authorTomas Mraz <tomas@openssl.org>2021-04-27 16:01:13 +0200
committerTomas Mraz <tomas@openssl.org>2021-05-13 13:30:07 +0200
commitb4c4a2c68817ea0b2df8012673fa4e0712681704 (patch)
tree0e9ef2698c96e048dda681af0aadc9f7daac384a /providers
parente9fe0f7e9df7e0909ca52a024b889e48616a29d9 (diff)
Implement pem_read_key directly through OSSL_DECODER
Using OSSL_STORE is too heavy and breaks things. Various fixes were also needed, mainly for the missing proper handling of SM2 keys in the OSSL_DECODER. Fixes #14788 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15045)
Diffstat (limited to 'providers')
-rw-r--r--providers/fips-sources.checksums6
-rw-r--r--providers/fips.checksum2
-rw-r--r--providers/implementations/keymgmt/ec_kmgmt.c8
-rw-r--r--providers/implementations/keymgmt/rsa_kmgmt.c4
4 files changed, 6 insertions, 14 deletions
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index 57c66af718..872759e0c7 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -147,7 +147,7 @@ d4969259e4fa5b71d8abbf5e736e658bd1daad6e46d272a9b88e190e2de96b61 crypto/ec/curv
86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c
845a5e6ad6921aed63a18084d6b64a1907e4cb093639153ba32138e0b29ff0e5 crypto/ec/ec_curve.c
8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c
-2103bb62699b1a0ca4e3f75bd1697d856a9afd7f0051d49e433cf69d62d53e2a crypto/ec/ec_key.c
+5485a66d4251bc2f044e4d91f6a6b5068957c3b685237bf96a4b45e9c737420c crypto/ec/ec_key.c
7b34605e017eb81037344538f917c32d3ab85c744a819617e012bab73c27dd68 crypto/ec/ec_kmeth.c
90f070e5a7ea950e6fe88ed81c72161c58a4896efb4608076061e1fe12908908 crypto/ec/ec_lib.c
58aa89c186c9bb6a5075a1d961723fe1fc97c6e290756ae682fe494c4f2435a0 crypto/ec/ec_mult.c
@@ -323,7 +323,7 @@ d447cd774869da68a2cc0bbb19c547ee6ed4858c7aee1f3d5bba7796f97823a9 providers/comm
eec462d685dd3b4764b076a3c18ecd9dd254350a0b78ddc2f8a60587829e1ce3 providers/common/provider_util.c
ce6731be4da709c753bd2c04e88d51d567c955c651e7575bb1410968e6c7620e providers/common/securitycheck.c
50a0e01e877ae818cf874f4515a130db0e869d4e9e8ce882bff1255695aba789 providers/common/securitycheck_fips.c
-5c31ba4eedb31e2509288be50280e0df58faa86fe4b5e99a1167a53fd6f3bd0f providers/fips/fipsprov.c
+ff2d14b053ecad3a2bc42e2b4a54fe2bbb62fd6068d090dde4d68ae0e14a1a1d providers/fips/fipsprov.c
c69e60c29711d55cd5672dab9ff051f3c093d54e63a0ec575baa899e6bbf9c2b providers/fips/self_test.c
fb56f801613642f6b497803890b528a643024e3cdb5bd5dd619a2981afb2f3b0 providers/fips/self_test_kats.c
08b287621158afb67e61e52fc34efbb9f9fe22ee6709c7ed6c937d5feb2b7fd8 providers/implementations/asymciphers/rsa_enc.c
@@ -375,7 +375,7 @@ a5b4ddffa137a52f6a0a0c0c28c618d9bff00af2ec49e51885fc7af116e04869 providers/impl
1a6b7e37229e81eae3981ab2e0b7669eb24aaa6487738c4b44a970da212560b6 providers/implementations/keymgmt/ecx_kmgmt.c
053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c
21b259d6a9eb5e319106012179e04963fb9659ed85af37f5c9c8752ec2385dae providers/implementations/keymgmt/mac_legacy_kmgmt.c
-c48eb00f0de1c28baaa3cf7c0e85d4d2a20592783aa545f8934da487c05a3e87 providers/implementations/keymgmt/rsa_kmgmt.c
+adb3672738af90c3f5829c77abe95af2862b13a7cb1679aac4edc9c704cbdef7 providers/implementations/keymgmt/rsa_kmgmt.c
25d20ceb61cadb495ec890ae2c49c5c1c840b39ac77f20058ee87249cab341ef providers/implementations/macs/cmac_prov.c
f51b074d55028d3e24656da348d21ca79f6680fdb30383d936251f1b3467caab providers/implementations/macs/gmac_prov.c
35505704fda658c0911f95974913c1f2dd75c8f91c5d2ec597c70c52624bdfdf providers/implementations/macs/hmac_prov.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index 83fe30d81c..3054d8e19f 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-3ea8c9568047f0cf5ca79b8de0b7d4daa76044baa6bfe25a22a7bbfe13186f7c providers/fips-sources.checksums
+b3dca5cc989c42b9e46c0e0b1738ff17b51ce825f0b87ae13b8f609a0840978f providers/fips-sources.checksums
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index f563d920c4..2673619ef4 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -1288,14 +1288,8 @@ static void *sm2_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
ret = ec_gen_assign_group(ec, gctx->gen_group);
/* Whether you want it or not, you get a keypair, not just one half */
- if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
- /*
- * For SM2, we need a new flag to indicate the 'generate' function
- * to use a new range
- */
- EC_KEY_set_flags(ec, EC_FLAG_SM2_RANGE);
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
ret = ret && EC_KEY_generate_key(ec);
- }
if (ret)
return ec;
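Review bot: The call to `EC_KEY_generate_key(ec)` in this hunk no longer shows how the SM2-specific private-key range is selected, because the removed block was the only place here that set `EC_FLAG_SM2_RANGE`. Presumably the flag is now applied elsewhere (the checksum for crypto/ec/ec_key.c changes in this commit), but nothing visible in this hunk confirms it. If the flag were not set, this function would still return a key, just one drawn from the generic EC range. I would keep a one-line comment above the call, for example `/* EC_FLAG_SM2_RANGE is expected to be set on ec already for SM2 groups */`, and cover SM2 generation through this provider path with a test that checks the flag on the returned key. sm2_gen begins and ends outside the hunk.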
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index a075c54487..34871629ba 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -122,9 +122,7 @@ static int rsa_has(const void *keydata, int selection)
if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
return 1; /* the selection is not missing */
- if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
- /* This will change with OAEP */
- ok = ok && (RSA_test_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS) != 0);
+ /* OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS are always available even if empty */
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
ok = ok && (RSA_get0_e(rsa) != NULL);
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
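Review bot: After this change `rsa_has()` no longer fails a selection containing `OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS` for keys without `RSA_FLAG_TYPE_RSASSAPSS`; the replacement comment states the new rule but not its consequence. Any caller that used this selection bit to tell a PSS key from a plain RSA key, or to infer that PSS restrictions are present, would now get a positive answer for both. No such caller is visible here, but one would need an explicit key-type or parameter check instead. I would extend the comment to say so, e.g. `/* OTHER_PARAMETERS may be empty; has() must not be used to detect RSASSA-PSS keys */`. rsa_has starts before the hunk and continues after it.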