1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/evp.h>
58
59 #include <string.h>
60
61 #include <openssl/bytestring.h>
62 #include <openssl/dsa.h>
63 #include <openssl/ec_key.h>
64 #include <openssl/err.h>
65 #include <openssl/rsa.h>
66
67 #include "internal.h"
68 #include "../bytestring/internal.h"
69 #include "../internal.h"
70
71
72 static const EVP_PKEY_ASN1_METHOD *const kASN1Methods[] = {
73 &rsa_asn1_meth,
74 &ec_asn1_meth,
75 &dsa_asn1_meth,
76 &ed25519_asn1_meth,
77 &x25519_asn1_meth,
78 };
79
parse_key_type(CBS * cbs,int * out_type)80 static int parse_key_type(CBS *cbs, int *out_type) {
81 CBS oid;
82 if (!CBS_get_asn1(cbs, &oid, CBS_ASN1_OBJECT)) {
83 return 0;
84 }
85
86 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kASN1Methods); i++) {
87 const EVP_PKEY_ASN1_METHOD *method = kASN1Methods[i];
88 if (CBS_len(&oid) == method->oid_len &&
89 OPENSSL_memcmp(CBS_data(&oid), method->oid, method->oid_len) == 0) {
90 *out_type = method->pkey_id;
91 return 1;
92 }
93 }
94
95 return 0;
96 }
97
EVP_parse_public_key(CBS * cbs)98 EVP_PKEY *EVP_parse_public_key(CBS *cbs) {
99 // Parse the SubjectPublicKeyInfo.
100 CBS spki, algorithm, key;
101 int type;
102 uint8_t padding;
103 if (!CBS_get_asn1(cbs, &spki, CBS_ASN1_SEQUENCE) ||
104 !CBS_get_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
105 !CBS_get_asn1(&spki, &key, CBS_ASN1_BITSTRING) ||
106 CBS_len(&spki) != 0) {
107 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
108 return NULL;
109 }
110 if (!parse_key_type(&algorithm, &type)) {
111 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
112 return NULL;
113 }
114 if (// Every key type defined encodes the key as a byte string with the same
115 // conversion to BIT STRING.
116 !CBS_get_u8(&key, &padding) ||
117 padding != 0) {
118 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
119 return NULL;
120 }
121
122 // Set up an |EVP_PKEY| of the appropriate type.
123 EVP_PKEY *ret = EVP_PKEY_new();
124 if (ret == NULL ||
125 !EVP_PKEY_set_type(ret, type)) {
126 goto err;
127 }
128
129 // Call into the type-specific SPKI decoding function.
130 if (ret->ameth->pub_decode == NULL) {
131 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
132 goto err;
133 }
134 if (!ret->ameth->pub_decode(ret, &algorithm, &key)) {
135 goto err;
136 }
137
138 return ret;
139
140 err:
141 EVP_PKEY_free(ret);
142 return NULL;
143 }
144
EVP_marshal_public_key(CBB * cbb,const EVP_PKEY * key)145 int EVP_marshal_public_key(CBB *cbb, const EVP_PKEY *key) {
146 if (key->ameth == NULL || key->ameth->pub_encode == NULL) {
147 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
148 return 0;
149 }
150
151 return key->ameth->pub_encode(cbb, key);
152 }
153
EVP_parse_private_key(CBS * cbs)154 EVP_PKEY *EVP_parse_private_key(CBS *cbs) {
155 // Parse the PrivateKeyInfo.
156 CBS pkcs8, algorithm, key;
157 uint64_t version;
158 int type;
159 if (!CBS_get_asn1(cbs, &pkcs8, CBS_ASN1_SEQUENCE) ||
160 !CBS_get_asn1_uint64(&pkcs8, &version) ||
161 version != 0 ||
162 !CBS_get_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||
163 !CBS_get_asn1(&pkcs8, &key, CBS_ASN1_OCTETSTRING)) {
164 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
165 return NULL;
166 }
167 if (!parse_key_type(&algorithm, &type)) {
168 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
169 return NULL;
170 }
171
172 // A PrivateKeyInfo ends with a SET of Attributes which we ignore.
173
174 // Set up an |EVP_PKEY| of the appropriate type.
175 EVP_PKEY *ret = EVP_PKEY_new();
176 if (ret == NULL ||
177 !EVP_PKEY_set_type(ret, type)) {
178 goto err;
179 }
180
181 // Call into the type-specific PrivateKeyInfo decoding function.
182 if (ret->ameth->priv_decode == NULL) {
183 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
184 goto err;
185 }
186 if (!ret->ameth->priv_decode(ret, &algorithm, &key)) {
187 goto err;
188 }
189
190 return ret;
191
192 err:
193 EVP_PKEY_free(ret);
194 return NULL;
195 }
196
EVP_marshal_private_key(CBB * cbb,const EVP_PKEY * key)197 int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key) {
198 if (key->ameth == NULL || key->ameth->priv_encode == NULL) {
199 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
200 return 0;
201 }
202
203 return key->ameth->priv_encode(cbb, key);
204 }
205
old_priv_decode(CBS * cbs,int type)206 static EVP_PKEY *old_priv_decode(CBS *cbs, int type) {
207 EVP_PKEY *ret = EVP_PKEY_new();
208 if (ret == NULL) {
209 return NULL;
210 }
211
212 switch (type) {
213 case EVP_PKEY_EC: {
214 EC_KEY *ec_key = EC_KEY_parse_private_key(cbs, NULL);
215 if (ec_key == NULL || !EVP_PKEY_assign_EC_KEY(ret, ec_key)) {
216 EC_KEY_free(ec_key);
217 goto err;
218 }
219 return ret;
220 }
221 case EVP_PKEY_DSA: {
222 DSA *dsa = DSA_parse_private_key(cbs);
223 if (dsa == NULL || !EVP_PKEY_assign_DSA(ret, dsa)) {
224 DSA_free(dsa);
225 goto err;
226 }
227 return ret;
228 }
229 case EVP_PKEY_RSA: {
230 RSA *rsa = RSA_parse_private_key(cbs);
231 if (rsa == NULL || !EVP_PKEY_assign_RSA(ret, rsa)) {
232 RSA_free(rsa);
233 goto err;
234 }
235 return ret;
236 }
237 default:
238 OPENSSL_PUT_ERROR(EVP, EVP_R_UNKNOWN_PUBLIC_KEY_TYPE);
239 goto err;
240 }
241
242 err:
243 EVP_PKEY_free(ret);
244 return NULL;
245 }
246
d2i_PrivateKey(int type,EVP_PKEY ** out,const uint8_t ** inp,long len)247 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp,
248 long len) {
249 if (len < 0) {
250 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
251 return NULL;
252 }
253
254 // Parse with the legacy format.
255 CBS cbs;
256 CBS_init(&cbs, *inp, (size_t)len);
257 EVP_PKEY *ret = old_priv_decode(&cbs, type);
258 if (ret == NULL) {
259 // Try again with PKCS#8.
260 ERR_clear_error();
261 CBS_init(&cbs, *inp, (size_t)len);
262 ret = EVP_parse_private_key(&cbs);
263 if (ret == NULL) {
264 return NULL;
265 }
266 if (ret->type != type) {
267 OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES);
268 EVP_PKEY_free(ret);
269 return NULL;
270 }
271 }
272
273 if (out != NULL) {
274 EVP_PKEY_free(*out);
275 *out = ret;
276 }
277 *inp = CBS_data(&cbs);
278 return ret;
279 }
280
281 // num_elements parses one SEQUENCE from |in| and returns the number of elements
282 // in it. On parse error, it returns zero.
num_elements(const uint8_t * in,size_t in_len)283 static size_t num_elements(const uint8_t *in, size_t in_len) {
284 CBS cbs, sequence;
285 CBS_init(&cbs, in, (size_t)in_len);
286
287 if (!CBS_get_asn1(&cbs, &sequence, CBS_ASN1_SEQUENCE)) {
288 return 0;
289 }
290
291 size_t count = 0;
292 while (CBS_len(&sequence) > 0) {
293 if (!CBS_get_any_asn1_element(&sequence, NULL, NULL, NULL)) {
294 return 0;
295 }
296
297 count++;
298 }
299
300 return count;
301 }
302
d2i_AutoPrivateKey(EVP_PKEY ** out,const uint8_t ** inp,long len)303 EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, long len) {
304 if (len < 0) {
305 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
306 return NULL;
307 }
308
309 // Parse the input as a PKCS#8 PrivateKeyInfo.
310 CBS cbs;
311 CBS_init(&cbs, *inp, (size_t)len);
312 EVP_PKEY *ret = EVP_parse_private_key(&cbs);
313 if (ret != NULL) {
314 if (out != NULL) {
315 EVP_PKEY_free(*out);
316 *out = ret;
317 }
318 *inp = CBS_data(&cbs);
319 return ret;
320 }
321 ERR_clear_error();
322
323 // Count the elements to determine the legacy key format.
324 switch (num_elements(*inp, (size_t)len)) {
325 case 4:
326 return d2i_PrivateKey(EVP_PKEY_EC, out, inp, len);
327
328 case 6:
329 return d2i_PrivateKey(EVP_PKEY_DSA, out, inp, len);
330
331 default:
332 return d2i_PrivateKey(EVP_PKEY_RSA, out, inp, len);
333 }
334 }
335
i2d_PublicKey(const EVP_PKEY * key,uint8_t ** outp)336 int i2d_PublicKey(const EVP_PKEY *key, uint8_t **outp) {
337 switch (key->type) {
338 case EVP_PKEY_RSA:
339 return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(key), outp);
340 case EVP_PKEY_DSA:
341 return i2d_DSAPublicKey(EVP_PKEY_get0_DSA(key), outp);
342 case EVP_PKEY_EC:
343 return i2o_ECPublicKey(EVP_PKEY_get0_EC_KEY(key), outp);
344 default:
345 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
346 return -1;
347 }
348 }
349
d2i_PublicKey(int type,EVP_PKEY ** out,const uint8_t ** inp,long len)350 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out, const uint8_t **inp,
351 long len) {
352 EVP_PKEY *ret = EVP_PKEY_new();
353 if (ret == NULL) {
354 return NULL;
355 }
356
357 CBS cbs;
358 CBS_init(&cbs, *inp, len < 0 ? 0 : (size_t)len);
359 switch (type) {
360 case EVP_PKEY_RSA: {
361 RSA *rsa = RSA_parse_public_key(&cbs);
362 if (rsa == NULL || !EVP_PKEY_assign_RSA(ret, rsa)) {
363 RSA_free(rsa);
364 goto err;
365 }
366 break;
367 }
368
369 // Unlike OpenSSL, we do not support EC keys with this API. The raw EC
370 // public key serialization requires knowing the group. In OpenSSL, calling
371 // this function with |EVP_PKEY_EC| and setting |out| to NULL does not work.
372 // It requires |*out| to include a partially-initialized |EVP_PKEY| to
373 // extract the group.
374 default:
375 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
376 goto err;
377 }
378
379 *inp = CBS_data(&cbs);
380 if (out != NULL) {
381 EVP_PKEY_free(*out);
382 *out = ret;
383 }
384 return ret;
385
386 err:
387 EVP_PKEY_free(ret);
388 return NULL;
389 }
390
d2i_PUBKEY(EVP_PKEY ** out,const uint8_t ** inp,long len)391 EVP_PKEY *d2i_PUBKEY(EVP_PKEY **out, const uint8_t **inp, long len) {
392 if (len < 0) {
393 return NULL;
394 }
395 CBS cbs;
396 CBS_init(&cbs, *inp, (size_t)len);
397 EVP_PKEY *ret = EVP_parse_public_key(&cbs);
398 if (ret == NULL) {
399 return NULL;
400 }
401 if (out != NULL) {
402 EVP_PKEY_free(*out);
403 *out = ret;
404 }
405 *inp = CBS_data(&cbs);
406 return ret;
407 }
408
i2d_PUBKEY(const EVP_PKEY * pkey,uint8_t ** outp)409 int i2d_PUBKEY(const EVP_PKEY *pkey, uint8_t **outp) {
410 if (pkey == NULL) {
411 return 0;
412 }
413
414 CBB cbb;
415 if (!CBB_init(&cbb, 128) ||
416 !EVP_marshal_public_key(&cbb, pkey)) {
417 CBB_cleanup(&cbb);
418 return -1;
419 }
420 return CBB_finish_i2d(&cbb, outp);
421 }
422
d2i_RSA_PUBKEY(RSA ** out,const uint8_t ** inp,long len)423 RSA *d2i_RSA_PUBKEY(RSA **out, const uint8_t **inp, long len) {
424 if (len < 0) {
425 return NULL;
426 }
427 CBS cbs;
428 CBS_init(&cbs, *inp, (size_t)len);
429 EVP_PKEY *pkey = EVP_parse_public_key(&cbs);
430 if (pkey == NULL) {
431 return NULL;
432 }
433 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
434 EVP_PKEY_free(pkey);
435 if (rsa == NULL) {
436 return NULL;
437 }
438 if (out != NULL) {
439 RSA_free(*out);
440 *out = rsa;
441 }
442 *inp = CBS_data(&cbs);
443 return rsa;
444 }
445
i2d_RSA_PUBKEY(const RSA * rsa,uint8_t ** outp)446 int i2d_RSA_PUBKEY(const RSA *rsa, uint8_t **outp) {
447 if (rsa == NULL) {
448 return 0;
449 }
450
451 int ret = -1;
452 EVP_PKEY *pkey = EVP_PKEY_new();
453 if (pkey == NULL ||
454 !EVP_PKEY_set1_RSA(pkey, (RSA *)rsa)) {
455 goto err;
456 }
457
458 ret = i2d_PUBKEY(pkey, outp);
459
460 err:
461 EVP_PKEY_free(pkey);
462 return ret;
463 }
464
d2i_DSA_PUBKEY(DSA ** out,const uint8_t ** inp,long len)465 DSA *d2i_DSA_PUBKEY(DSA **out, const uint8_t **inp, long len) {
466 if (len < 0) {
467 return NULL;
468 }
469 CBS cbs;
470 CBS_init(&cbs, *inp, (size_t)len);
471 EVP_PKEY *pkey = EVP_parse_public_key(&cbs);
472 if (pkey == NULL) {
473 return NULL;
474 }
475 DSA *dsa = EVP_PKEY_get1_DSA(pkey);
476 EVP_PKEY_free(pkey);
477 if (dsa == NULL) {
478 return NULL;
479 }
480 if (out != NULL) {
481 DSA_free(*out);
482 *out = dsa;
483 }
484 *inp = CBS_data(&cbs);
485 return dsa;
486 }
487
i2d_DSA_PUBKEY(const DSA * dsa,uint8_t ** outp)488 int i2d_DSA_PUBKEY(const DSA *dsa, uint8_t **outp) {
489 if (dsa == NULL) {
490 return 0;
491 }
492
493 int ret = -1;
494 EVP_PKEY *pkey = EVP_PKEY_new();
495 if (pkey == NULL ||
496 !EVP_PKEY_set1_DSA(pkey, (DSA *)dsa)) {
497 goto err;
498 }
499
500 ret = i2d_PUBKEY(pkey, outp);
501
502 err:
503 EVP_PKEY_free(pkey);
504 return ret;
505 }
506
d2i_EC_PUBKEY(EC_KEY ** out,const uint8_t ** inp,long len)507 EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp, long len) {
508 if (len < 0) {
509 return NULL;
510 }
511 CBS cbs;
512 CBS_init(&cbs, *inp, (size_t)len);
513 EVP_PKEY *pkey = EVP_parse_public_key(&cbs);
514 if (pkey == NULL) {
515 return NULL;
516 }
517 EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pkey);
518 EVP_PKEY_free(pkey);
519 if (ec_key == NULL) {
520 return NULL;
521 }
522 if (out != NULL) {
523 EC_KEY_free(*out);
524 *out = ec_key;
525 }
526 *inp = CBS_data(&cbs);
527 return ec_key;
528 }
529
i2d_EC_PUBKEY(const EC_KEY * ec_key,uint8_t ** outp)530 int i2d_EC_PUBKEY(const EC_KEY *ec_key, uint8_t **outp) {
531 if (ec_key == NULL) {
532 return 0;
533 }
534
535 int ret = -1;
536 EVP_PKEY *pkey = EVP_PKEY_new();
537 if (pkey == NULL ||
538 !EVP_PKEY_set1_EC_KEY(pkey, (EC_KEY *)ec_key)) {
539 goto err;
540 }
541
542 ret = i2d_PUBKEY(pkey, outp);
543
544 err:
545 EVP_PKEY_free(pkey);
546 return ret;
547 }
548