Add selection support to the provider keymgmt_dup function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)

crypto/dh/dh_ameth.c

@@ -543,7 +543,7 @@ static int dh_pkey_copy(EVP_PKEY *to, EVP_PKEY *from)
     int ret;
 
     if (dh != NULL) {
-        dupkey = ossl_dh_dup(dh);
+        dupkey = ossl_dh_dup(dh, OSSL_KEYMGMT_SELECT_ALL);
         if (dupkey == NULL)
             return 0;
     }

crypto/dh/dh_backend.c

@@ -125,7 +125,7 @@ static ossl_inline int dh_bn_dup_check(BIGNUM **out, const BIGNUM *f)
     return 1;
 }
 
-DH *ossl_dh_dup(const DH *dh)
+DH *ossl_dh_dup(const DH *dh, int selection)
 {
     DH *dupkey = NULL;
 
@@ -139,14 +139,20 @@ DH *ossl_dh_dup(const DH *dh)
         return NULL;
 
     dupkey->length = DH_get_length(dh);
-    if (!ossl_ffc_params_copy(&dupkey->params, &dh->params))
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0
+        && !ossl_ffc_params_copy(&dupkey->params, &dh->params))
         goto err;
 
     dupkey->flags = dh->flags;
 
-    if (!dh_bn_dup_check(&dupkey->pub_key, dh->pub_key))
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0
+        && ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0
+            || !dh_bn_dup_check(&dupkey->pub_key, dh->pub_key)))
         goto err;
-    if (!dh_bn_dup_check(&dupkey->priv_key, dh->priv_key))
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
+        && ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0
+            || !dh_bn_dup_check(&dupkey->priv_key, dh->priv_key)))
         goto err;
 
 #ifndef FIPS_MODULE
@@ -161,6 +167,7 @@ DH *ossl_dh_dup(const DH *dh)
     DH_free(dupkey);
     return NULL;
 }
+
 #ifndef FIPS_MODULE
 DH *ossl_dh_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
                            OSSL_LIB_CTX *libctx, const char *propq)

crypto/dsa/dsa_ameth.c

@@ -507,7 +507,7 @@ static int dsa_pkey_copy(EVP_PKEY *to, EVP_PKEY *from)
     int ret;
 
     if (dsa != NULL) {
-        dupkey = ossl_dsa_dup(dsa);
+        dupkey = ossl_dsa_dup(dsa, OSSL_KEYMGMT_SELECT_ALL);
         if (dupkey == NULL)
             return 0;
     }

crypto/dsa/dsa_backend.c

@@ -64,7 +64,7 @@ static ossl_inline int dsa_bn_dup_check(BIGNUM **out, const BIGNUM *f)
     return 1;
 }
 
-DSA *ossl_dsa_dup(const DSA *dsa)
+DSA *ossl_dsa_dup(const DSA *dsa, int selection)
 {
     DSA *dupkey = NULL;
 
@@ -77,14 +77,20 @@ DSA *ossl_dsa_dup(const DSA *dsa)
     if ((dupkey = ossl_dsa_new(dsa->libctx)) == NULL)
         return NULL;
 
-    if (!ossl_ffc_params_copy(&dupkey->params, &dsa->params))
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0
+        && !ossl_ffc_params_copy(&dupkey->params, &dsa->params))
         goto err;
 
     dupkey->flags = dsa->flags;
 
-    if (!dsa_bn_dup_check(&dupkey->pub_key, dsa->pub_key))
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0
+        && ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0
+            || !dsa_bn_dup_check(&dupkey->pub_key, dsa->pub_key)))
         goto err;
-    if (!dsa_bn_dup_check(&dupkey->priv_key, dsa->priv_key))
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
+        && ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0
+            || !dsa_bn_dup_check(&dupkey->priv_key, dsa->priv_key)))
         goto err;
 
 #ifndef FIPS_MODULE

crypto/ec/ec_backend.c

@@ -17,6 +17,7 @@
 #include <openssl/objects.h>
 #include <openssl/params.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 #include "crypto/bn.h"
 #include "crypto/ec.h"
 #include "ec_local.h"
@@ -519,6 +520,93 @@ int ossl_ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
     return 1;
 }
 
+EC_KEY *ossl_ec_key_dup(const EC_KEY *src, int selection)
+{
+    EC_KEY *ret = ossl_ec_key_new_method_int(src->libctx, src->propq,
+                                             src->engine);
+
+    if (ret == NULL)
+        return NULL;
+
+    if (src == NULL) {
+        ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
+        goto err;
+    }
+
+    /* copy the parameters */
+    if (src->group != NULL
+        && (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+        ret->group = ossl_ec_group_new_ex(src->libctx, src->propq,
+                                          src->group->meth);
+        if (ret->group == NULL
+            || !EC_GROUP_copy(ret->group, src->group))
+            goto err;
+
+        if (src->meth != NULL) {
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
+            if (src->engine != NULL && ENGINE_init(src->engine) == 0)
+                goto err;
+            ret->engine = src->engine;
+#endif
+            ret->meth = src->meth;
+        }
+    }
+
+    /*  copy the public key */
+    if (src->pub_key != NULL
+        && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+        if (ret->group == NULL)
+            /* no parameter-less keys allowed */
+            goto err;
+        ret->pub_key = EC_POINT_new(ret->group);
+        if (ret->pub_key == NULL
+            || !EC_POINT_copy(ret->pub_key, src->pub_key))
+                goto err;
+    }
+
+    /* copy the private key */
+    if (src->priv_key != NULL
+        && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+        if (ret->group == NULL)
+            /* no parameter-less keys allowed */
+            goto err;
+        ret->priv_key = BN_new();
+        if (ret->priv_key == NULL || !BN_copy(ret->priv_key, src->priv_key))
+            goto err;
+        if (ret->group->meth->keycopy
+            && ret->group->meth->keycopy(ret, src) == 0)
+            goto err;
+    }
+
+    /* copy the rest */
+    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) {
+        ret->enc_flag = src->enc_flag;
+        ret->conv_form = src->conv_form;
+    }
+
+    ret->version = src->version;
+    ret->flags = src->flags;
+
+#ifndef FIPS_MODULE
+    if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
+                            &ret->ex_data, &src->ex_data))
+        goto err;
+#endif
+
+    if (ret->meth != NULL && ret->meth->copy != NULL) {
+        if ((selection
+             & OSSL_KEYMGMT_SELECT_KEYPAIR) != OSSL_KEYMGMT_SELECT_KEYPAIR)
+            goto err;
+        if (ret->meth->copy(ret, src) == 0)
+            goto err;
+    }
+
+    return ret;
+ err:
+    EC_KEY_free(ret);
+    return NULL;
+}
+
 int ossl_ec_encoding_param2id(const OSSL_PARAM *p, int *id)
 {
     const char *name = NULL;

crypto/ec/ec_key.c

@@ -184,17 +184,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 
 EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
 {
-    EC_KEY *ret = ossl_ec_key_new_method_int(ec_key->libctx, ec_key->propq,
-                                             ec_key->engine);
-
-    if (ret == NULL)
-        return NULL;
-
-    if (EC_KEY_copy(ret, ec_key) == NULL) {
-        EC_KEY_free(ret);
-        return NULL;
-    }
-    return ret;
+    return ossl_ec_key_dup(ec_key, OSSL_KEYMGMT_SELECT_ALL);
 }
 
 int EC_KEY_up_ref(EC_KEY *r)

crypto/ec/ecx_backend.c

@@ -92,7 +92,7 @@ int ossl_ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[],
     return 1;
 }
 
-ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key)
+ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key, int selection)
 {
     ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret));
 
@@ -119,9 +119,11 @@ ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key)
             goto err;
     }
 
-    memcpy(ret->pubkey, key->pubkey, sizeof(ret->pubkey));
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+        memcpy(ret->pubkey, key->pubkey, sizeof(ret->pubkey));
 
-    if (key->privkey != NULL) {
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
+        && key->privkey != NULL) {
         if (ossl_ecx_key_allocate_privkey(ret) == NULL)
             goto err;
         memcpy(ret->privkey, key->privkey, ret->keylen);

crypto/ec/ecx_meth.c

@@ -410,7 +410,7 @@ static int ecx_pkey_copy(EVP_PKEY *to, EVP_PKEY *from)
     int ret;
 
     if (ecx != NULL) {
-        dupkey = ossl_ecx_key_dup(ecx);
+        dupkey = ossl_ecx_key_dup(ecx, OSSL_KEYMGMT_SELECT_ALL);
         if (dupkey == NULL)
             return 0;
     }

crypto/evp/keymgmt_lib.c

@@ -460,9 +460,10 @@ int evp_keymgmt_util_copy(EVP_PKEY *to, EVP_PKEY *from, int selection)
             return 0;
         }
     } else if (to_keymgmt == from->keymgmt && to_keymgmt->dup != NULL
-               && to_keydata == NULL
-               && selection == OSSL_KEYMGMT_SELECT_ALL) {
-        to_keydata = alloc_keydata = evp_keymgmt_dup(to_keymgmt, from->keydata);
+               && to_keydata == NULL) {
+        to_keydata = alloc_keydata = evp_keymgmt_dup(to_keymgmt,
+                                                     from->keydata,
+                                                     selection);
         if (to_keydata == NULL)
             return 0;
     } else if (match_type(to_keymgmt, from->keymgmt)) {

crypto/evp/keymgmt_meth.c

@@ -477,10 +477,11 @@ int evp_keymgmt_copy(const EVP_KEYMGMT *keymgmt,
     return keymgmt->copy(keydata_to, keydata_from, selection);
 }
 
-void *evp_keymgmt_dup(const EVP_KEYMGMT *keymgmt, const void *keydata_from)
+void *evp_keymgmt_dup(const EVP_KEYMGMT *keymgmt, const void *keydata_from,
+                      int selection)
 {
     /* We assume no dup if the implementation doesn't have a function */
     if (keymgmt->dup == NULL)
         return NULL;
-    return keymgmt->dup(keydata_from);
+    return keymgmt->dup(keydata_from, selection);
 }

crypto/rsa/rsa_ameth.c

@@ -891,7 +891,7 @@ static int rsa_pkey_copy(EVP_PKEY *to, EVP_PKEY *from)
     int ret;
 
     if (rsa != NULL) {
-        dupkey = ossl_rsa_dup(rsa);
+        dupkey = ossl_rsa_dup(rsa, OSSL_KEYMGMT_SELECT_ALL);
         if (dupkey == NULL)
             return 0;
     }

crypto/rsa/rsa_backend.c

@@ -330,7 +330,7 @@ static ossl_inline int rsa_bn_dup_check(BIGNUM **out, const BIGNUM *f)
     return 1;
 }
 
-RSA *ossl_rsa_dup(const RSA *rsa)
+RSA *ossl_rsa_dup(const RSA *rsa, int selection)
 {
     RSA *dupkey = NULL;
 #ifndef FIPS_MODULE
@@ -344,34 +344,42 @@ RSA *ossl_rsa_dup(const RSA *rsa)
     if ((dupkey = ossl_rsa_new_with_ctx(rsa->libctx)) == NULL)
         return NULL;
 
-    /* private and public key */
-    if (!rsa_bn_dup_check(&dupkey->n, rsa->n))
-        goto err;
-    if (!rsa_bn_dup_check(&dupkey->e, rsa->e))
-        goto err;
-    if (!rsa_bn_dup_check(&dupkey->d, rsa->d))
-        goto err;
+    /* public key */
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        if (!rsa_bn_dup_check(&dupkey->n, rsa->n))
+            goto err;
+        if (!rsa_bn_dup_check(&dupkey->e, rsa->e))
+            goto err;
+    }
 
-    /* factors and crt params */
-    if (!rsa_bn_dup_check(&dupkey->p, rsa->p))
-        goto err;
-    if (!rsa_bn_dup_check(&dupkey->q, rsa->q))
-        goto err;
-    if (!rsa_bn_dup_check(&dupkey->dmp1, rsa->dmp1))
-        goto err;
-    if (!rsa_bn_dup_check(&dupkey->dmq1, rsa->dmq1))
-        goto err;
-    if (!rsa_bn_dup_check(&dupkey->iqmp, rsa->iqmp))
-        goto err;
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+
+        /* private key */
+        if (!rsa_bn_dup_check(&dupkey->d, rsa->d))
+            goto err;
+
+        /* factors and crt params */
+        if (!rsa_bn_dup_check(&dupkey->p, rsa->p))
+            goto err;
+        if (!rsa_bn_dup_check(&dupkey->q, rsa->q))
+            goto err;
+        if (!rsa_bn_dup_check(&dupkey->dmp1, rsa->dmp1))
+            goto err;
+        if (!rsa_bn_dup_check(&dupkey->dmq1, rsa->dmq1))
+            goto err;
+        if (!rsa_bn_dup_check(&dupkey->iqmp, rsa->iqmp))
+            goto err;
+    }
 
     dupkey->version = rsa->version;
     dupkey->flags = rsa->flags;
+    /* we always copy the PSS parameters regardless of selection */
     dupkey->pss_params = rsa->pss_params;
 
 #ifndef FIPS_MODULE
     /* multiprime */
-    pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
-    if (pnum > 0) {
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
+        && (pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) > 0) {
         dupkey->prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
         for (i = 0; i < pnum; i++) {
             const RSA_PRIME_INFO *pinfo = NULL;

doc/man7/provider-keymgmt.pod

@@ -56,7 +56,7 @@ provider-keymgmt - The KEYMGMT library E<lt>-E<gt> provider functions
  int OSSL_FUNC_keymgmt_copy(void *keydata_to, const void *keydata_from, int selection);
 
  /* Key object duplication, a constructor */
- void *OSSL_FUNC_keymgmt_dup(const void *keydata_from);
+ void *OSSL_FUNC_keymgmt_dup(const void *keydata_from, int selection);
 
  /* Key object validation */
  int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype);
@@ -346,8 +346,9 @@ from I<keydata_from> to I<keydata_to>.  It is assumed that the caller
 has ensured that I<keydata_to> and I<keydata_from> are both owned by
 the implementation of this function.
 
-OSSL_FUNC_keymgmt_dup() should duplicate the key data I<keydata_from> and
-create a new provider side key object with the data.
+OSSL_FUNC_keymgmt_dup() should duplicate data subsets indicated by
+I<selection> or the whole key data I<keydata_from> and create a new
+provider side key object with the data.
 
 =head2 Common Information Parameters
 

include/crypto/dh.h

@@ -56,6 +56,6 @@ int ossl_dh_kdf_X9_42_asn1(unsigned char *out, size_t outlen,
                            const unsigned char *ukm, size_t ukmlen,
                            const EVP_MD *md,
                            OSSL_LIB_CTX *libctx, const char *propq);
-DH *ossl_dh_dup(const DH *dh);
+DH *ossl_dh_dup(const DH *dh, int selection);
 
 #endif  /* OSSL_CRYPTO_DH_H */

include/crypto/dsa.h

@@ -43,6 +43,6 @@ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key,
                                    int *ret);
 int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret);
 int ossl_dsa_check_pairwise(const DSA *dsa);
-DSA *ossl_dsa_dup(const DSA *dsa);
+DSA *ossl_dsa_dup(const DSA *dsa, int selection);
 
 #endif

include/crypto/ec.h

@@ -79,6 +79,7 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]);
 int ossl_ec_key_fromdata(EC_KEY *ecx, const OSSL_PARAM params[],
                          int include_private);
 int ossl_ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]);
+EC_KEY *ossl_ec_key_dup(const EC_KEY *key, int selection);
 EC_KEY *ossl_ec_key_param_from_x509_algor(const X509_ALGOR *palg,
                                           OSSL_LIB_CTX *libctx,
                                           const char *propq);

include/crypto/ecx.h

@@ -83,7 +83,7 @@ void ossl_ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx);
 unsigned char *ossl_ecx_key_allocate_privkey(ECX_KEY *key);
 void ossl_ecx_key_free(ECX_KEY *key);
 int ossl_ecx_key_up_ref(ECX_KEY *key);
-ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key);
+ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key, int selection);
 
 int ossl_x25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
                 const uint8_t peer_public_value[32]);

include/crypto/evp.h

@@ -814,7 +814,7 @@ int evp_keymgmt_copy(const EVP_KEYMGMT *keymgmt,
                      void *keydata_to, const void *keydata_from,
                      int selection);
 void *evp_keymgmt_dup(const EVP_KEYMGMT *keymgmt,
-                      const void *keydata_from);
+                      const void *keydata_from, int selection);
 
 /* Pulling defines out of C source files */
 

include/crypto/rsa.h

@@ -63,7 +63,7 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
 int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
                              STACK_OF(BIGNUM_const) *exps,
                              STACK_OF(BIGNUM_const) *coeffs);
-RSA *ossl_rsa_dup(const RSA *rsa);
+RSA *ossl_rsa_dup(const RSA *rsa, int selection);
 
 int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]);
 int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[]);

include/openssl/core_dispatch.h

@@ -603,7 +603,7 @@ OSSL_CORE_MAKE_FUNC(int, keymgmt_copy,
 /* Dup function, constructor */
 # define OSSL_FUNC_KEYMGMT_DUP                        45
 OSSL_CORE_MAKE_FUNC(void *, keymgmt_dup,
-                    (const void *keydata_from))
+                    (const void *keydata_from, int selection))
 
 /* Key Exchange */
 

providers/implementations/keymgmt/dh_kmgmt.c

@@ -722,10 +722,10 @@ static void *dh_load(const void *reference, size_t reference_sz)
     return NULL;
 }
 
-static void *dh_dup(const void *keydata_from)
+static void *dh_dup(const void *keydata_from, int selection)
 {
     if (ossl_prov_is_running())
-        return ossl_dh_dup(keydata_from);
+        return ossl_dh_dup(keydata_from, selection);
     return NULL;
 }
 

providers/implementations/keymgmt/dsa_kmgmt.c

@@ -612,10 +612,10 @@ static void *dsa_load(const void *reference, size_t reference_sz)
     return NULL;
 }
 
-static void *dsa_dup(const void *keydata_from)
+static void *dsa_dup(const void *keydata_from, int selection)
 {
     if (ossl_prov_is_running())
-        return ossl_dsa_dup(keydata_from);
+        return ossl_dsa_dup(keydata_from, selection);
     return NULL;
 }
 

providers/implementations/keymgmt/ec_kmgmt.c

@@ -1362,10 +1362,10 @@ static void *sm2_load(const void *reference, size_t reference_sz)
 # endif
 #endif
 
-static void *ec_dup(const void *keydata_from)
+static void *ec_dup(const void *keydata_from, int selection)
 {
     if (ossl_prov_is_running())
-        return EC_KEY_dup(keydata_from);
+        return ossl_ec_key_dup(keydata_from, selection);
     return NULL;
 }
 

providers/implementations/keymgmt/ecx_kmgmt.c

@@ -692,10 +692,10 @@ void *ecx_load(const void *reference, size_t reference_sz)
     return NULL;
 }
 
-static void *ecx_dup(const void *keydata_from)
+static void *ecx_dup(const void *keydata_from, int selection)
 {
     if (ossl_prov_is_running())
-        return ossl_ecx_key_dup(keydata_from);
+        return ossl_ecx_key_dup(keydata_from, selection);
     return NULL;
 }
 

providers/implementations/keymgmt/rsa_kmgmt.c

@@ -646,10 +646,10 @@ static void *rsapss_load(const void *reference, size_t reference_sz)
     return common_load(reference, reference_sz, RSA_FLAG_TYPE_RSASSAPSS);
 }
 
-static void *rsa_dup(const void *keydata_from)
+static void *rsa_dup(const void *keydata_from, int selection)
 {
     if (ossl_prov_is_running())
-        return ossl_rsa_dup(keydata_from);
+        return ossl_rsa_dup(keydata_from, selection);
     return NULL;
 }