From 37d398c180cd30f69a9d122af4734852309b55a5 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 3 Aug 2020 21:08:40 +0200 Subject: PROV: Add MSBLOB and PVK to DSA and RSA deserializers Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12574) --- providers/deserializers.inc | 11 + .../implementations/include/prov/implementations.h | 4 + providers/implementations/serializers/build.info | 6 +- .../serializers/deserialize_common.c | 58 ++++- .../serializers/deserialize_ms2key.c | 241 +++++++++++++++++++++ .../implementations/serializers/serializer_local.h | 8 + 6 files changed, 326 insertions(+), 2 deletions(-) create mode 100644 providers/implementations/serializers/deserialize_ms2key.c diff --git a/providers/deserializers.inc b/providers/deserializers.inc index ead1c67878..e11056ee9e 100644 --- a/providers/deserializers.inc +++ b/providers/deserializers.inc @@ -16,6 +16,10 @@ #endif #ifndef OPENSSL_NO_DSA DESER("DSA", "yes", "der", der_to_dsa_deserializer_functions), + DESER("DSA", "yes", "mblob", msblob_to_dsa_deserializer_functions), +# ifndef OPENSSL_NO_RC4 + DESER("DSA", "yes", "pvk", pvk_to_dsa_deserializer_functions), +# endif #endif #ifndef OPENSSL_NO_EC DESER("EC", "yes", "der", der_to_ec_deserializer_functions), @@ -26,5 +30,12 @@ #endif DESER("RSA", "yes", "der", der_to_rsa_deserializer_functions), DESER("RSA-PSS", "yes", "der", der_to_rsapss_deserializer_functions), +#ifndef OPENSSL_NO_DSA + DESER("RSA", "yes", "mblob", msblob_to_rsa_deserializer_functions), +# ifndef OPENSSL_NO_RC4 + DESER("RSA", "yes", "pvk", pvk_to_rsa_deserializer_functions), +# endif +#endif DESER("DER", "yes", "pem", pem_to_der_deserializer_functions), + diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 73d4a0225e..7e470044cd 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -361,6 +361,8 @@ extern const OSSL_DISPATCH ec_param_pem_serializer_functions[]; extern const OSSL_DISPATCH der_to_dh_deserializer_functions[]; extern const OSSL_DISPATCH der_to_dsa_deserializer_functions[]; +extern const OSSL_DISPATCH msblob_to_dsa_deserializer_functions[]; +extern const OSSL_DISPATCH pvk_to_dsa_deserializer_functions[]; extern const OSSL_DISPATCH der_to_ec_deserializer_functions[]; extern const OSSL_DISPATCH der_to_x25519_deserializer_functions[]; extern const OSSL_DISPATCH der_to_x448_deserializer_functions[]; @@ -368,4 +370,6 @@ extern const OSSL_DISPATCH der_to_ed25519_deserializer_functions[]; extern const OSSL_DISPATCH der_to_ed448_deserializer_functions[]; extern const OSSL_DISPATCH der_to_rsa_deserializer_functions[]; extern const OSSL_DISPATCH der_to_rsapss_deserializer_functions[]; +extern const OSSL_DISPATCH msblob_to_rsa_deserializer_functions[]; +extern const OSSL_DISPATCH pvk_to_rsa_deserializer_functions[]; extern const OSSL_DISPATCH pem_to_der_deserializer_functions[]; diff --git a/providers/implementations/serializers/build.info b/providers/implementations/serializers/build.info index d660385163..04f230b334 100644 --- a/providers/implementations/serializers/build.info +++ b/providers/implementations/serializers/build.info @@ -12,7 +12,11 @@ $EC_GOAL=../../libimplementations.a SOURCE[$SERIALIZER_GOAL]=serializer_common.c deserialize_common.c -SOURCE[$RSA_GOAL]=deserialize_der2key.c deserialize_pem2der.c +SOURCE[$DESERIALIZER_GOAL]=deserialize_der2key.c deserialize_pem2der.c +IF[{- !$disabled{dsa} -}] + SOURCE[$DESERIALIZER_GOAL]=deserialize_ms2key.c +ENDIF + SOURCE[$RSA_GOAL]=serializer_rsa.c serializer_rsa_priv.c serializer_rsa_pub.c DEPEND[serializer_rsa.o]=../../common/include/prov/der_rsa.h diff --git a/providers/implementations/serializers/deserialize_common.c b/providers/implementations/serializers/deserialize_common.c index 1a9d3d4a77..54c63347fd 100644 --- a/providers/implementations/serializers/deserialize_common.c +++ b/providers/implementations/serializers/deserialize_common.c @@ -7,11 +7,13 @@ * https://www.openssl.org/source/license.html */ +#include #include #include #include -#include +#include /* For public PEM and PVK functions */ #include +#include "internal/pem.h" /* For internal PVK and "blob" functions */ #include "internal/cryptlib.h" #include "crypto/asn1.h" #include "prov/bio.h" /* ossl_prov_bio_printf() */ @@ -45,6 +47,60 @@ int ossl_prov_read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin, return ok; } +#ifndef OPENSSL_NO_DSA +EVP_PKEY *ossl_prov_read_msblob(PROV_CTX *provctx, OSSL_CORE_BIO *cin, + int *ispub) +{ + BIO *in = bio_new_from_core_bio(provctx, cin); + EVP_PKEY *pkey = ossl_b2i_bio(in, ispub); + + BIO_free(in); + return pkey; +} + +struct pwdata_st { + OSSL_PASSPHRASE_CALLBACK *pw_cb; + void *pw_cbarg; +}; + +pem_password_cb pw_pem_password_to_ossl_passhrase; +int pw_pem_password_to_ossl_passhrase(char *buf, int size, int rwflag, + void *userdata) +{ + struct pwdata_st *data = userdata; + size_t pw_len = 0; + static char prompt_info[] = "pass phrase"; + OSSL_PARAM params[] = { + OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, prompt_info, + sizeof(prompt_info) - 1), + OSSL_PARAM_END + }; + int ok = data->pw_cb(buf, (size_t)size, &pw_len, params, data->pw_cbarg); + + if (ok) + return (int)pw_len; + else + return -1; +} + +# ifndef OPENSSL_NO_RC4 +EVP_PKEY *ossl_prov_read_pvk(PROV_CTX *provctx, OSSL_CORE_BIO *cin, + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) +{ + BIO *in = bio_new_from_core_bio(provctx, cin); + EVP_PKEY *pkey = NULL; + struct pwdata_st pwdata; + + pwdata.pw_cb = pw_cb; + pwdata.pw_cbarg = pw_cbarg; + pkey = b2i_PVK_bio(in, pw_pem_password_to_ossl_passhrase, &pwdata); + + BIO_free(in); + return pkey; +} +# endif +#endif + int ossl_prov_der_from_p8(unsigned char **new_der, long *new_der_len, unsigned char *input_der, long input_der_len, OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) diff --git a/providers/implementations/serializers/deserialize_ms2key.c b/providers/implementations/serializers/deserialize_ms2key.c new file mode 100644 index 0000000000..73d462e41e --- /dev/null +++ b/providers/implementations/serializers/deserialize_ms2key.c @@ -0,0 +1,241 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include +#include +#include +#include +#include +#include "internal/pem.h" /* For PVK and "blob" PEM headers */ +#include "prov/bio.h" +#include "prov/implementations.h" +#include "serializer_local.h" + +static OSSL_FUNC_deserializer_freectx_fn ms2key_freectx; +static OSSL_FUNC_deserializer_gettable_params_fn ms2key_gettable_params; +static OSSL_FUNC_deserializer_get_params_fn msblob2key_get_params; +#ifndef OPENSSL_NO_RC4 +static OSSL_FUNC_deserializer_get_params_fn pvk2key_get_params; +#endif +static OSSL_FUNC_deserializer_deserialize_fn msblob2key_deserialize; +#ifndef OPENSSL_NO_RC4 +static OSSL_FUNC_deserializer_deserialize_fn pvk2key_deserialize; +#endif +static OSSL_FUNC_deserializer_export_object_fn ms2key_export_object; + +typedef void *(extract_key_fn)(EVP_PKEY *); +typedef void (free_key_fn)(void *); +struct keytype_desc_st { + int type; /* EVP key type */ + const char *name; /* Keytype */ + const OSSL_DISPATCH *fns; /* Keymgmt (to pilfer functions from) */ + + /* + * These must be the correct EVP_PKEY_get1_{TYPE}() and {TYPE}_free() + * function for the key. + */ + extract_key_fn *extract_key; + free_key_fn *free_key; +}; + +/* + * Context used for DER to key deserialization. + */ +struct ms2key_ctx_st { + PROV_CTX *provctx; + const struct keytype_desc_st *desc; +}; + +static struct ms2key_ctx_st * +ms2key_newctx(void *provctx, const struct keytype_desc_st *desc) +{ + struct ms2key_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx)); + + if (ctx != NULL) { + ctx->provctx = provctx; + ctx->desc = desc; + } + return ctx; +} + +static void ms2key_freectx(void *vctx) +{ + struct ms2key_ctx_st *ctx = vctx; + + OPENSSL_free(ctx); +} + +static const OSSL_PARAM *ms2key_gettable_params(void) +{ + static const OSSL_PARAM gettables[] = { + { OSSL_DESERIALIZER_PARAM_INPUT_TYPE, OSSL_PARAM_UTF8_PTR, NULL, 0, 0 }, + OSSL_PARAM_END, + }; + + return gettables; +} + +static int msblob2key_get_params(OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_DESERIALIZER_PARAM_INPUT_TYPE); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "MSBLOB")) + return 0; + + return 1; +} + +#ifndef OPENSSL_NO_RC4 +static int pvk2key_get_params(OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_DESERIALIZER_PARAM_INPUT_TYPE); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "PVK")) + return 0; + + return 1; +} +#endif + +static int ms2key_post(struct ms2key_ctx_st *ctx, EVP_PKEY *pkey, + OSSL_CALLBACK *data_cb, void *data_cbarg) +{ + void *key = NULL; + int ok = 0; + + if (pkey != NULL) { + /* + * Tear out the low-level key pointer from the pkey, + * but only if it matches the expected key type. + * + * TODO(3.0): The check should be done with EVP_PKEY_is_a(), but + * as long as we still have #legacy internal keys, it's safer to + * use the type numbers in side the provider. + */ + if (EVP_PKEY_id(pkey) == ctx->desc->type) + key = ctx->desc->extract_key(pkey); + } + + if (key != NULL) { + OSSL_PARAM params[3]; + + params[0] = + OSSL_PARAM_construct_utf8_string(OSSL_DESERIALIZER_PARAM_DATA_TYPE, + (char *)ctx->desc->name, 0); + /* The address of the key becomes the octet string */ + params[1] = + OSSL_PARAM_construct_octet_string(OSSL_DESERIALIZER_PARAM_REFERENCE, + &key, sizeof(key)); + params[2] = OSSL_PARAM_construct_end(); + + ok = data_cb(params, data_cbarg); + } + ctx->desc->free_key(key); + + return ok; +} + +static int msblob2key_deserialize(void *vctx, OSSL_CORE_BIO *cin, + OSSL_CALLBACK *data_cb, void *data_cbarg, + OSSL_PASSPHRASE_CALLBACK *pw_cb, + void *pw_cbarg) +{ + struct ms2key_ctx_st *ctx = vctx; + int ispub = -1; + EVP_PKEY *pkey = ossl_prov_read_msblob(ctx->provctx, cin, &ispub); + int ok = ms2key_post(ctx, pkey, data_cb, data_cbarg); + + EVP_PKEY_free(pkey); + return ok; +} + +#ifndef OPENSSL_NO_RC4 +static int pvk2key_deserialize(void *vctx, OSSL_CORE_BIO *cin, + OSSL_CALLBACK *data_cb, void *data_cbarg, + OSSL_PASSPHRASE_CALLBACK *pw_cb, + void *pw_cbarg) +{ + struct ms2key_ctx_st *ctx = vctx; + EVP_PKEY *pkey = ossl_prov_read_pvk(ctx->provctx, cin, pw_cb, pw_cbarg); + int ok = ms2key_post(ctx, pkey, data_cb, data_cbarg); + + EVP_PKEY_free(pkey); + return ok; +} +#endif + +static int ms2key_export_object(void *vctx, + const void *reference, size_t reference_sz, + OSSL_CALLBACK *export_cb, void *export_cbarg) +{ + struct ms2key_ctx_st *ctx = vctx; + OSSL_FUNC_keymgmt_export_fn *export = + ossl_prov_get_keymgmt_export(ctx->desc->fns); + void *keydata; + + if (reference_sz == sizeof(keydata) && export != NULL) { + /* The contents of the reference is the address to our object */ + keydata = *(void **)reference; + + return export(keydata, OSSL_KEYMGMT_SELECT_ALL, + export_cb, export_cbarg); + } + return 0; +} + +#define IMPLEMENT_TYPE(KEYTYPEstr, KEYTYPE, keytype, extract, free) \ + static const struct keytype_desc_st keytype##_desc; \ + static OSSL_FUNC_deserializer_newctx_fn ms2##keytype##_newctx; \ + static void *ms2##keytype##_newctx(void *provctx) \ + { \ + return ms2key_newctx(provctx, &keytype##_desc); \ + } \ + static const struct keytype_desc_st keytype##_desc = \ + { EVP_PKEY_##KEYTYPE, KEYTYPEstr, keytype##_keymgmt_functions, \ + (extract_key_fn *)extract, \ + (free_key_fn *)free } + +#define IMPLEMENT_MS(mstype, keytype) \ + const OSSL_DISPATCH \ + mstype##_to_##keytype##_deserializer_functions[] = { \ + { OSSL_FUNC_DESERIALIZER_NEWCTX, \ + (void (*)(void))ms2##keytype##_newctx }, \ + { OSSL_FUNC_DESERIALIZER_FREECTX, \ + (void (*)(void))ms2key_freectx }, \ + { OSSL_FUNC_DESERIALIZER_GETTABLE_PARAMS, \ + (void (*)(void))ms2key_gettable_params }, \ + { OSSL_FUNC_DESERIALIZER_GET_PARAMS, \ + (void (*)(void))mstype##2key_get_params }, \ + { OSSL_FUNC_DESERIALIZER_DESERIALIZE, \ + (void (*)(void))mstype##2key_deserialize }, \ + { OSSL_FUNC_DESERIALIZER_EXPORT_OBJECT, \ + (void (*)(void))ms2key_export_object }, \ + { 0, NULL } \ + } + +#ifndef OPENSSL_NO_DSA +IMPLEMENT_TYPE("DSA", DSA, dsa, EVP_PKEY_get1_DSA, DSA_free); +IMPLEMENT_MS(msblob, dsa); +# ifndef OPENSSL_NO_RC4 +IMPLEMENT_MS(pvk, dsa); +# endif +#endif +IMPLEMENT_TYPE("RSA", RSA, rsa, EVP_PKEY_get1_RSA, RSA_free); +IMPLEMENT_MS(msblob, rsa); +#ifndef OPENSSL_NO_RC4 +IMPLEMENT_MS(pvk, rsa); +#endif diff --git a/providers/implementations/serializers/serializer_local.h b/providers/implementations/serializers/serializer_local.h index d1359f7f4d..49ec8882c6 100644 --- a/providers/implementations/serializers/serializer_local.h +++ b/providers/implementations/serializers/serializer_local.h @@ -167,6 +167,14 @@ int ossl_prov_read_der(PROV_CTX *provctx, OSSL_CORE_BIO *cin, int ossl_prov_read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin, char **pem_name, char **pem_header, unsigned char **data, long *len); +#ifndef OPENSSL_NO_DSA +EVP_PKEY *ossl_prov_read_msblob(PROV_CTX *provctx, OSSL_CORE_BIO *cin, + int *ispub); +# ifndef OPENSSL_NO_RC4 +EVP_PKEY *ossl_prov_read_pvk(PROV_CTX *provctx, OSSL_CORE_BIO *cin, + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg); +# endif +#endif int ossl_prov_der_from_p8(unsigned char **new_der, long *new_der_len, unsigned char *input_der, long input_der_len, -- cgit v1.2.3