkey->engine);
|
|
|
|
|
pkey->engine = NULL;
|
|
|
|
|
ENGINE_finish(pkey->pmeth_engine);
|
|
|
|
|
pkey->pmeth_engine = NULL;
|
|
|
|
|
# endif
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
if (str != NULL)
|
|
|
|
|
ameth = EVP_PKEY_asn1_find_str(eptr, str, len);
|
|
|
|
|
else if (type != EVP_PKEY_NONE)
|
|
|
|
|
ameth = EVP_PKEY_asn1_find(eptr, type);
|
|
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
if (pkey == NULL && eptr != NULL)
|
|
|
|
|
ENGINE_finish(e);
|
|
|
|
|
# endif
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
int check = 1;
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
check = check && ameth == NULL;
|
|
|
|
|
#endif
|
|
|
|
|
check = check && keymgmt == NULL;
|
|
|
|
|
if (check) {
|
|
|
|
|
EVPerr(EVP_F_PKEY_SET_TYPE, EVP_R_UNSUPPORTED_ALGORITHM);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (pkey != NULL) {
|
|
|
|
|
if (keymgmt != NULL && !EVP_KEYMGMT_up_ref(keymgmt)) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pkey->keymgmt = keymgmt;
|
|
|
|
|
|
|
|
|
|
pkey->save_type = type;
|
|
|
|
|
pkey->type = type;
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
/*
|
|
|
|
|
* If the internal "origin" key is provider side, don't save |ameth|.
|
|
|
|
|
* The main reason is that |ameth| is one factor to detect that the
|
|
|
|
|
* internal "origin" key is a legacy one.
|
|
|
|
|
*/
|
|
|
|
|
if (keymgmt == NULL)
|
|
|
|
|
pkey->ameth = ameth;
|
|
|
|
|
pkey->engine = e;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The EVP_PKEY_ASN1_METHOD |pkey_id| serves different purposes,
|
|
|
|
|
* depending on if we're setting this key to contain a legacy or
|
|
|
|
|
* a provider side "origin" key. For a legacy key, we assign it
|
|
|
|
|
* to the |type| field, but for a provider side key, we assign it
|
|
|
|
|
* to the |save_type| field, because |type| is supposed to be set
|
|
|
|
|
* to EVP_PKEY_NONE in that case.
|
|
|
|
|
*/
|
|
|
|
|
if (keymgmt != NULL)
|
|
|
|
|
pkey->save_type = ameth->pkey_id;
|
|
|
|
|
else if (pkey->ameth != NULL)
|
|
|
|
|
pkey->type = ameth->pkey_id;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
static void find_ameth(const char *name, void *data)
|
|
|
|
|
{
|
|
|
|
|
const char **str = data;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The error messages from pkey_set_type() are uninteresting here,
|
|
|
|
|
* and misleading.
|
|
|
|
|
*/
|
|
|
|
|
ERR_set_mark();
|
|
|
|
|
|
|
|
|
|
if (pkey_set_type(NULL, NULL, EVP_PKEY_NONE, name, strlen(name),
|
|
|
|
|
NULL)) {
|
|
|
|
|
if (str[0] == NULL)
|
|
|
|
|
str[0] = name;
|
|
|
|
|
else if (str[1] == NULL)
|
|
|
|
|
str[1] = name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ERR_pop_to_mark();
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_set_type_by_keymgmt(EVP_PKEY *pkey, EVP_KEYMGMT *keymgmt)
|
|
|
|
|
{
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:14:25 +01:00
|
|
|
# define EVP_PKEY_TYPE_STR str[0]
|
|
|
|
|
# define EVP_PKEY_TYPE_STRLEN (str[0] == NULL ? -1 : (int)strlen(str[0]))
|
|
|
|
|
/*
|
|
|
|
|
* Find at most two strings that have an associated EVP_PKEY_ASN1_METHOD
|
|
|
|
|
* Ideally, only one should be found. If two (or more) are found, the
|
|
|
|
|
* match is ambiguous. This should never happen, but...
|
|
|
|
|
*/
|
|
|
|
|
const char *str[2] = { NULL, NULL };
|
|
|
|
|
|
|
|
|
|
EVP_KEYMGMT_names_do_all(keymgmt, find_ameth, &str);
|
|
|
|
|
if (str[1] != NULL) {
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
# define EVP_PKEY_TYPE_STR NULL
|
|
|
|
|
# define EVP_PKEY_TYPE_STRLEN -1
|
|
|
|
|
#endif
|
|
|
|
|
return pkey_set_type(pkey, NULL, EVP_PKEY_NONE,
|
|
|
|
|
EVP_PKEY_TYPE_STR, EVP_PKEY_TYPE_STRLEN,
|
|
|
|
|
keymgmt);
|
|
|
|
|
|
|
|
|
|
#undef EVP_PKEY_TYPE_STR
|
|
|
|
|
#undef EVP_PKEY_TYPE_STRLEN
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
int EVP_PKEY_up_ref(EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (CRYPTO_UP_REF(&pkey->references, &i, pkey->lock) <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
REF_PRINT_COUNT("EVP_PKEY", pkey);
|
|
|
|
|
REF_ASSERT_ISNT(i < 2);
|
|
|
|
|
return ((i > 1) ? 1 : 0);
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2019-10-27 15:09:26 +01:00
|
|
|
void evp_pkey_free_legacy(EVP_PKEY *x)
|
2020-02-20 22:55:41 +01:00
|
|
|
{
|
|
|
|
|
if (x->ameth != NULL) {
|
2020-02-05 16:30:21 +01:00
|
|
|
if (x->ameth->pkey_free != NULL)
|
2020-02-20 22:55:41 +01:00
|
|
|
x->ameth->pkey_free(x);
|
|
|
|
|
x->pkey.ptr = NULL;
|
|
|
|
|
}
|
|
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
ENGINE_finish(x->engine);
|
|
|
|
|
x->engine = NULL;
|
|
|
|
|
ENGINE_finish(x->pmeth_engine);
|
|
|
|
|
x->pmeth_engine = NULL;
|
|
|
|
|
# endif
|
2020-03-21 06:14:25 +01:00
|
|
|
x->type = EVP_PKEY_NONE;
|
2020-02-20 22:55:41 +01:00
|
|
|
}
|
2020-04-13 22:34:56 +02:00
|
|
|
#endif /* FIPS_MODULE */
|
2020-02-20 22:55:41 +01:00
|
|
|
|
2020-01-12 11:32:12 +10:00
|
|
|
static void evp_pkey_free_it(EVP_PKEY *x)
|
|
|
|
|
{
|
|
|
|
|
/* internal function; x is never NULL */
|
|
|
|
|
|
2020-02-20 20:26:16 +01:00
|
|
|
evp_keymgmt_util_clear_operation_cache(x);
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-02-20 22:55:41 +01:00
|
|
|
evp_pkey_free_legacy(x);
|
|
|
|
|
#endif
|
2020-01-12 11:32:12 +10:00
|
|
|
|
2020-02-20 20:26:16 +01:00
|
|
|
if (x->keymgmt != NULL) {
|
|
|
|
|
evp_keymgmt_freedata(x->keymgmt, x->keydata);
|
|
|
|
|
EVP_KEYMGMT_free(x->keymgmt);
|
|
|
|
|
x->keymgmt = NULL;
|
|
|
|
|
x->keydata = NULL;
|
|
|
|
|
}
|
2020-01-12 11:32:12 +10:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void EVP_PKEY_free(EVP_PKEY *x)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (x == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
CRYPTO_DOWN_REF(&x->references, &i, x->lock);
|
|
|
|
|
REF_PRINT_COUNT("EVP_PKEY", x);
|
|
|
|
|
if (i > 0)
|
|
|
|
|
return;
|
|
|
|
|
REF_ASSERT_ISNT(i < 0);
|
|
|
|
|
evp_pkey_free_it(x);
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-04-07 00:18:09 +00:00
|
|
|
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EVP_PKEY, x, &x->ex_data);
|
|
|
|
|
#endif
|
2020-01-12 11:32:12 +10:00
|
|
|
CRYPTO_THREAD_lock_free(x->lock);
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-01-12 11:32:12 +10:00
|
|
|
sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free);
|
|
|
|
|
#endif
|
|
|
|
|
OPENSSL_free(x);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_size(const EVP_PKEY *pkey)
|
|
|
|
|
{
|
2020-03-21 06:03:39 +01:00
|
|
|
int size = 0;
|
|
|
|
|
|
2020-01-08 03:44:28 +01:00
|
|
|
if (pkey != NULL) {
|
2020-03-21 06:03:39 +01:00
|
|
|
size = pkey->cache.size;
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:03:39 +01:00
|
|
|
if (pkey->ameth != NULL && pkey->ameth->pkey_size != NULL)
|
|
|
|
|
size = pkey->ameth->pkey_size(pkey);
|
|
|
|
|
#endif
|
2020-01-08 03:44:28 +01:00
|
|
|
}
|
2020-03-21 06:03:39 +01:00
|
|
|
return size;
|
2020-01-12 11:32:12 +10:00
|
|
|
}
|
2020-01-14 14:11:47 +01:00
|
|
|
|
2020-02-20 20:26:16 +01:00
|
|
|
void *evp_pkey_export_to_provider(EVP_PKEY *pk, OPENSSL_CTX *libctx,
|
|
|
|
|
EVP_KEYMGMT **keymgmt,
|
|
|
|
|
const char *propquery)
|
2020-01-14 14:11:47 +01:00
|
|
|
{
|
|
|
|
|
EVP_KEYMGMT *allocated_keymgmt = NULL;
|
|
|
|
|
EVP_KEYMGMT *tmp_keymgmt = NULL;
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-02 18:56:07 +01:00
|
|
|
void *keydata = NULL;
|
2020-03-21 06:03:39 +01:00
|
|
|
int check;
|
2020-01-14 14:11:47 +01:00
|
|
|
|
|
|
|
|
if (pk == NULL)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2020-03-21 06:03:39 +01:00
|
|
|
/* No key data => nothing to export */
|
|
|
|
|
check = 1;
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:03:39 +01:00
|
|
|
check = check && pk->pkey.ptr == NULL;
|
|
|
|
|
#endif
|
|
|
|
|
check = check && pk->keydata == NULL;
|
|
|
|
|
if (check)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-02-12 14:28:50 +01:00
|
|
|
if (pk->pkey.ptr != NULL) {
|
|
|
|
|
/*
|
2020-02-20 20:26:16 +01:00
|
|
|
* If the legacy key doesn't have an dirty counter or export function,
|
|
|
|
|
* give up
|
2020-02-12 14:28:50 +01:00
|
|
|
*/
|
2020-02-20 20:26:16 +01:00
|
|
|
if (pk->ameth->dirty_cnt == NULL || pk->ameth->export_to == NULL)
|
|
|
|
|
return NULL;
|
2020-02-12 14:28:50 +01:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-02-20 20:26:16 +01:00
|
|
|
if (keymgmt != NULL) {
|
|
|
|
|
tmp_keymgmt = *keymgmt;
|
|
|
|
|
*keymgmt = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-17 14:37:47 +01:00
|
|
|
/*
|
|
|
|
|
* If no keymgmt was given or found, get a default keymgmt. We do so by
|
|
|
|
|
* letting EVP_PKEY_CTX_new_from_pkey() do it for us, then we steal it.
|
|
|
|
|
*/
|
2020-01-14 14:11:47 +01:00
|
|
|
if (tmp_keymgmt == NULL) {
|
2020-01-15 11:10:43 +00:00
|
|
|
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pk, propquery);
|
2020-01-14 14:11:47 +01:00
|
|
|
|
2020-03-17 14:37:47 +01:00
|
|
|
tmp_keymgmt = ctx->keymgmt;
|
|
|
|
|
ctx->keymgmt = NULL;
|
2020-01-14 14:11:47 +01:00
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-20 20:26:16 +01:00
|
|
|
/* If there's still no keymgmt to be had, give up */
|
2020-02-12 14:28:50 +01:00
|
|
|
if (tmp_keymgmt == NULL)
|
|
|
|
|
goto end;
|
2020-01-14 14:11:47 +01:00
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-02-12 14:28:50 +01:00
|
|
|
if (pk->pkey.ptr != NULL) {
|
2020-02-20 20:26:16 +01:00
|
|
|
size_t i = 0;
|
2020-02-12 14:28:50 +01:00
|
|
|
|
|
|
|
|
/*
|
2020-02-20 20:26:16 +01:00
|
|
|
* If the legacy "origin" hasn't changed since last time, we try
|
|
|
|
|
* to find our keymgmt in the operation cache. If it has changed,
|
|
|
|
|
* |i| remains zero, and we will clear the cache further down.
|
2020-02-12 14:28:50 +01:00
|
|
|
*/
|
2020-02-20 20:26:16 +01:00
|
|
|
if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
|
|
|
|
|
i = evp_keymgmt_util_find_operation_cache_index(pk, tmp_keymgmt);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If |tmp_keymgmt| is present in the operation cache, it means
|
|
|
|
|
* that export doesn't need to be redone. In that case, we take
|
|
|
|
|
* token copies of the cached pointers, to have token success
|
|
|
|
|
* values to return.
|
|
|
|
|
*/
|
|
|
|
|
if (i < OSSL_NELEM(pk->operation_cache)
|
|
|
|
|
&& pk->operation_cache[i].keymgmt != NULL) {
|
|
|
|
|
keydata = pk->operation_cache[i].keydata;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2020-02-12 14:28:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2020-02-20 20:26:16 +01:00
|
|
|
* TODO(3.0) Right now, we assume we have ample space. We will have
|
|
|
|
|
* to think about a cache aging scheme, though, if |i| indexes outside
|
|
|
|
|
* the array.
|
2020-02-12 14:28:50 +01:00
|
|
|
*/
|
2020-02-20 20:26:16 +01:00
|
|
|
if (!ossl_assert(i < OSSL_NELEM(pk->operation_cache)))
|
2020-02-12 14:28:50 +01:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
/* Make sure that the keymgmt key type matches the legacy NID */
|
|
|
|
|
if (!ossl_assert(EVP_KEYMGMT_is_a(tmp_keymgmt, OBJ_nid2sn(pk->type))))
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
if ((keydata = evp_keymgmt_newdata(tmp_keymgmt)) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
2020-04-06 16:05:24 +01:00
|
|
|
if (!pk->ameth->export_to(pk, keydata, tmp_keymgmt, libctx, propquery)) {
|
2020-02-12 14:28:50 +01:00
|
|
|
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
|
|
|
|
keydata = NULL;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-20 20:26:16 +01:00
|
|
|
/*
|
|
|
|
|
* If the dirty counter changed since last time, then clear the
|
|
|
|
|
* operation cache. In that case, we know that |i| is zero. Just
|
|
|
|
|
* in case this is a re-export, we increment then decrement the
|
|
|
|
|
* keymgmt reference counter.
|
|
|
|
|
*/
|
|
|
|
|
if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { /* refcnt++ */
|
|
|
|
|
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
|
|
|
|
keydata = NULL;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
|
|
|
|
|
evp_keymgmt_util_clear_operation_cache(pk);
|
|
|
|
|
EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
|
|
|
|
|
|
|
|
|
|
/* Add the new export to the operation cache */
|
|
|
|
|
if (!evp_keymgmt_util_cache_keydata(pk, i, tmp_keymgmt, keydata)) {
|
|
|
|
|
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
|
|
|
|
keydata = NULL;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2020-02-12 14:28:50 +01:00
|
|
|
|
|
|
|
|
/* Synchronize the dirty count */
|
|
|
|
|
pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2020-04-13 22:34:56 +02:00
|
|
|
#endif /* FIPS_MODULE */
|
2020-02-12 14:28:50 +01:00
|
|
|
|
|
|
|
|
keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
|
|
|
|
|
|
|
|
|
|
end:
|
2020-01-14 14:11:47 +01:00
|
|
|
/*
|
|
|
|
|
* If nothing was exported, |tmp_keymgmt| might point at a freed
|
|
|
|
|
* EVP_KEYMGMT, so we clear it to be safe. It shouldn't be useful for
|
|
|
|
|
* the caller either way in that case.
|
|
|
|
|
*/
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-02 18:56:07 +01:00
|
|
|
if (keydata == NULL)
|
2020-01-14 14:11:47 +01:00
|
|
|
tmp_keymgmt = NULL;
|
|
|
|
|
|
|
|
|
|
if (keymgmt != NULL)
|
|
|
|
|
*keymgmt = tmp_keymgmt;
|
|
|
|
|
|
|
|
|
|
EVP_KEYMGMT_free(allocated_keymgmt);
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-02 18:56:07 +01:00
|
|
|
return keydata;
|
2020-01-14 14:11:47 +01:00
|
|
|
}
|
2020-02-20 22:55:41 +01:00
|
|
|
|
2020-04-13 22:34:56 +02:00
|
|
|
#ifndef FIPS_MODULE
|
2020-03-21 06:21:26 +01:00
|
|
|
int evp_pkey_downgrade(EVP_PKEY *pk)
|
2020-02-20 22:55:41 +01:00
|
|
|
{
|
2020-03-21 06:21:26 +01:00
|
|
|
EVP_KEYMGMT *keymgmt = pk->keymgmt;
|
|
|
|
|
void *keydata = pk->keydata;
|
|
|
|
|
int type = pk->save_type;
|
|
|
|
|
const char *keytype = NULL;
|
2020-02-20 22:55:41 +01:00
|
|
|
|
2020-03-21 06:21:26 +01:00
|
|
|
/* If this isn't a provider side key, we're done */
|
|
|
|
|
if (keymgmt == NULL)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
/* Get the key type name for error reporting */
|
|
|
|
|
if (type != EVP_PKEY_NONE)
|
|
|
|
|
keytype = OBJ_nid2sn(type);
|
|
|
|
|
else
|
|
|
|
|
keytype =
|
|
|
|
|
evp_first_name(EVP_KEYMGMT_provider(keymgmt), keymgmt->name_id);
|
2020-02-20 22:55:41 +01:00
|
|
|
|
|
|
|
|
/*
|
2020-03-21 06:21:26 +01:00
|
|
|
* |save_type| was set when any of the EVP_PKEY_set_type functions
|
|
|
|
|
* was called. It was set to EVP_PKEY_NONE if the key type wasn't
|
|
|
|
|
* recognised to be any of the legacy key types, and the downgrade
|
|
|
|
|
* isn't possible.
|
2020-02-20 22:55:41 +01:00
|
|
|
*/
|
2020-03-21 06:21:26 +01:00
|
|
|
if (type == EVP_PKEY_NONE) {
|
|
|
|
|
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_KEY_TYPE,
|
|
|
|
|
"key type = %s, can't downgrade", keytype);
|
|
|
|
|
return 0;
|
2020-02-20 22:55:41 +01:00
|
|
|
}
|
|
|
|
|
|
2020-03-21 06:21:26 +01:00
|
|
|
/*
|
|
|
|
|
* To be able to downgrade, we steal the provider side "origin" keymgmt
|
|
|
|
|
* and keydata. We've already grabbed the pointers, so all we need to
|
|
|
|
|
* do is clear those pointers in |pk| and then call evp_pkey_free_it().
|
|
|
|
|
* That way, we can restore |pk| if we need to.
|
|
|
|
|
*/
|
|
|
|
|
pk->keymgmt = NULL;
|
|
|
|
|
pk->keydata = NULL;
|
|
|
|
|
evp_pkey_free_it(pk);
|
|
|
|
|
if (EVP_PKEY_set_type(pk, type)) {
|
|
|
|
|
/* If the key is typed but empty, we're done */
|
2020-04-11 13:16:22 +02:00
|
|
|
if (keydata == NULL) {
|
|
|
|
|
/* We're dropping the EVP_KEYMGMT */
|
|
|
|
|
EVP_KEYMGMT_free(keymgmt);
|
2020-03-21 06:21:26 +01:00
|
|
|
return 1;
|
2020-04-11 13:16:22 +02:00
|
|
|
}
|
2020-02-20 22:55:41 +01:00
|
|
|
|
2020-03-21 06:21:26 +01:00
|
|
|
if (pk->ameth->import_from == NULL) {
|
|
|
|
|
ERR_raise_data(ERR_LIB_EVP, EVP_R_NO_IMPORT_FUNCTION,
|
|
|
|
|
"key type = %s", keytype);
|
2020-04-10 18:28:24 +01:00
|
|
|
} else {
|
2020-03-21 06:21:26 +01:00
|
|
|
/*
|
2020-04-10 18:28:24 +01:00
|
|
|
* We perform the export in the same libctx as the keymgmt that we
|
|
|
|
|
* are using.
|
2020-03-21 06:21:26 +01:00
|
|
|
*/
|
2020-04-10 18:28:24 +01:00
|
|
|
OPENSSL_CTX *libctx = ossl_provider_library_context(keymgmt->prov);
|
|
|
|
|
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pk, NULL);
|
|
|
|
|
if (pctx == NULL)
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
|
|
|
|
|
|
|
|
|
|
if (pctx != NULL
|
|
|
|
|
&& evp_keymgmt_export(keymgmt, keydata,
|
|
|
|
|
OSSL_KEYMGMT_SELECT_ALL,
|
|
|
|
|
pk->ameth->import_from, pctx)) {
|
|
|
|
|
/*
|
|
|
|
|
* Save the provider side data in the operation cache, so they'll
|
|
|
|
|
* find it again. evp_pkey_free_it() cleared the cache, so it's
|
|
|
|
|
* safe to assume slot zero is free.
|
|
|
|
|
* Note that evp_keymgmt_util_cache_keydata() increments keymgmt's
|
|
|
|
|
* reference count.
|
|
|
|
|
*/
|
|
|
|
|
evp_keymgmt_util_cache_keydata(pk, 0, keymgmt, keydata);
|
|
|
|
|
EVP_PKEY_CTX_free(pctx);
|
|
|
|
|
|
|
|
|
|
/* Synchronize the dirty count */
|
|
|
|
|
pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
|
|
|
|
|
|
|
|
|
|
/* evp_keymgmt_export() increased the refcount... */
|
|
|
|
|
EVP_KEYMGMT_free(keymgmt);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
EVP_PKEY_CTX_free(pctx);
|
2020-02-20 22:55:41 +01:00
|
|
|
}
|
|
|
|
|
|
2020-03-21 06:21:26 +01:00
|
|
|
ERR_raise_data(ERR_LIB_EVP, EVP_R_KEYMGMT_EXPORT_FAILURE,
|
|
|
|
|
"key type = %s", keytype);
|
2020-02-20 22:55:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2020-03-21 06:21:26 +01:00
|
|
|
* Something went wrong. This could for example happen if the keymgmt
|
|
|
|
|
* turns out to be an HSM implementation that refuses to let go of some
|
|
|
|
|
* of the key data, typically the private bits. In this case, we restore
|
|
|
|
|
* the provider side internal "origin" and leave it at that.
|
2020-02-20 22:55:41 +01:00
|
|
|
*/
|
2020-03-21 06:21:26 +01:00
|
|
|
if (!ossl_assert(EVP_PKEY_set_type_by_keymgmt(pk, keymgmt))) {
|
|
|
|
|
/* This should not be impossible */
|
|
|
|
|
ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2020-04-11 13:16:22 +02:00
|
|
|
/* EVP_PKEY_set_type_by_keymgmt() increased the refcount... */
|
|
|
|
|
EVP_KEYMGMT_free(keymgmt);
|
2020-03-21 06:21:26 +01:00
|
|
|
pk->keydata = keydata;
|
|
|
|
|
evp_keymgmt_util_cache_keyinfo(pk);
|
|
|
|
|
return 0; /* No downgrade, but at least the key is restored */
|
2020-02-20 22:55:41 +01:00
|
|
|
}
|
2020-04-13 22:34:56 +02:00
|
|
|
#endif /* FIPS_MODULE */
|
2020-04-01 15:51:18 +10:00
|
|
|
|
|
|
|
|
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
if (pkey == NULL
|
|
|
|
|
|| pkey->keymgmt == NULL
|
|
|
|
|
|| pkey->keydata == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
return evp_keymgmt_gettable_params(pkey->keymgmt);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_bn_param(EVP_PKEY *pkey, const char *key_name, BIGNUM **bn)
|
|
|
|
|
{
|
|
|
|
|
int ret = 0;
|
|
|
|
|
OSSL_PARAM params[2];
|
|
|
|
|
unsigned char buffer[2048];
|
|
|
|
|
unsigned char *buf = NULL;
|
|
|
|
|
size_t buf_sz = 0;
|
|
|
|
|
|
|
|
|
|
if (pkey == NULL
|
|
|
|
|
|| pkey->keymgmt == NULL
|
|
|
|
|
|| pkey->keydata == NULL
|
|
|
|
|
|| key_name == NULL
|
|
|
|
|
|| bn == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
memset(buffer, 0, sizeof(buffer));
|
|
|
|
|
params[0] = OSSL_PARAM_construct_BN(key_name, buffer, sizeof(buffer));
|
|
|
|
|
params[1] = OSSL_PARAM_construct_end();
|
|
|
|
|
if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)) {
|
2020-04-22 14:20:11 +10:00
|
|
|
if (!OSSL_PARAM_modified(params) || params[0].return_size == 0)
|
2020-04-01 15:51:18 +10:00
|
|
|
return 0;
|
|
|
|
|
buf_sz = params[0].return_size;
|
|
|
|
|
/*
|
|
|
|
|
* If it failed because the buffer was too small then allocate the
|
|
|
|
|
* required buffer size and retry.
|
|
|
|
|
*/
|
|
|
|
|
buf = OPENSSL_zalloc(buf_sz);
|
|
|
|
|
if (buf == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
params[0].data = buf;
|
|
|
|
|
params[0].data_size = buf_sz;
|
|
|
|
|
|
|
|
|
|
if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params))
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
/* Fail if the param was not found */
|
2020-04-22 14:20:11 +10:00
|
|
|
if (!OSSL_PARAM_modified(params))
|
2020-04-01 15:51:18 +10:00
|
|
|
goto err;
|
|
|
|
|
ret = OSSL_PARAM_get_BN(params, bn);
|
|
|
|
|
err:
|
|
|
|
|
OPENSSL_free(buf);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_octet_string_param(EVP_PKEY *pkey, const char *key_name,
|
|
|
|
|
unsigned char *buf, size_t max_buf_sz,
|
|
|
|
|
size_t *out_sz)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM params[2];
|
|
|
|
|
|
|
|
|
|
if (pkey == NULL
|
|
|
|
|
|| pkey->keymgmt == NULL
|
|
|
|
|
|| pkey->keydata == NULL
|
|
|
|
|
|| key_name == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
params[0] = OSSL_PARAM_construct_octet_string(key_name, buf, max_buf_sz);
|
|
|
|
|
params[1] = OSSL_PARAM_construct_end();
|
2020-04-22 14:20:11 +10:00
|
|
|
if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)
|
|
|
|
|
|| !OSSL_PARAM_modified(params))
|
2020-04-01 15:51:18 +10:00
|
|
|
return 0;
|
|
|
|
|
if (out_sz != NULL)
|
|
|
|
|
*out_sz = params[0].return_size;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_utf8_string_param(EVP_PKEY *pkey, const char *key_name,
|
|
|
|
|
char *str, size_t max_buf_sz,
|
|
|
|
|
size_t *out_sz)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM params[2];
|
|
|
|
|
|
|
|
|
|
if (pkey == NULL
|
|
|
|
|
|| pkey->keymgmt == NULL
|
|
|
|
|
|| pkey->keydata == NULL
|
|
|
|
|
|| key_name == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
params[0] = OSSL_PARAM_construct_utf8_string(key_name, str, max_buf_sz);
|
|
|
|
|
params[1] = OSSL_PARAM_construct_end();
|
2020-04-22 14:20:11 +10:00
|
|
|
if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)
|
|
|
|
|
|| !OSSL_PARAM_modified(params))
|
2020-04-01 15:51:18 +10:00
|
|
|
return 0;
|
|
|
|
|
if (out_sz != NULL)
|
|
|
|
|
*out_sz = params[0].return_size;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_int_param(EVP_PKEY *pkey, const char *key_name, int *out)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM params[2];
|
|
|
|
|
|
|
|
|
|
if (pkey == NULL
|
|
|
|
|
|| pkey->keymgmt == NULL
|
|
|
|
|
|| pkey->keydata == NULL
|
|
|
|
|
|| key_name == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
params[0] = OSSL_PARAM_construct_int(key_name, out);
|
|
|
|
|
params[1] = OSSL_PARAM_construct_end();
|
2020-04-22 14:20:11 +10:00
|
|
|
if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)
|
|
|
|
|
|| !OSSL_PARAM_modified(params))
|
2020-04-01 15:51:18 +10:00
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int EVP_PKEY_get_size_t_param(EVP_PKEY *pkey, const char *key_name, size_t *out)
|
|
|
|
|
{
|
|
|
|
|
OSSL_PARAM params[2];
|
|
|
|
|
|
|
|
|
|
if (pkey == NULL
|
|
|
|
|
|| pkey->keymgmt == NULL
|
|
|
|
|
|| pkey->keydata == NULL
|
|
|
|
|
|| key_name == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
params[0] = OSSL_PARAM_construct_size_t(key_name, out);
|
|
|
|
|
params[1] = OSSL_PARAM_construct_end();
|
2020-04-22 14:20:11 +10:00
|
|
|
if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params)
|
|
|
|
|
|| !OSSL_PARAM_modified(params))
|
2020-04-01 15:51:18 +10:00
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
