store_result.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625
  1. /*
  2. * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "e_os.h"
  10. #include <string.h>
  11. #include <openssl/core.h>
  12. #include <openssl/core_names.h>
  13. #include <openssl/core_object.h>
  14. #include <openssl/err.h>
  15. #include <openssl/pkcs12.h>
  16. #include <openssl/provider.h>
  17. #include <openssl/decoder.h>
  18. #include <openssl/store.h>
  19. #include "internal/provider.h"
  20. #include "internal/passphrase.h"
  21. #include "crypto/evp.h"
  22. #include "crypto/x509.h"
  23. #include "store_local.h"
  24. #ifndef OSSL_OBJECT_PKCS12
  25. /*
  26. * The object abstraction doesn't know PKCS#12, but we want to indicate
  27. * it anyway, so we create our own. Since the public macros use positive
  28. * numbers, negative ones should be fine. They must never slip out from
  29. * this translation unit anyway.
  30. */
  31. # define OSSL_OBJECT_PKCS12 -1
  32. #endif
  33. /*
  34. * ossl_store_handle_load_result() is initially written to be a companion
  35. * to our 'file:' scheme provider implementation, but has been made generic
  36. * to serve others as well.
  37. *
  38. * This result handler takes any object abstraction (see provider-object(7))
  39. * and does the best it can with it. If the object is passed by value (not
  40. * by reference), the contents are currently expected to be DER encoded.
  41. * If an object type is specified, that will be respected; otherwise, this
  42. * handler will guess the contents, by trying the following in order:
  43. *
  44. * 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
  45. * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
  46. * 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
  47. * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
  48. *
  49. * For the 'file:' scheme implementation, this is division of labor. Since
  50. * the libcrypto <-> provider interface currently doesn't support certain
  51. * structures as first class objects, they must be unpacked from DER here
  52. * rather than in the provider. The current exception is asymmetric keys,
  53. * which can reside within the provider boundary, most of all thanks to
  54. * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
  55. * reference.
  56. */
  57. struct extracted_param_data_st {
  58. int object_type;
  59. const char *data_type;
  60. const char *utf8_data;
  61. const void *octet_data;
  62. size_t octet_data_size;
  63. const void *ref;
  64. size_t ref_size;
  65. const char *desc;
  66. };
  67. static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
  68. static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
  69. OSSL_STORE_CTX *, const OSSL_PROVIDER *,
  70. OSSL_LIB_CTX *, const char *);
  71. static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
  72. OSSL_LIB_CTX *, const char *);
  73. static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
  74. OSSL_LIB_CTX *, const char *);
  75. static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
  76. OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *);
  77. #define SET_ERR_MARK() ERR_set_mark()
  78. #define CLEAR_ERR_MARK() \
  79. do { \
  80. int err = ERR_peek_last_error(); \
  81. \
  82. if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \
  83. && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE \
  84. || ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \
  85. || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)) \
  86. ERR_pop_to_mark(); \
  87. else \
  88. ERR_clear_last_mark(); \
  89. } while(0)
  90. #define RESET_ERR_MARK() \
  91. do { \
  92. CLEAR_ERR_MARK(); \
  93. SET_ERR_MARK(); \
  94. } while(0)
  95. int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
  96. {
  97. struct ossl_load_result_data_st *cbdata = arg;
  98. OSSL_STORE_INFO **v = &cbdata->v;
  99. OSSL_STORE_CTX *ctx = cbdata->ctx;
  100. const OSSL_PROVIDER *provider =
  101. OSSL_STORE_LOADER_provider(ctx->fetched_loader);
  102. OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
  103. const char *propq = ctx->properties;
  104. const OSSL_PARAM *p;
  105. struct extracted_param_data_st helper_data;
  106. memset(&helper_data, 0, sizeof(helper_data));
  107. helper_data.object_type = OSSL_OBJECT_UNKNOWN;
  108. if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
  109. && !OSSL_PARAM_get_int(p, &helper_data.object_type))
  110. return 0;
  111. p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
  112. if (p != NULL
  113. && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
  114. return 0;
  115. p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
  116. if (p != NULL
  117. && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
  118. &helper_data.octet_data_size)
  119. && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
  120. return 0;
  121. p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
  122. if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
  123. &helper_data.ref_size))
  124. return 0;
  125. p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
  126. if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
  127. return 0;
  128. /*
  129. * The helper functions return 0 on actual errors, otherwise 1, even if
  130. * they didn't fill out |*v|.
  131. */
  132. SET_ERR_MARK();
  133. if (!try_name(&helper_data, v))
  134. goto err;
  135. RESET_ERR_MARK();
  136. if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
  137. goto err;
  138. RESET_ERR_MARK();
  139. if (!try_cert(&helper_data, v, libctx, propq))
  140. goto err;
  141. RESET_ERR_MARK();
  142. if (!try_crl(&helper_data, v, libctx, propq))
  143. goto err;
  144. RESET_ERR_MARK();
  145. if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
  146. goto err;
  147. CLEAR_ERR_MARK();
  148. return (*v != NULL);
  149. err:
  150. return 0;
  151. }
  152. static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
  153. {
  154. if (data->object_type == OSSL_OBJECT_NAME) {
  155. char *newname = NULL, *newdesc = NULL;
  156. if (data->utf8_data == NULL)
  157. return 0;
  158. if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
  159. || (data->desc != NULL
  160. && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
  161. || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
  162. OPENSSL_free(newname);
  163. OPENSSL_free(newdesc);
  164. return 0;
  165. }
  166. OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
  167. }
  168. return 1;
  169. }
  170. /*
  171. * For the rest of the object types, the provider code may not know what
  172. * type of data it gave us, so we may need to figure that out on our own.
  173. * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
  174. * only return 0 on error if the object type is known.
  175. */
  176. static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
  177. OSSL_STORE_CTX *ctx,
  178. const OSSL_PROVIDER *provider,
  179. OSSL_LIB_CTX *libctx, const char *propq)
  180. {
  181. EVP_PKEY *pk = NULL;
  182. EVP_KEYMGMT *keymgmt = NULL;
  183. void *keydata = NULL;
  184. /* If we have an object reference, we must have a data type */
  185. if (data->data_type == NULL)
  186. return 0;
  187. keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
  188. if (keymgmt != NULL) {
  189. /*
  190. * There are two possible cases
  191. *
  192. * 1. The keymgmt is from the same provider as the loader,
  193. * so we can use evp_keymgmt_load()
  194. * 2. The keymgmt is from another provider, then we must
  195. * do the export/import dance.
  196. */
  197. if (EVP_KEYMGMT_provider(keymgmt) == provider) {
  198. keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
  199. } else {
  200. struct evp_keymgmt_util_try_import_data_st import_data;
  201. OSSL_FUNC_store_export_object_fn *export_object =
  202. ctx->fetched_loader->p_export_object;
  203. import_data.keymgmt = keymgmt;
  204. import_data.keydata = NULL;
  205. import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
  206. if (export_object != NULL) {
  207. /*
  208. * No need to check for errors here, the value of
  209. * |import_data.keydata| is as much an indicator.
  210. */
  211. (void)export_object(ctx->loader_ctx,
  212. data->ref, data->ref_size,
  213. &evp_keymgmt_util_try_import,
  214. &import_data);
  215. }
  216. keydata = import_data.keydata;
  217. }
  218. }
  219. if (keydata != NULL)
  220. pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
  221. EVP_KEYMGMT_free(keymgmt);
  222. return pk;
  223. }
  224. static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
  225. OSSL_STORE_CTX *ctx,
  226. OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
  227. OSSL_LIB_CTX *libctx, const char *propq)
  228. {
  229. EVP_PKEY *pk = NULL;
  230. OSSL_DECODER_CTX *decoderctx = NULL;
  231. const unsigned char *pdata = data->octet_data;
  232. size_t pdatalen = data->octet_data_size;
  233. int selection = 0;
  234. switch (ctx->expected_type) {
  235. case 0:
  236. break;
  237. case OSSL_STORE_INFO_PARAMS:
  238. selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
  239. break;
  240. case OSSL_STORE_INFO_PUBKEY:
  241. selection =
  242. OSSL_KEYMGMT_SELECT_PUBLIC_KEY
  243. | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
  244. break;
  245. case OSSL_STORE_INFO_PKEY:
  246. selection = OSSL_KEYMGMT_SELECT_ALL;
  247. break;
  248. default:
  249. return NULL;
  250. }
  251. decoderctx =
  252. OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", NULL, data->data_type,
  253. selection, libctx, propq);
  254. (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
  255. /* No error if this couldn't be decoded */
  256. (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);
  257. OSSL_DECODER_CTX_free(decoderctx);
  258. return pk;
  259. }
  260. typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
  261. static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
  262. store_info_new_fn **store_info_new,
  263. OSSL_STORE_CTX *ctx,
  264. OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
  265. OSSL_LIB_CTX *libctx, const char *propq)
  266. {
  267. EVP_PKEY *pk = NULL;
  268. const unsigned char *der = data->octet_data, *derp;
  269. long der_len = (long)data->octet_data_size;
  270. SET_ERR_MARK();
  271. /* Try PUBKEY first, that's a real easy target */
  272. if (ctx->expected_type == 0
  273. || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) {
  274. derp = der;
  275. pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
  276. if (pk != NULL)
  277. *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
  278. RESET_ERR_MARK();
  279. }
  280. /* Try private keys next */
  281. if (pk == NULL
  282. && (ctx->expected_type == 0
  283. || ctx->expected_type == OSSL_STORE_INFO_PKEY)) {
  284. unsigned char *new_der = NULL;
  285. X509_SIG *p8 = NULL;
  286. PKCS8_PRIV_KEY_INFO *p8info = NULL;
  287. /* See if it's an encrypted PKCS#8 and decrypt it */
  288. derp = der;
  289. if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
  290. char pbuf[PEM_BUFSIZE];
  291. size_t plen = 0;
  292. if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
  293. ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ);
  294. } else {
  295. const X509_ALGOR *alg = NULL;
  296. const ASN1_OCTET_STRING *oct = NULL;
  297. int len = 0;
  298. X509_SIG_get0(p8, &alg, &oct);
  299. /*
  300. * No need to check the returned value, |new_der|
  301. * will be NULL on error anyway.
  302. */
  303. PKCS12_pbe_crypt(alg, pbuf, plen,
  304. oct->data, oct->length,
  305. &new_der, &len, 0);
  306. der_len = len;
  307. der = new_der;
  308. }
  309. X509_SIG_free(p8);
  310. }
  311. RESET_ERR_MARK();
  312. /*
  313. * If the encrypted PKCS#8 couldn't be decrypted,
  314. * |der| is NULL
  315. */
  316. if (der != NULL) {
  317. /* Try to unpack an unencrypted PKCS#8, that's easy */
  318. derp = der;
  319. p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
  320. RESET_ERR_MARK();
  321. if (p8info != NULL) {
  322. pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
  323. PKCS8_PRIV_KEY_INFO_free(p8info);
  324. }
  325. }
  326. if (pk != NULL)
  327. *store_info_new = OSSL_STORE_INFO_new_PKEY;
  328. OPENSSL_free(new_der);
  329. der = data->octet_data;
  330. der_len = (long)data->octet_data_size;
  331. }
  332. CLEAR_ERR_MARK();
  333. return pk;
  334. }
  335. static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
  336. OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
  337. OSSL_LIB_CTX *libctx, const char *propq)
  338. {
  339. store_info_new_fn *store_info_new = NULL;
  340. if (data->object_type == OSSL_OBJECT_UNKNOWN
  341. || data->object_type == OSSL_OBJECT_PKEY) {
  342. EVP_PKEY *pk = NULL;
  343. /* Prefer key by reference than key by value */
  344. if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
  345. pk = try_key_ref(data, ctx, provider, libctx, propq);
  346. /*
  347. * If for some reason we couldn't get a key, it's an error.
  348. * It indicates that while decoders could make a key reference,
  349. * the keymgmt somehow couldn't handle it, or doesn't have a
  350. * OSSL_FUNC_keymgmt_load function.
  351. */
  352. if (pk == NULL)
  353. return 0;
  354. } else if (data->octet_data != NULL) {
  355. OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
  356. void *cbarg = &ctx->pwdata;
  357. pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
  358. /*
  359. * Desperate last maneuver, in case the decoders don't support
  360. * the data we have, then we try on our own to at least get a
  361. * legacy key.
  362. * This is the same as der2key_decode() does, but in a limited
  363. * way and within the walls of libcrypto.
  364. *
  365. * TODO Remove this when #legacy keys are gone
  366. */
  367. if (pk == NULL)
  368. pk = try_key_value_legacy(data, &store_info_new, ctx,
  369. cb, cbarg, libctx, propq);
  370. }
  371. if (pk != NULL) {
  372. data->object_type = OSSL_OBJECT_PKEY;
  373. if (store_info_new == NULL) {
  374. /*
  375. * We determined the object type for OSSL_STORE_INFO, which
  376. * makes an explicit difference between an EVP_PKEY with just
  377. * (domain) parameters and an EVP_PKEY with actual key
  378. * material.
  379. * The logic is that an EVP_PKEY with actual key material
  380. * always has the public half.
  381. */
  382. if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
  383. store_info_new = OSSL_STORE_INFO_new_PKEY;
  384. else if (evp_keymgmt_util_has(pk,
  385. OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
  386. store_info_new = OSSL_STORE_INFO_new_PUBKEY;
  387. else
  388. store_info_new = OSSL_STORE_INFO_new_PARAMS;
  389. }
  390. *v = store_info_new(pk);
  391. }
  392. if (*v == NULL)
  393. EVP_PKEY_free(pk);
  394. }
  395. return 1;
  396. }
  397. static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
  398. OSSL_LIB_CTX *libctx, const char *propq)
  399. {
  400. if (data->object_type == OSSL_OBJECT_UNKNOWN
  401. || data->object_type == OSSL_OBJECT_CERT) {
  402. X509 *cert;
  403. /*
  404. * In most cases, we can try to interpret the serialized
  405. * data as a trusted cert (X509 + X509_AUX) and fall back
  406. * to reading it as a normal cert (just X509), but if
  407. * |data_type| (the PEM name) specifically declares it as a
  408. * trusted cert, then no fallback should be engaged.
  409. * |ignore_trusted| tells if the fallback can be used (1)
  410. * or not (0).
  411. */
  412. int ignore_trusted = 1;
  413. /* If we have a data type, it should be a PEM name */
  414. if (data->data_type != NULL
  415. && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
  416. ignore_trusted = 0;
  417. cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
  418. data->octet_data_size);
  419. if (cert == NULL && ignore_trusted)
  420. cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
  421. data->octet_data_size);
  422. if (cert != NULL)
  423. /* We determined the object type */
  424. data->object_type = OSSL_OBJECT_CERT;
  425. if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
  426. X509_free(cert);
  427. cert = NULL;
  428. }
  429. if (cert != NULL)
  430. *v = OSSL_STORE_INFO_new_CERT(cert);
  431. if (*v == NULL)
  432. X509_free(cert);
  433. }
  434. return 1;
  435. }
  436. static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
  437. OSSL_LIB_CTX *libctx, const char *propq)
  438. {
  439. if (data->object_type == OSSL_OBJECT_UNKNOWN
  440. || data->object_type == OSSL_OBJECT_CRL) {
  441. X509_CRL *crl;
  442. crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
  443. data->octet_data_size);
  444. if (crl != NULL)
  445. /* We determined the object type */
  446. data->object_type = OSSL_OBJECT_CRL;
  447. if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
  448. X509_CRL_free(crl);
  449. crl = NULL;
  450. }
  451. if (crl != NULL)
  452. *v = OSSL_STORE_INFO_new_CRL(crl);
  453. if (*v == NULL)
  454. X509_CRL_free(crl);
  455. }
  456. return 1;
  457. }
  458. static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
  459. OSSL_STORE_CTX *ctx,
  460. OSSL_LIB_CTX *libctx, const char *propq)
  461. {
  462. /* There is no specific object type for PKCS12 */
  463. if (data->object_type == OSSL_OBJECT_UNKNOWN) {
  464. /* Initial parsing */
  465. PKCS12 *p12;
  466. if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
  467. data->octet_data_size)) != NULL) {
  468. char *pass = NULL;
  469. char tpass[PEM_BUFSIZE];
  470. size_t tpass_len;
  471. EVP_PKEY *pkey = NULL;
  472. X509 *cert = NULL;
  473. STACK_OF(X509) *chain = NULL;
  474. data->object_type = OSSL_OBJECT_PKCS12;
  475. if (PKCS12_verify_mac(p12, "", 0)
  476. || PKCS12_verify_mac(p12, NULL, 0)) {
  477. pass = "";
  478. } else {
  479. static char prompt_info[] = "PKCS12 import pass phrase";
  480. OSSL_PARAM pw_params[] = {
  481. OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
  482. prompt_info,
  483. sizeof(prompt_info) - 1),
  484. OSSL_PARAM_END
  485. };
  486. if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
  487. pw_params, 0, &ctx->pwdata)) {
  488. ERR_raise(ERR_LIB_OSSL_STORE,
  489. OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
  490. goto p12_end;
  491. }
  492. pass = tpass;
  493. if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
  494. ERR_raise(ERR_LIB_OSSL_STORE,
  495. OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
  496. goto p12_end;
  497. }
  498. }
  499. if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
  500. STACK_OF(OSSL_STORE_INFO) *infos = NULL;
  501. OSSL_STORE_INFO *osi_pkey = NULL;
  502. OSSL_STORE_INFO *osi_cert = NULL;
  503. OSSL_STORE_INFO *osi_ca = NULL;
  504. int ok = 1;
  505. if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
  506. if (pkey != NULL) {
  507. if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
  508. /* clearing pkey here avoids case distinctions */
  509. && (pkey = NULL) == NULL
  510. && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
  511. osi_pkey = NULL;
  512. else
  513. ok = 0;
  514. }
  515. if (ok && cert != NULL) {
  516. if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
  517. /* clearing cert here avoids case distinctions */
  518. && (cert = NULL) == NULL
  519. && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
  520. osi_cert = NULL;
  521. else
  522. ok = 0;
  523. }
  524. while (ok && sk_X509_num(chain) > 0) {
  525. X509 *ca = sk_X509_value(chain, 0);
  526. if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
  527. && sk_X509_shift(chain) != NULL
  528. && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
  529. osi_ca = NULL;
  530. else
  531. ok = 0;
  532. }
  533. }
  534. EVP_PKEY_free(pkey);
  535. X509_free(cert);
  536. sk_X509_pop_free(chain, X509_free);
  537. OSSL_STORE_INFO_free(osi_pkey);
  538. OSSL_STORE_INFO_free(osi_cert);
  539. OSSL_STORE_INFO_free(osi_ca);
  540. if (!ok) {
  541. sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
  542. infos = NULL;
  543. }
  544. ctx->cached_info = infos;
  545. }
  546. }
  547. p12_end:
  548. PKCS12_free(p12);
  549. *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
  550. }
  551. return 1;
  552. }