« back to all changes in this revision
Viewing changes to mbedtls_2.x/pkparse.c
- browse files at revision 96
- compare with another revision
- download diff
- download tarball
- view history from revision 96
- Committer: Teus Benschop
- Date: 2024-08-17 17:08:44 UTC
- Revision ID: teusjannette@gmail.com-20240817170844-0qf789ywtms3hyz7
new upstream version
- files added:
- mbedtls2
- files removed:
- export/bibledropbox.cpp
- mbedtls_2.x
- files modified:
- Makefile.am
added
removed
mbedtls_2.x/pkparse.c
1
#pragma clang diagnostic ignored "-Wunknown-warning-option"
2
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
3
#pragma clang diagnostic ignored "-Wsign-conversion"
4
5
#pragma GCC diagnostic ignored "-Wconversion"
6
7
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
8
#pragma clang diagnostic ignored "-Wsign-conversion"
9
10
#pragma GCC diagnostic ignored "-Wconversion"
11
12
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
13
#pragma clang diagnostic ignored "-Wsign-conversion"
14
/*
15
* Public Key layer for parsing key files and structures
16
*
17
* Copyright The Mbed TLS Contributors
18
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
19
*
20
* This file is provided under the Apache License 2.0, or the
21
* GNU General Public License v2.0 or later.
22
*
23
* **********
24
* Apache License 2.0:
25
*
26
* Licensed under the Apache License, Version 2.0 (the "License"); you may
27
* not use this file except in compliance with the License.
28
* You may obtain a copy of the License at
29
*
30
* http://www.apache.org/licenses/LICENSE-2.0
31
*
32
* Unless required by applicable law or agreed to in writing, software
33
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
34
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
35
* See the License for the specific language governing permissions and
36
* limitations under the License.
37
*
38
* **********
39
*
40
* **********
41
* GNU General Public License v2.0 or later:
42
*
43
* This program is free software; you can redistribute it and/or modify
44
* it under the terms of the GNU General Public License as published by
45
* the Free Software Foundation; either version 2 of the License, or
46
* (at your option) any later version.
47
*
48
* This program is distributed in the hope that it will be useful,
49
* but WITHOUT ANY WARRANTY; without even the implied warranty of
50
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
51
* GNU General Public License for more details.
52
*
53
* You should have received a copy of the GNU General Public License along
54
* with this program; if not, write to the Free Software Foundation, Inc.,
55
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
56
*
57
* **********
58
*/
59
60
#if !defined(MBEDTLS_CONFIG_FILE)
61
#include "mbedtls/config.h"
62
#else
63
#include MBEDTLS_CONFIG_FILE
64
#endif
65
66
#if defined(MBEDTLS_PK_PARSE_C)
67
68
#include "mbedtls/pk.h"
69
#include "mbedtls/asn1.h"
70
#include "mbedtls/oid.h"
71
#include "mbedtls/platform_util.h"
72
73
#include <string.h>
74
75
#if defined(MBEDTLS_RSA_C)
76
#include "mbedtls/rsa.h"
77
#endif
78
#if defined(MBEDTLS_ECP_C)
79
#include "mbedtls/ecp.h"
80
#endif
81
#if defined(MBEDTLS_ECDSA_C)
82
#include "mbedtls/ecdsa.h"
83
#endif
84
#if defined(MBEDTLS_PEM_PARSE_C)
85
#include "mbedtls/pem.h"
86
#endif
87
#if defined(MBEDTLS_PKCS5_C)
88
#include "mbedtls/pkcs5.h"
89
#endif
90
#if defined(MBEDTLS_PKCS12_C)
91
#include "mbedtls/pkcs12.h"
92
#endif
93
94
#if defined(MBEDTLS_PLATFORM_C)
95
#include "mbedtls/platform.h"
96
#else
97
#include <stdlib.h>
98
#define mbedtls_calloc calloc
99
#define mbedtls_free free
100
#endif
101
102
/* Parameter validation macros based on platform_util.h */
103
#define PK_VALIDATE_RET( cond ) \
104
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
105
#define PK_VALIDATE( cond ) \
106
MBEDTLS_INTERNAL_VALIDATE( cond )
107
108
#if defined(MBEDTLS_FS_IO)
109
/*
110
* Load all data from a file into a given buffer.
111
*
112
* The file is expected to contain either PEM or DER encoded data.
113
* A terminating null byte is always appended. It is included in the announced
114
* length only if the data looks like it is PEM encoded.
115
*/
116
int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
117
{
118
FILE *f;
119
long size;
120
121
PK_VALIDATE_RET( path != NULL );
122
PK_VALIDATE_RET( buf != NULL );
123
PK_VALIDATE_RET( n != NULL );
124
125
if( ( f = fopen( path, "rb" ) ) == NULL )
126
return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
127
128
fseek( f, 0, SEEK_END );
129
if( ( size = ftell( f ) ) == -1 )
130
{
131
fclose( f );
132
return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
133
}
134
fseek( f, 0, SEEK_SET );
135
136
*n = (size_t) size;
137
138
if( *n + 1 == 0 ||
139
( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
140
{
141
fclose( f );
142
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
143
}
144
145
if( fread( *buf, 1, *n, f ) != *n )
146
{
147
fclose( f );
148
149
mbedtls_platform_zeroize( *buf, *n );
150
mbedtls_free( *buf );
151
152
return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
153
}
154
155
fclose( f );
156
157
(*buf)[*n] = '\0';
158
159
if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
160
++*n;
161
162
return( 0 );
163
}
164
165
/*
166
* Load and parse a private key
167
*/
168
int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
169
const char *path, const char *pwd )
170
{
171
int ret;
172
size_t n;
173
unsigned char *buf;
174
175
PK_VALIDATE_RET( ctx != NULL );
176
PK_VALIDATE_RET( path != NULL );
177
178
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
179
return( ret );
180
181
if( pwd == NULL )
182
ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
183
else
184
ret = mbedtls_pk_parse_key( ctx, buf, n,
185
(const unsigned char *) pwd, strlen( pwd ) );
186
187
mbedtls_platform_zeroize( buf, n );
188
mbedtls_free( buf );
189
190
return( ret );
191
}
192
193
/*
194
* Load and parse a public key
195
*/
196
int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
197
{
198
int ret;
199
size_t n;
200
unsigned char *buf;
201
202
PK_VALIDATE_RET( ctx != NULL );
203
PK_VALIDATE_RET( path != NULL );
204
205
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
206
return( ret );
207
208
ret = mbedtls_pk_parse_public_key( ctx, buf, n );
209
210
mbedtls_platform_zeroize( buf, n );
211
mbedtls_free( buf );
212
213
return( ret );
214
}
215
#endif /* MBEDTLS_FS_IO */
216
217
#if defined(MBEDTLS_ECP_C)
218
/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
219
*
220
* ECParameters ::= CHOICE {
221
* namedCurve OBJECT IDENTIFIER
222
* specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
223
* -- implicitCurve NULL
224
* }
225
*/
226
static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
227
mbedtls_asn1_buf *params )
228
{
229
int ret;
230
231
if ( end - *p < 1 )
232
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
233
MBEDTLS_ERR_ASN1_OUT_OF_DATA );
234
235
/* Tag may be either OID or SEQUENCE */
236
params->tag = **p;
237
if( params->tag != MBEDTLS_ASN1_OID
238
#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
239
&& params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
240
#endif
241
)
242
{
243
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
244
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
245
}
246
247
if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 )
248
{
249
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
250
}
251
252
params->p = *p;
253
*p += params->len;
254
255
if( *p != end )
256
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
257
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
258
259
return( 0 );
260
}
261
262
#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
263
/*
264
* Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
265
* WARNING: the resulting group should only be used with
266
* pk_group_id_from_specified(), since its base point may not be set correctly
267
* if it was encoded compressed.
268
*
269
* SpecifiedECDomain ::= SEQUENCE {
270
* version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
271
* fieldID FieldID {{FieldTypes}},
272
* curve Curve,
273
* base ECPoint,
274
* order INTEGER,
275
* cofactor INTEGER OPTIONAL,
276
* hash HashAlgorithm OPTIONAL,
277
* ...
278
* }
279
*
280
* We only support prime-field as field type, and ignore hash and cofactor.
281
*/
282
static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
283
{
284
int ret;
285
unsigned char *p = params->p;
286
const unsigned char * const end = params->p + params->len;
287
const unsigned char *end_field, *end_curve;
288
size_t len;
289
int ver;
290
291
/* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
292
if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
293
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
294
295
if( ver < 1 || ver > 3 )
296
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
297
298
/*
299
* FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
300
* fieldType FIELD-ID.&id({IOSet}),
301
* parameters FIELD-ID.&Type({IOSet}{@fieldType})
302
* }
303
*/
304
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
305
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
306
return( ret );
307
308
end_field = p + len;
309
310
/*
311
* FIELD-ID ::= TYPE-IDENTIFIER
312
* FieldTypes FIELD-ID ::= {
313
* { Prime-p IDENTIFIED BY prime-field } |
314
* { Characteristic-two IDENTIFIED BY characteristic-two-field }
315
* }
316
* prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
317
*/
318
if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
319
return( ret );
320
321
if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
322
memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
323
{
324
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
325
}
326
327
p += len;
328
329
/* Prime-p ::= INTEGER -- Field of size p. */
330
if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
331
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
332
333
grp->pbits = mbedtls_mpi_bitlen( &grp->P );
334
335
if( p != end_field )
336
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
337
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
338
339
/*
340
* Curve ::= SEQUENCE {
341
* a FieldElement,
342
* b FieldElement,
343
* seed BIT STRING OPTIONAL
344
* -- Shall be present if used in SpecifiedECDomain
345
* -- with version equal to ecdpVer2 or ecdpVer3
346
* }
347
*/
348
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
349
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
350
return( ret );
351
352
end_curve = p + len;
353
354
/*
355
* FieldElement ::= OCTET STRING
356
* containing an integer in the case of a prime field
357
*/
358
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
359
( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
360
{
361
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
362
}
363
364
p += len;
365
366
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
367
( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
368
{
369
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
370
}
371
372
p += len;
373
374
/* Ignore seed BIT STRING OPTIONAL */
375
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
376
p += len;
377
378
if( p != end_curve )
379
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
380
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
381
382
/*
383
* ECPoint ::= OCTET STRING
384
*/
385
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
386
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
387
388
if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
389
( const unsigned char *) p, len ) ) != 0 )
390
{
391
/*
392
* If we can't read the point because it's compressed, cheat by
393
* reading only the X coordinate and the parity bit of Y.
394
*/
395
if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
396
( p[0] != 0x02 && p[0] != 0x03 ) ||
397
len != mbedtls_mpi_size( &grp->P ) + 1 ||
398
mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
399
mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
400
mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
401
{
402
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
403
}
404
}
405
406
p += len;
407
408
/*
409
* order INTEGER
410
*/
411
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
412
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
413
414
grp->nbits = mbedtls_mpi_bitlen( &grp->N );
415
416
/*
417
* Allow optional elements by purposefully not enforcing p == end here.
418
*/
419
420
return( 0 );
421
}
422
423
/*
424
* Find the group id associated with an (almost filled) group as generated by
425
* pk_group_from_specified(), or return an error if unknown.
426
*/
427
static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
428
{
429
int ret = 0;
430
mbedtls_ecp_group ref;
431
const mbedtls_ecp_group_id *id;
432
433
mbedtls_ecp_group_init( &ref );
434
435
for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
436
{
437
/* Load the group associated to that id */
438
mbedtls_ecp_group_free( &ref );
439
MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
440
441
/* Compare to the group we were given, starting with easy tests */
442
if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
443
mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
444
mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
445
mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
446
mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
447
mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
448
mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
449
/* For Y we may only know the parity bit, so compare only that */
450
mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
451
{
452
break;
453
}
454
455
}
456
457
cleanup:
458
mbedtls_ecp_group_free( &ref );
459
460
*grp_id = *id;
461
462
if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
463
ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
464
465
return( ret );
466
}
467
468
/*
469
* Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
470
*/
471
static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
472
mbedtls_ecp_group_id *grp_id )
473
{
474
int ret;
475
mbedtls_ecp_group grp;
476
477
mbedtls_ecp_group_init( &grp );
478
479
if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
480
goto cleanup;
481
482
ret = pk_group_id_from_group( &grp, grp_id );
483
484
cleanup:
485
mbedtls_ecp_group_free( &grp );
486
487
return( ret );
488
}
489
#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
490
491
/*
492
* Use EC parameters to initialise an EC group
493
*
494
* ECParameters ::= CHOICE {
495
* namedCurve OBJECT IDENTIFIER
496
* specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
497
* -- implicitCurve NULL
498
*/
499
static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
500
{
501
int ret;
502
mbedtls_ecp_group_id grp_id;
503
504
if( params->tag == MBEDTLS_ASN1_OID )
505
{
506
if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
507
return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
508
}
509
else
510
{
511
#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
512
if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
513
return( ret );
514
#else
515
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
516
#endif
517
}
518
519
/*
520
* grp may already be initilialized; if so, make sure IDs match
521
*/
522
if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
523
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
524
525
if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
526
return( ret );
527
528
return( 0 );
529
}
530
531
/*
532
* EC public key is an EC point
533
*
534
* The caller is responsible for clearing the structure upon failure if
535
* desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
536
* return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
537
*/
538
static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
539
mbedtls_ecp_keypair *key )
540
{
541
int ret;
542
543
if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
544
(const unsigned char *) *p, end - *p ) ) == 0 )
545
{
546
ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
547
}
548
549
/*
550
* We know mbedtls_ecp_point_read_binary consumed all bytes or failed
551
*/
552
*p = (unsigned char *) end;
553
554
return( ret );
555
}
556
#endif /* MBEDTLS_ECP_C */
557
558
#if defined(MBEDTLS_RSA_C)
559
/*
560
* RSAPublicKey ::= SEQUENCE {
561
* modulus INTEGER, -- n
562
* publicExponent INTEGER -- e
563
* }
564
*/
565
static int pk_get_rsapubkey( unsigned char **p,
566
const unsigned char *end,
567
mbedtls_rsa_context *rsa )
568
{
569
int ret;
570
size_t len;
571
572
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
573
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
574
return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
575
576
if( *p + len != end )
577
return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
578
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
579
580
/* Import N */
581
if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
582
return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
583
584
if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
585
NULL, 0, NULL, 0 ) ) != 0 )
586
return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
587
588
*p += len;
589
590
/* Import E */
591
if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
592
return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
593
594
if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
595
NULL, 0, *p, len ) ) != 0 )
596
return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
597
598
*p += len;
599
600
if( mbedtls_rsa_complete( rsa ) != 0 ||
601
mbedtls_rsa_check_pubkey( rsa ) != 0 )
602
{
603
return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
604
}
605
606
if( *p != end )
607
return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
608
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
609
610
return( 0 );
611
}
612
#endif /* MBEDTLS_RSA_C */
613
614
/* Get a PK algorithm identifier
615
*
616
* AlgorithmIdentifier ::= SEQUENCE {
617
* algorithm OBJECT IDENTIFIER,
618
* parameters ANY DEFINED BY algorithm OPTIONAL }
619
*/
620
static int pk_get_pk_alg( unsigned char **p,
621
const unsigned char *end,
622
mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
623
{
624
int ret;
625
mbedtls_asn1_buf alg_oid;
626
627
memset( params, 0, sizeof(mbedtls_asn1_buf) );
628
629
if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
630
return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
631
632
if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
633
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
634
635
/*
636
* No parameters with RSA (only for EC)
637
*/
638
if( *pk_alg == MBEDTLS_PK_RSA &&
639
( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
640
params->len != 0 ) )
641
{
642
return( MBEDTLS_ERR_PK_INVALID_ALG );
643
}
644
645
return( 0 );
646
}
647
648
/*
649
* SubjectPublicKeyInfo ::= SEQUENCE {
650
* algorithm AlgorithmIdentifier,
651
* subjectPublicKey BIT STRING }
652
*/
653
int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
654
mbedtls_pk_context *pk )
655
{
656
int ret;
657
size_t len;
658
mbedtls_asn1_buf alg_params;
659
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
660
const mbedtls_pk_info_t *pk_info;
661
662
PK_VALIDATE_RET( p != NULL );
663
PK_VALIDATE_RET( *p != NULL );
664
PK_VALIDATE_RET( end != NULL );
665
PK_VALIDATE_RET( pk != NULL );
666
667
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
668
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
669
{
670
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
671
}
672
673
end = *p + len;
674
675
if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
676
return( ret );
677
678
if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
679
return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
680
681
if( *p + len != end )
682
return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
683
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
684
685
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
686
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
687
688
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
689
return( ret );
690
691
#if defined(MBEDTLS_RSA_C)
692
if( pk_alg == MBEDTLS_PK_RSA )
693
{
694
ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
695
} else
696
#endif /* MBEDTLS_RSA_C */
697
#if defined(MBEDTLS_ECP_C)
698
if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
699
{
700
ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
701
if( ret == 0 )
702
ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
703
} else
704
#endif /* MBEDTLS_ECP_C */
705
ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
706
707
if( ret == 0 && *p != end )
708
ret = MBEDTLS_ERR_PK_INVALID_PUBKEY +
709
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
710
711
if( ret != 0 )
712
mbedtls_pk_free( pk );
713
714
return( ret );
715
}
716
717
#if defined(MBEDTLS_RSA_C)
718
/*
719
* Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
720
*
721
* The value zero is:
722
* - never a valid value for an RSA parameter
723
* - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
724
*
725
* Since values can't be omitted in PKCS#1, passing a zero value to
726
* rsa_complete() would be incorrect, so reject zero values early.
727
*/
728
static int asn1_get_nonzero_mpi( unsigned char **p,
729
const unsigned char *end,
730
mbedtls_mpi *X )
731
{
732
int ret;
733
734
ret = mbedtls_asn1_get_mpi( p, end, X );
735
if( ret != 0 )
736
return( ret );
737
738
if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
739
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
740
741
return( 0 );
742
}
743
744
/*
745
* Parse a PKCS#1 encoded private RSA key
746
*/
747
static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
748
const unsigned char *key,
749
size_t keylen )
750
{
751
int ret, version;
752
size_t len;
753
unsigned char *p, *end;
754
755
mbedtls_mpi T;
756
mbedtls_mpi_init( &T );
757
758
p = (unsigned char *) key;
759
end = p + keylen;
760
761
/*
762
* This function parses the RSAPrivateKey (PKCS#1)
763
*
764
* RSAPrivateKey ::= SEQUENCE {
765
* version Version,
766
* modulus INTEGER, -- n
767
* publicExponent INTEGER, -- e
768
* privateExponent INTEGER, -- d
769
* prime1 INTEGER, -- p
770
* prime2 INTEGER, -- q
771
* exponent1 INTEGER, -- d mod (p-1)
772
* exponent2 INTEGER, -- d mod (q-1)
773
* coefficient INTEGER, -- (inverse of q) mod p
774
* otherPrimeInfos OtherPrimeInfos OPTIONAL
775
* }
776
*/
777
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
778
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
779
{
780
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
781
}
782
783
end = p + len;
784
785
if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
786
{
787
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
788
}
789
790
if( version != 0 )
791
{
792
return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
793
}
794
795
/* Import N */
796
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
797
( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
798
NULL, NULL ) ) != 0 )
799
goto cleanup;
800
801
/* Import E */
802
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
803
( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
804
NULL, &T ) ) != 0 )
805
goto cleanup;
806
807
/* Import D */
808
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
809
( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
810
&T, NULL ) ) != 0 )
811
goto cleanup;
812
813
/* Import P */
814
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
815
( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
816
NULL, NULL ) ) != 0 )
817
goto cleanup;
818
819
/* Import Q */
820
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
821
( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
822
NULL, NULL ) ) != 0 )
823
goto cleanup;
824
825
#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
826
/*
827
* The RSA CRT parameters DP, DQ and QP are nominally redundant, in
828
* that they can be easily recomputed from D, P and Q. However by
829
* parsing them from the PKCS1 structure it is possible to avoid
830
* recalculating them which both reduces the overhead of loading
831
* RSA private keys into memory and also avoids side channels which
832
* can arise when computing those values, since all of D, P, and Q
833
* are secret. See https://eprint.iacr.org/2020/055 for a
834
* description of one such attack.
835
*/
836
837
/* Import DP */
838
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
839
( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
840
goto cleanup;
841
842
/* Import DQ */
843
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
844
( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
845
goto cleanup;
846
847
/* Import QP */
848
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
849
( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
850
goto cleanup;
851
852
#else
853
/* Verify existance of the CRT params */
854
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
855
( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
856
( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
857
goto cleanup;
858
#endif
859
860
/* rsa_complete() doesn't complete anything with the default
861
* implementation but is still called:
862
* - for the benefit of alternative implementation that may want to
863
* pre-compute stuff beyond what's provided (eg Montgomery factors)
864
* - as is also sanity-checks the key
865
*
866
* Furthermore, we also check the public part for consistency with
867
* mbedtls_pk_parse_pubkey(), as it includes size minima for example.
868
*/
869
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
870
( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
871
{
872
goto cleanup;
873
}
874
875
if( p != end )
876
{
877
ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
878
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
879
}
880
881
cleanup:
882
883
mbedtls_mpi_free( &T );
884
885
if( ret != 0 )
886
{
887
/* Wrap error code if it's coming from a lower level */
888
if( ( ret & 0xff80 ) == 0 )
889
ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
890
else
891
ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
892
893
mbedtls_rsa_free( rsa );
894
}
895
896
return( ret );
897
}
898
#endif /* MBEDTLS_RSA_C */
899
900
#if defined(MBEDTLS_ECP_C)
901
/*
902
* Parse a SEC1 encoded private EC key
903
*/
904
static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
905
const unsigned char *key,
906
size_t keylen )
907
{
908
int ret;
909
int version, pubkey_done;
910
size_t len;
911
mbedtls_asn1_buf params;
912
unsigned char *p = (unsigned char *) key;
913
unsigned char *end = p + keylen;
914
unsigned char *end2;
915
916
/*
917
* RFC 5915, or SEC1 Appendix C.4
918
*
919
* ECPrivateKey ::= SEQUENCE {
920
* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
921
* privateKey OCTET STRING,
922
* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
923
* publicKey [1] BIT STRING OPTIONAL
924
* }
925
*/
926
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
927
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
928
{
929
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
930
}
931
932
end = p + len;
933
934
if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
935
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
936
937
if( version != 1 )
938
return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
939
940
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
941
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
942
943
if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
944
{
945
mbedtls_ecp_keypair_free( eck );
946
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
947
}
948
949
p += len;
950
951
pubkey_done = 0;
952
if( p != end )
953
{
954
/*
955
* Is 'parameters' present?
956
*/
957
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
958
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
959
{
960
if( ( ret = pk_get_ecparams( &p, p + len, ¶ms) ) != 0 ||
961
( ret = pk_use_ecparams( ¶ms, &eck->grp ) ) != 0 )
962
{
963
mbedtls_ecp_keypair_free( eck );
964
return( ret );
965
}
966
}
967
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
968
{
969
mbedtls_ecp_keypair_free( eck );
970
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
971
}
972
}
973
974
if( p != end )
975
{
976
/*
977
* Is 'publickey' present? If not, or if we can't read it (eg because it
978
* is compressed), create it from the private key.
979
*/
980
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
981
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
982
{
983
end2 = p + len;
984
985
if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
986
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
987
988
if( p + len != end2 )
989
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
990
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
991
992
if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
993
pubkey_done = 1;
994
else
995
{
996
/*
997
* The only acceptable failure mode of pk_get_ecpubkey() above
998
* is if the point format is not recognized.
999
*/
1000
if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
1001
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1002
}
1003
}
1004
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
1005
{
1006
mbedtls_ecp_keypair_free( eck );
1007
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1008
}
1009
}
1010
1011
if( ! pubkey_done &&
1012
( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
1013
NULL, NULL ) ) != 0 )
1014
{
1015
mbedtls_ecp_keypair_free( eck );
1016
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1017
}
1018
1019
if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
1020
{
1021
mbedtls_ecp_keypair_free( eck );
1022
return( ret );
1023
}
1024
1025
return( 0 );
1026
}
1027
#endif /* MBEDTLS_ECP_C */
1028
1029
/*
1030
* Parse an unencrypted PKCS#8 encoded private key
1031
*
1032
* Notes:
1033
*
1034
* - This function does not own the key buffer. It is the
1035
* responsibility of the caller to take care of zeroizing
1036
* and freeing it after use.
1037
*
1038
* - The function is responsible for freeing the provided
1039
* PK context on failure.
1040
*
1041
*/
1042
static int pk_parse_key_pkcs8_unencrypted_der(
1043
mbedtls_pk_context *pk,
1044
const unsigned char* key,
1045
size_t keylen )
1046
{
1047
int ret, version;
1048
size_t len;
1049
mbedtls_asn1_buf params;
1050
unsigned char *p = (unsigned char *) key;
1051
unsigned char *end = p + keylen;
1052
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
1053
const mbedtls_pk_info_t *pk_info;
1054
1055
/*
1056
* This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
1057
*
1058
* PrivateKeyInfo ::= SEQUENCE {
1059
* version Version,
1060
* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
1061
* privateKey PrivateKey,
1062
* attributes [0] IMPLICIT Attributes OPTIONAL }
1063
*
1064
* Version ::= INTEGER
1065
* PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
1066
* PrivateKey ::= OCTET STRING
1067
*
1068
* The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
1069
*/
1070
1071
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1072
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1073
{
1074
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1075
}
1076
1077
end = p + len;
1078
1079
if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
1080
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1081
1082
if( version != 0 )
1083
return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
1084
1085
if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 )
1086
return( ret );
1087
1088
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1089
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1090
1091
if( len < 1 )
1092
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
1093
MBEDTLS_ERR_ASN1_OUT_OF_DATA );
1094
1095
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
1096
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1097
1098
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
1099
return( ret );
1100
1101
#if defined(MBEDTLS_RSA_C)
1102
if( pk_alg == MBEDTLS_PK_RSA )
1103
{
1104
if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
1105
{
1106
mbedtls_pk_free( pk );
1107
return( ret );
1108
}
1109
} else
1110
#endif /* MBEDTLS_RSA_C */
1111
#if defined(MBEDTLS_ECP_C)
1112
if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
1113
{
1114
if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
1115
( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 )
1116
{
1117
mbedtls_pk_free( pk );
1118
return( ret );
1119
}
1120
} else
1121
#endif /* MBEDTLS_ECP_C */
1122
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1123
1124
return( 0 );
1125
}
1126
1127
/*
1128
* Parse an encrypted PKCS#8 encoded private key
1129
*
1130
* To save space, the decryption happens in-place on the given key buffer.
1131
* Also, while this function may modify the keybuffer, it doesn't own it,
1132
* and instead it is the responsibility of the caller to zeroize and properly
1133
* free it after use.
1134
*
1135
*/
1136
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1137
static int pk_parse_key_pkcs8_encrypted_der(
1138
mbedtls_pk_context *pk,
1139
unsigned char *key, size_t keylen,
1140
const unsigned char *pwd, size_t pwdlen )
1141
{
1142
int ret, decrypted = 0;
1143
size_t len;
1144
unsigned char *buf;
1145
unsigned char *p, *end;
1146
mbedtls_asn1_buf pbe_alg_oid, pbe_params;
1147
#if defined(MBEDTLS_PKCS12_C)
1148
mbedtls_cipher_type_t cipher_alg;
1149
mbedtls_md_type_t md_alg;
1150
#endif
1151
1152
p = key;
1153
end = p + keylen;
1154
1155
if( pwdlen == 0 )
1156
return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1157
1158
/*
1159
* This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
1160
*
1161
* EncryptedPrivateKeyInfo ::= SEQUENCE {
1162
* encryptionAlgorithm EncryptionAlgorithmIdentifier,
1163
* encryptedData EncryptedData
1164
* }
1165
*
1166
* EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1167
*
1168
* EncryptedData ::= OCTET STRING
1169
*
1170
* The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
1171
*
1172
*/
1173
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1174
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1175
{
1176
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1177
}
1178
1179
end = p + len;
1180
1181
if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
1182
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1183
1184
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1185
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
1186
1187
buf = p;
1188
1189
/*
1190
* Decrypt EncryptedData with appropriate PBE
1191
*/
1192
#if defined(MBEDTLS_PKCS12_C)
1193
if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
1194
{
1195
if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
1196
cipher_alg, md_alg,
1197
pwd, pwdlen, p, len, buf ) ) != 0 )
1198
{
1199
if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
1200
return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1201
1202
return( ret );
1203
}
1204
1205
decrypted = 1;
1206
}
1207
else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
1208
{
1209
if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
1210
MBEDTLS_PKCS12_PBE_DECRYPT,
1211
pwd, pwdlen,
1212
p, len, buf ) ) != 0 )
1213
{
1214
return( ret );
1215
}
1216
1217
// Best guess for password mismatch when using RC4. If first tag is
1218
// not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
1219
//
1220
if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
1221
return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1222
1223
decrypted = 1;
1224
}
1225
else
1226
#endif /* MBEDTLS_PKCS12_C */
1227
#if defined(MBEDTLS_PKCS5_C)
1228
if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
1229
{
1230
if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
1231
p, len, buf ) ) != 0 )
1232
{
1233
if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
1234
return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1235
1236
return( ret );
1237
}
1238
1239
decrypted = 1;
1240
}
1241
else
1242
#endif /* MBEDTLS_PKCS5_C */
1243
{
1244
((void) pwd);
1245
}
1246
1247
if( decrypted == 0 )
1248
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1249
1250
return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
1251
}
1252
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1253
1254
/*
1255
* Parse a private key
1256
*/
1257
int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
1258
const unsigned char *key, size_t keylen,
1259
const unsigned char *pwd, size_t pwdlen )
1260
{
1261
int ret;
1262
const mbedtls_pk_info_t *pk_info;
1263
#if defined(MBEDTLS_PEM_PARSE_C)
1264
size_t len;
1265
mbedtls_pem_context pem;
1266
#endif
1267
1268
PK_VALIDATE_RET( pk != NULL );
1269
if( keylen == 0 )
1270
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1271
PK_VALIDATE_RET( key != NULL );
1272
1273
#if defined(MBEDTLS_PEM_PARSE_C)
1274
mbedtls_pem_init( &pem );
1275
1276
#if defined(MBEDTLS_RSA_C)
1277
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1278
if( key[keylen - 1] != '\0' )
1279
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1280
else
1281
ret = mbedtls_pem_read_buffer( &pem,
1282
"-----BEGIN RSA PRIVATE KEY-----",
1283
"-----END RSA PRIVATE KEY-----",
1284
key, pwd, pwdlen, &len );
1285
1286
if( ret == 0 )
1287
{
1288
pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
1289
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
1290
( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
1291
pem.buf, pem.buflen ) ) != 0 )
1292
{
1293
mbedtls_pk_free( pk );
1294
}
1295
1296
mbedtls_pem_free( &pem );
1297
return( ret );
1298
}
1299
else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
1300
return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1301
else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
1302
return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1303
else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1304
return( ret );
1305
#endif /* MBEDTLS_RSA_C */
1306
1307
#if defined(MBEDTLS_ECP_C)
1308
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1309
if( key[keylen - 1] != '\0' )
1310
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1311
else
1312
ret = mbedtls_pem_read_buffer( &pem,
1313
"-----BEGIN EC PRIVATE KEY-----",
1314
"-----END EC PRIVATE KEY-----",
1315
key, pwd, pwdlen, &len );
1316
if( ret == 0 )
1317
{
1318
pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
1319
1320
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
1321
( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
1322
pem.buf, pem.buflen ) ) != 0 )
1323
{
1324
mbedtls_pk_free( pk );
1325
}
1326
1327
mbedtls_pem_free( &pem );
1328
return( ret );
1329
}
1330
else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
1331
return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1332
else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
1333
return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1334
else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1335
return( ret );
1336
#endif /* MBEDTLS_ECP_C */
1337
1338
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1339
if( key[keylen - 1] != '\0' )
1340
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1341
else
1342
ret = mbedtls_pem_read_buffer( &pem,
1343
"-----BEGIN PRIVATE KEY-----",
1344
"-----END PRIVATE KEY-----",
1345
key, NULL, 0, &len );
1346
if( ret == 0 )
1347
{
1348
if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
1349
pem.buf, pem.buflen ) ) != 0 )
1350
{
1351
mbedtls_pk_free( pk );
1352
}
1353
1354
mbedtls_pem_free( &pem );
1355
return( ret );
1356
}
1357
else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1358
return( ret );
1359
1360
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1361
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1362
if( key[keylen - 1] != '\0' )
1363
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1364
else
1365
ret = mbedtls_pem_read_buffer( &pem,
1366
"-----BEGIN ENCRYPTED PRIVATE KEY-----",
1367
"-----END ENCRYPTED PRIVATE KEY-----",
1368
key, NULL, 0, &len );
1369
if( ret == 0 )
1370
{
1371
if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
1372
pem.buf, pem.buflen,
1373
pwd, pwdlen ) ) != 0 )
1374
{
1375
mbedtls_pk_free( pk );
1376
}
1377
1378
mbedtls_pem_free( &pem );
1379
return( ret );
1380
}
1381
else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1382
return( ret );
1383
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1384
#else
1385
((void) pwd);
1386
((void) pwdlen);
1387
#endif /* MBEDTLS_PEM_PARSE_C */
1388
1389
/*
1390
* At this point we only know it's not a PEM formatted key. Could be any
1391
* of the known DER encoded private key formats
1392
*
1393
* We try the different DER format parsers to see if one passes without
1394
* error
1395
*/
1396
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1397
{
1398
unsigned char *key_copy;
1399
1400
if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
1401
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
1402
1403
memcpy( key_copy, key, keylen );
1404
1405
ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
1406
pwd, pwdlen );
1407
1408
mbedtls_platform_zeroize( key_copy, keylen );
1409
mbedtls_free( key_copy );
1410
}
1411
1412
if( ret == 0 )
1413
return( 0 );
1414
1415
mbedtls_pk_free( pk );
1416
mbedtls_pk_init( pk );
1417
1418
if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
1419
{
1420
return( ret );
1421
}
1422
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1423
1424
if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
1425
return( 0 );
1426
1427
mbedtls_pk_free( pk );
1428
mbedtls_pk_init( pk );
1429
1430
#if defined(MBEDTLS_RSA_C)
1431
1432
pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
1433
if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
1434
pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
1435
{
1436
return( 0 );
1437
}
1438
1439
mbedtls_pk_free( pk );
1440
mbedtls_pk_init( pk );
1441
#endif /* MBEDTLS_RSA_C */
1442
1443
#if defined(MBEDTLS_ECP_C)
1444
pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
1445
if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
1446
pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
1447
key, keylen ) == 0 )
1448
{
1449
return( 0 );
1450
}
1451
mbedtls_pk_free( pk );
1452
#endif /* MBEDTLS_ECP_C */
1453
1454
/* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
1455
* it is ok to leave the PK context initialized but not
1456
* freed: It is the caller's responsibility to call pk_init()
1457
* before calling this function, and to call pk_free()
1458
* when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
1459
* isn't, this leads to mbedtls_pk_free() being called
1460
* twice, once here and once by the caller, but this is
1461
* also ok and in line with the mbedtls_pk_free() calls
1462
* on failed PEM parsing attempts. */
1463
1464
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1465
}
1466
1467
/*
1468
* Parse a public key
1469
*/
1470
int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
1471
const unsigned char *key, size_t keylen )
1472
{
1473
int ret;
1474
unsigned char *p;
1475
#if defined(MBEDTLS_RSA_C)
1476
const mbedtls_pk_info_t *pk_info;
1477
#endif
1478
#if defined(MBEDTLS_PEM_PARSE_C)
1479
size_t len;
1480
mbedtls_pem_context pem;
1481
#endif
1482
1483
PK_VALIDATE_RET( ctx != NULL );
1484
if( keylen == 0 )
1485
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1486
PK_VALIDATE_RET( key != NULL || keylen == 0 );
1487
1488
#if defined(MBEDTLS_PEM_PARSE_C)
1489
mbedtls_pem_init( &pem );
1490
#if defined(MBEDTLS_RSA_C)
1491
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1492
if( key[keylen - 1] != '\0' )
1493
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1494
else
1495
ret = mbedtls_pem_read_buffer( &pem,
1496
"-----BEGIN RSA PUBLIC KEY-----",
1497
"-----END RSA PUBLIC KEY-----",
1498
key, NULL, 0, &len );
1499
1500
if( ret == 0 )
1501
{
1502
p = pem.buf;
1503
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
1504
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1505
1506
if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
1507
return( ret );
1508
1509
if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
1510
mbedtls_pk_free( ctx );
1511
1512
mbedtls_pem_free( &pem );
1513
return( ret );
1514
}
1515
else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1516
{
1517
mbedtls_pem_free( &pem );
1518
return( ret );
1519
}
1520
#endif /* MBEDTLS_RSA_C */
1521
1522
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1523
if( key[keylen - 1] != '\0' )
1524
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1525
else
1526
ret = mbedtls_pem_read_buffer( &pem,
1527
"-----BEGIN PUBLIC KEY-----",
1528
"-----END PUBLIC KEY-----",
1529
key, NULL, 0, &len );
1530
1531
if( ret == 0 )
1532
{
1533
/*
1534
* Was PEM encoded
1535
*/
1536
p = pem.buf;
1537
1538
ret = mbedtls_pk_parse_subpubkey( &p, p + pem.buflen, ctx );
1539
mbedtls_pem_free( &pem );
1540
return( ret );
1541
}
1542
else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1543
{
1544
mbedtls_pem_free( &pem );
1545
return( ret );
1546
}
1547
mbedtls_pem_free( &pem );
1548
#endif /* MBEDTLS_PEM_PARSE_C */
1549
1550
#if defined(MBEDTLS_RSA_C)
1551
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
1552
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1553
1554
if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
1555
return( ret );
1556
1557
p = (unsigned char *)key;
1558
ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
1559
if( ret == 0 )
1560
{
1561
return( ret );
1562
}
1563
mbedtls_pk_free( ctx );
1564
if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
1565
{
1566
return( ret );
1567
}
1568
#endif /* MBEDTLS_RSA_C */
1569
p = (unsigned char *) key;
1570
1571
ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
1572
1573
return( ret );
1574
}
1575
1576
#endif /* MBEDTLS_PK_PARSE_C */
Loggerhead is a web-based interface for Breezy
Version: 2.0.1