1 /* 2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #ifndef OPENSSL_HEADER_PEM_H 11 #define OPENSSL_HEADER_PEM_H 12 13 #include <openssl/base64.h> 14 #include <openssl/bio.h> 15 #include <openssl/cipher.h> 16 #include <openssl/digest.h> 17 #include <openssl/evp.h> 18 #include <openssl/pkcs7.h> 19 #include <openssl/stack.h> 20 #include <openssl/x509.h> 21 22 // For compatibility with open-iscsi, which assumes that it can get 23 // |OPENSSL_malloc| from pem.h or err.h 24 #include <openssl/crypto.h> 25 26 #ifdef __cplusplus 27 extern "C" { 28 #endif 29 30 31 #define PEM_BUFSIZE 1024 32 33 #define PEM_STRING_X509_OLD "X509 CERTIFICATE" 34 #define PEM_STRING_X509 "CERTIFICATE" 35 #define PEM_STRING_X509_PAIR "CERTIFICATE PAIR" 36 #define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE" 37 #define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST" 38 #define PEM_STRING_X509_REQ "CERTIFICATE REQUEST" 39 #define PEM_STRING_X509_CRL "X509 CRL" 40 #define PEM_STRING_EVP_PKEY "ANY PRIVATE KEY" 41 #define PEM_STRING_PUBLIC "PUBLIC KEY" 42 #define PEM_STRING_RSA "RSA PRIVATE KEY" 43 #define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY" 44 #define PEM_STRING_DSA "DSA PRIVATE KEY" 45 #define PEM_STRING_DSA_PUBLIC "DSA PUBLIC KEY" 46 #define PEM_STRING_EC "EC PRIVATE KEY" 47 #define PEM_STRING_PKCS7 "PKCS7" 48 #define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA" 49 #define PEM_STRING_PKCS8 "ENCRYPTED PRIVATE KEY" 50 #define PEM_STRING_PKCS8INF "PRIVATE KEY" 51 #define PEM_STRING_DHPARAMS "DH PARAMETERS" 52 #define PEM_STRING_SSL_SESSION "SSL SESSION PARAMETERS" 53 #define PEM_STRING_DSAPARAMS "DSA PARAMETERS" 54 #define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY" 55 #define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY" 56 #define PEM_STRING_CMS "CMS" 57 58 // enc_type is one off 59 #define PEM_TYPE_ENCRYPTED 10 60 #define PEM_TYPE_MIC_ONLY 20 61 #define PEM_TYPE_MIC_CLEAR 30 62 #define PEM_TYPE_CLEAR 40 63 64 // These macros make the PEM_read/PEM_write functions easier to maintain and 65 // write. Now they are all implemented with either: 66 // IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...) 67 68 69 #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) \ 70 static void *pem_read_##name##_d2i(void **x, const unsigned char **inp, \ 71 long len) { \ 72 return d2i_##asn1((type **)x, inp, len); \ 73 } \ 74 OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, \ 75 pem_password_cb *cb, void *u) { \ 76 return (type *)PEM_ASN1_read(pem_read_##name##_d2i, str, fp, (void **)x, \ 77 cb, u); \ 78 } 79 80 #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) \ 81 static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ 82 return i2d_##asn1((type *)x, outp); \ 83 } \ 84 OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x) { \ 85 return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, NULL, NULL, 0, \ 86 NULL, NULL); \ 87 } 88 89 #define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) \ 90 static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ 91 return i2d_##asn1((const type *)x, outp); \ 92 } \ 93 OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x) { \ 94 return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, (void *)x, NULL, \ 95 NULL, 0, NULL, NULL); \ 96 } 97 98 #define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) \ 99 static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ 100 return i2d_##asn1((type *)x, outp); \ 101 } \ 102 OPENSSL_EXPORT int PEM_write_##name( \ 103 FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ 104 int pass_len, pem_password_cb *cb, void *u) { \ 105 return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, pass, \ 106 pass_len, cb, u); \ 107 } 108 109 #define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) \ 110 static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ 111 return i2d_##asn1((const type *)x, outp); \ 112 } \ 113 OPENSSL_EXPORT int PEM_write_##name( \ 114 FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ 115 int pass_len, pem_password_cb *cb, void *u) { \ 116 return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, pass, \ 117 pass_len, cb, u); \ 118 } 119 120 121 #define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \ 122 static void *pem_read_bio_##name##_d2i(void **x, const unsigned char **inp, \ 123 long len) { \ 124 return d2i_##asn1((type **)x, inp, len); \ 125 } \ 126 OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \ 127 pem_password_cb *cb, void *u) { \ 128 return (type *)PEM_ASN1_read_bio(pem_read_bio_##name##_d2i, str, bp, \ 129 (void **)x, cb, u); \ 130 } 131 132 #define IMPLEMENT_PEM_write_bio(name, type, str, asn1) \ 133 static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \ 134 return i2d_##asn1((type *)x, outp); \ 135 } \ 136 OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x) { \ 137 return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, x, NULL, \ 138 NULL, 0, NULL, NULL); \ 139 } 140 141 #define IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \ 142 static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \ 143 return i2d_##asn1((const type *)x, outp); \ 144 } \ 145 OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x) { \ 146 return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, (void *)x, \ 147 NULL, NULL, 0, NULL, NULL); \ 148 } 149 150 #define IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \ 151 static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \ 152 return i2d_##asn1((type *)x, outp); \ 153 } \ 154 OPENSSL_EXPORT int PEM_write_bio_##name( \ 155 BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ 156 int pass_len, pem_password_cb *cb, void *u) { \ 157 return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, x, enc, \ 158 pass, pass_len, cb, u); \ 159 } 160 161 #define IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \ 162 static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \ 163 return i2d_##asn1((const type *)x, outp); \ 164 } \ 165 OPENSSL_EXPORT int PEM_write_bio_##name( \ 166 BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ 167 int pass_len, pem_password_cb *cb, void *u) { \ 168 return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, (void *)x, \ 169 enc, pass, pass_len, cb, u); \ 170 } 171 172 #define IMPLEMENT_PEM_write(name, type, str, asn1) \ 173 IMPLEMENT_PEM_write_bio(name, type, str, asn1) \ 174 IMPLEMENT_PEM_write_fp(name, type, str, asn1) 175 176 #define IMPLEMENT_PEM_write_const(name, type, str, asn1) \ 177 IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \ 178 IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) 179 180 #define IMPLEMENT_PEM_write_cb(name, type, str, asn1) \ 181 IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \ 182 IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) 183 184 #define IMPLEMENT_PEM_write_cb_const(name, type, str, asn1) \ 185 IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \ 186 IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) 187 188 #define IMPLEMENT_PEM_read(name, type, str, asn1) \ 189 IMPLEMENT_PEM_read_bio(name, type, str, asn1) \ 190 IMPLEMENT_PEM_read_fp(name, type, str, asn1) 191 192 #define IMPLEMENT_PEM_rw(name, type, str, asn1) \ 193 IMPLEMENT_PEM_read(name, type, str, asn1) \ 194 IMPLEMENT_PEM_write(name, type, str, asn1) 195 196 #define IMPLEMENT_PEM_rw_const(name, type, str, asn1) \ 197 IMPLEMENT_PEM_read(name, type, str, asn1) \ 198 IMPLEMENT_PEM_write_const(name, type, str, asn1) 199 200 #define IMPLEMENT_PEM_rw_cb(name, type, str, asn1) \ 201 IMPLEMENT_PEM_read(name, type, str, asn1) \ 202 IMPLEMENT_PEM_write_cb(name, type, str, asn1) 203 204 // These are the same except they are for the declarations 205 206 #define DECLARE_PEM_read_fp(name, type) \ 207 OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, \ 208 pem_password_cb *cb, void *u); 209 210 #define DECLARE_PEM_write_fp(name, type) \ 211 OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x); 212 213 #define DECLARE_PEM_write_fp_const(name, type) \ 214 OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x); 215 216 #define DECLARE_PEM_write_cb_fp(name, type) \ 217 OPENSSL_EXPORT int PEM_write_##name( \ 218 FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ 219 int pass_len, pem_password_cb *cb, void *u); 220 221 #define DECLARE_PEM_read_bio(name, type) \ 222 OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \ 223 pem_password_cb *cb, void *u); 224 225 #define DECLARE_PEM_write_bio(name, type) \ 226 OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x); 227 228 #define DECLARE_PEM_write_bio_const(name, type) \ 229 OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x); 230 231 #define DECLARE_PEM_write_cb_bio(name, type) \ 232 OPENSSL_EXPORT int PEM_write_bio_##name( \ 233 BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ 234 int pass_len, pem_password_cb *cb, void *u); 235 236 237 #define DECLARE_PEM_write(name, type) \ 238 DECLARE_PEM_write_bio(name, type) \ 239 DECLARE_PEM_write_fp(name, type) 240 241 #define DECLARE_PEM_write_const(name, type) \ 242 DECLARE_PEM_write_bio_const(name, type) \ 243 DECLARE_PEM_write_fp_const(name, type) 244 245 #define DECLARE_PEM_write_cb(name, type) \ 246 DECLARE_PEM_write_cb_bio(name, type) \ 247 DECLARE_PEM_write_cb_fp(name, type) 248 249 #define DECLARE_PEM_read(name, type) \ 250 DECLARE_PEM_read_bio(name, type) \ 251 DECLARE_PEM_read_fp(name, type) 252 253 #define DECLARE_PEM_rw(name, type) \ 254 DECLARE_PEM_read(name, type) \ 255 DECLARE_PEM_write(name, type) 256 257 #define DECLARE_PEM_rw_const(name, type) \ 258 DECLARE_PEM_read(name, type) \ 259 DECLARE_PEM_write_const(name, type) 260 261 #define DECLARE_PEM_rw_cb(name, type) \ 262 DECLARE_PEM_read(name, type) \ 263 DECLARE_PEM_write_cb(name, type) 264 265 // "userdata": new with OpenSSL 0.9.4 266 typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata); 267 268 // PEM_read_bio reads from |bp|, until the next PEM block. If one is found, it 269 // returns one and sets |*name|, |*header|, and |*data| to newly-allocated 270 // buffers containing the PEM type, the header block, and the decoded data, 271 // respectively. |*name| and |*header| are NUL-terminated C strings, while 272 // |*data| has |*len| bytes. The caller must release each of |*name|, |*header|, 273 // and |*data| with |OPENSSL_free| when done. If no PEM block is found, this 274 // function returns zero and pushes |PEM_R_NO_START_LINE| to the error queue. If 275 // one is found, but there is an error decoding it, it returns zero and pushes 276 // some other error to the error queue. 277 OPENSSL_EXPORT int PEM_read_bio(BIO *bp, char **name, char **header, 278 unsigned char **data, long *len); 279 280 // PEM_write_bio writes a PEM block to |bp|, containing |len| bytes from |data| 281 // as data. |name| and |hdr| are NUL-terminated C strings containing the PEM 282 // type and header block, respectively. This function returns zero on error and 283 // the number of bytes written on success. 284 OPENSSL_EXPORT int PEM_write_bio(BIO *bp, const char *name, const char *hdr, 285 const unsigned char *data, long len); 286 287 OPENSSL_EXPORT int PEM_bytes_read_bio(unsigned char **pdata, long *plen, 288 char **pnm, const char *name, BIO *bp, 289 pem_password_cb *cb, void *u); 290 OPENSSL_EXPORT void *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, 291 BIO *bp, void **x, pem_password_cb *cb, 292 void *u); 293 OPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, 294 BIO *bp, void *x, const EVP_CIPHER *enc, 295 const unsigned char *pass, int pass_len, 296 pem_password_cb *cb, void *u); 297 298 // PEM_X509_INFO_read_bio reads PEM blocks from |bp| and decodes any 299 // certificates, CRLs, and private keys found. It returns a 300 // |STACK_OF(X509_INFO)| structure containing the results, or NULL on error. 301 // 302 // If |sk| is NULL, the result on success will be a newly-allocated 303 // |STACK_OF(X509_INFO)| structure which should be released with 304 // |sk_X509_INFO_pop_free| and |X509_INFO_free| when done. 305 // 306 // If |sk| is non-NULL, it appends the results to |sk| instead and returns |sk| 307 // on success. In this case, the caller retains ownership of |sk| in both 308 // success and failure. 309 // 310 // WARNING: If the input contains "TRUSTED CERTIFICATE" PEM blocks, this 311 // function parses auxiliary properties as in |d2i_X509_AUX|. Passing untrusted 312 // input to this function allows an attacker to influence those properties. See 313 // |d2i_X509_AUX| for details. 314 OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio( 315 BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); 316 317 // PEM_X509_INFO_read behaves like |PEM_X509_INFO_read_bio| but reads from a 318 // |FILE|. 319 OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, 320 STACK_OF(X509_INFO) *sk, 321 pem_password_cb *cb, 322 void *u); 323 324 OPENSSL_EXPORT int PEM_read(FILE *fp, char **name, char **header, 325 unsigned char **data, long *len); 326 OPENSSL_EXPORT int PEM_write(FILE *fp, const char *name, const char *hdr, 327 const unsigned char *data, long len); 328 OPENSSL_EXPORT void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, 329 void **x, pem_password_cb *cb, void *u); 330 OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, 331 void *x, const EVP_CIPHER *enc, 332 const unsigned char *pass, int pass_len, 333 pem_password_cb *callback, void *u); 334 335 // PEM_def_callback treats |userdata| as a string and copies it into |buf|, 336 // assuming its |size| is sufficient. Returns the length of the string, or -1 on 337 // error. Error cases the buffer being too small, or |buf| and |userdata| being 338 // NULL. Note that this is different from OpenSSL, which prompts for a password. 339 OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag, 340 void *userdata); 341 342 343 DECLARE_PEM_rw(X509, X509) 344 345 // TODO(crbug.com/boringssl/426): When documenting these, copy the warning 346 // about auxiliary properties from |PEM_X509_INFO_read_bio|. 347 DECLARE_PEM_rw(X509_AUX, X509) 348 349 DECLARE_PEM_rw(X509_REQ, X509_REQ) 350 DECLARE_PEM_write(X509_REQ_NEW, X509_REQ) 351 352 DECLARE_PEM_rw(X509_CRL, X509_CRL) 353 354 DECLARE_PEM_rw(PKCS7, PKCS7) 355 DECLARE_PEM_rw(PKCS8, X509_SIG) 356 357 DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO) 358 359 DECLARE_PEM_rw_cb(RSAPrivateKey, RSA) 360 361 DECLARE_PEM_rw_const(RSAPublicKey, RSA) 362 DECLARE_PEM_rw(RSA_PUBKEY, RSA) 363 364 #ifndef OPENSSL_NO_DSA 365 366 DECLARE_PEM_rw_cb(DSAPrivateKey, DSA) 367 368 DECLARE_PEM_rw(DSA_PUBKEY, DSA) 369 370 DECLARE_PEM_rw_const(DSAparams, DSA) 371 372 #endif 373 374 DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY) 375 DECLARE_PEM_rw(EC_PUBKEY, EC_KEY) 376 377 378 DECLARE_PEM_rw_const(DHparams, DH) 379 380 381 DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY) 382 383 DECLARE_PEM_rw(PUBKEY, EVP_PKEY) 384 385 OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, 386 int nid, const char *pass, 387 int pass_len, 388 pem_password_cb *cb, 389 void *u); 390 OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey(BIO *bp, const EVP_PKEY *x, 391 const EVP_CIPHER *enc, 392 const char *pass, int pass_len, 393 pem_password_cb *cb, void *u); 394 OPENSSL_EXPORT int i2d_PKCS8PrivateKey_bio(BIO *bp, const EVP_PKEY *x, 395 const EVP_CIPHER *enc, 396 const char *pass, int pass_len, 397 pem_password_cb *cb, void *u); 398 OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x, 399 int nid, const char *pass, 400 int pass_len, 401 pem_password_cb *cb, void *u); 402 OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, 403 pem_password_cb *cb, void *u); 404 405 OPENSSL_EXPORT int i2d_PKCS8PrivateKey_fp(FILE *fp, const EVP_PKEY *x, 406 const EVP_CIPHER *enc, 407 const char *pass, int pass_len, 408 pem_password_cb *cb, void *u); 409 OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x, 410 int nid, const char *pass, 411 int pass_len, pem_password_cb *cb, 412 void *u); 413 OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, 414 int nid, const char *pass, 415 int pass_len, 416 pem_password_cb *cb, void *u); 417 418 OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, 419 pem_password_cb *cb, void *u); 420 421 OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x, 422 const EVP_CIPHER *enc, 423 const char *pass, int pass_len, 424 pem_password_cb *cd, void *u); 425 426 427 #ifdef __cplusplus 428 } // extern "C" 429 #endif 430 431 #define PEM_R_BAD_BASE64_DECODE 100 432 #define PEM_R_BAD_DECRYPT 101 433 #define PEM_R_BAD_END_LINE 102 434 #define PEM_R_BAD_IV_CHARS 103 435 #define PEM_R_BAD_PASSWORD_READ 104 436 #define PEM_R_CIPHER_IS_NULL 105 437 #define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 106 438 #define PEM_R_NOT_DEK_INFO 107 439 #define PEM_R_NOT_ENCRYPTED 108 440 #define PEM_R_NOT_PROC_TYPE 109 441 #define PEM_R_NO_START_LINE 110 442 #define PEM_R_READ_KEY 111 443 #define PEM_R_SHORT_HEADER 112 444 #define PEM_R_UNSUPPORTED_CIPHER 113 445 #define PEM_R_UNSUPPORTED_ENCRYPTION 114 446 447 #endif // OPENSSL_HEADER_PEM_H 448