diff options
| author | Richard Levitte <levitte@openssl.org> | 2021-05-27 12:34:03 +0200 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2021-06-09 17:00:10 +0200 |
| commit | 6a2b8ff392a304bbb106528653397b864acc53fa (patch) | |
| tree | 75bd836ad9cec6eec65f270fd4db4b893f73b939 /crypto | |
| parent | 320fc032b98cc452c5dc96600b16da40b155123b (diff) | |
Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.
The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/asn1/d2i_pr.c | 2 | ||||
| -rw-r--r-- | crypto/asn1/i2d_evp.c | 2 | ||||
| -rw-r--r-- | crypto/evp/evp_pkey.c | 6 | ||||
| -rw-r--r-- | crypto/pem/pem_local.h | 2 | ||||
| -rw-r--r-- | crypto/pem/pem_pk8.c | 2 |
5 files changed, 7 insertions, 7 deletions
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 3b28460d4b..720b7fd6c0 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -32,7 +32,7 @@ d2i_PrivateKey_decoder(int keytype, EVP_PKEY **a, const unsigned char **pp, EVP_PKEY *pkey = NULL, *bak_a = NULL; EVP_PKEY **ppkey = &pkey; const char *key_name = NULL; - const char *input_structures[] = { "type-specific", "pkcs8", NULL }; + const char *input_structures[] = { "type-specific", "PrivateKeyInfo", NULL }; int i, ret; if (keytype != EVP_PKEY_NONE) { diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c index e1d5b7c7c4..8b36388263 100644 --- a/crypto/asn1/i2d_evp.c +++ b/crypto/asn1/i2d_evp.c @@ -97,7 +97,7 @@ int i2d_PrivateKey(const EVP_PKEY *a, unsigned char **pp) if (evp_pkey_is_provided(a)) { static const struct type_and_structure_st output_info[] = { { "DER", "type-specific" }, - { "DER", "pkcs8" }, + { "DER", "PrivateKeyInfo" }, { NULL, } }; diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 420b69399a..683f4bec54 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -79,8 +79,8 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, p8_data = encoded_data; len = encoded_len; - dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", "pkcs8", EVP_PKEY_NONE, - 0, libctx, propq); + dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", "PrivateKeyInfo", + EVP_PKEY_NONE, 0, libctx, propq); if (dctx == NULL || !OSSL_DECODER_from_data(dctx, &p8_data, &len)) /* try legacy */ @@ -115,7 +115,7 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey) const unsigned char *pp; if ((ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, - "DER", "pkcs8", + "DER", "PrivateKeyInfo", NULL)) == NULL || !OSSL_ENCODER_to_data(ctx, &der, &derlen)) goto error; diff --git a/crypto/pem/pem_local.h b/crypto/pem/pem_local.h index a84ca80be1..5cc1c76fdb 100644 --- a/crypto/pem/pem_local.h +++ b/crypto/pem/pem_local.h @@ -31,7 +31,7 @@ * Properties, named according to the ASN.1 names used throughout libcrypto. */ # define PEM_STRUCTURE_PUBKEY "SubjectPublicKeyInfo" -# define PEM_STRUCTURE_PrivateKey "pkcs8" +# define PEM_STRUCTURE_PrivateKey "PrivateKeyInfo" # define PEM_STRUCTURE_Parameters "type-specific" # define PEM_STRUCTURE_RSAPrivateKey "type-specific" diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c index ab86448db9..4742f02fef 100644 --- a/crypto/pem/pem_pk8.c +++ b/crypto/pem/pem_pk8.c @@ -74,7 +74,7 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, const char *outtype = isder ? "DER" : "PEM"; OSSL_ENCODER_CTX *ctx = OSSL_ENCODER_CTX_new_for_pkey(x, OSSL_KEYMGMT_SELECT_ALL, - outtype, "pkcs8", propq); + outtype, "PrivateKeyInfo", propq); if (ctx == NULL) return 0; |