pem_info.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361
  1. /*
  2. * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * DSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdio.h>
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/objects.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/x509.h>
  20. #include <openssl/pem.h>
  21. #include <openssl/rsa.h>
  22. #include <openssl/dsa.h>
  23. #ifndef OPENSSL_NO_STDIO
  24. STACK_OF(X509_INFO)
  25. *PEM_X509_INFO_read_ex(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
  26. void *u, OSSL_LIB_CTX *libctx, const char *propq)
  27. {
  28. BIO *b;
  29. STACK_OF(X509_INFO) *ret;
  30. if ((b = BIO_new(BIO_s_file())) == NULL) {
  31. ERR_raise(ERR_LIB_PEM, ERR_R_BUF_LIB);
  32. return 0;
  33. }
  34. BIO_set_fp(b, fp, BIO_NOCLOSE);
  35. ret = PEM_X509_INFO_read_bio_ex(b, sk, cb, u, libctx, propq);
  36. BIO_free(b);
  37. return ret;
  38. }
  39. STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
  40. pem_password_cb *cb, void *u)
  41. {
  42. return PEM_X509_INFO_read_ex(fp, sk, cb, u, NULL, NULL);
  43. }
  44. #endif
  45. STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk,
  46. pem_password_cb *cb, void *u,
  47. OSSL_LIB_CTX *libctx,
  48. const char *propq)
  49. {
  50. X509_INFO *xi = NULL;
  51. char *name = NULL, *header = NULL;
  52. void *pp;
  53. unsigned char *data = NULL;
  54. const unsigned char *p;
  55. long len, error = 0;
  56. int ok = 0;
  57. STACK_OF(X509_INFO) *ret = NULL;
  58. unsigned int i, raw, ptype;
  59. d2i_of_void *d2i = 0;
  60. if (sk == NULL) {
  61. if ((ret = sk_X509_INFO_new_null()) == NULL) {
  62. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  63. goto err;
  64. }
  65. } else
  66. ret = sk;
  67. if ((xi = X509_INFO_new()) == NULL)
  68. goto err;
  69. for (;;) {
  70. raw = 0;
  71. ptype = 0;
  72. ERR_set_mark();
  73. i = PEM_read_bio(bp, &name, &header, &data, &len);
  74. if (i == 0) {
  75. error = ERR_GET_REASON(ERR_peek_last_error());
  76. if (error == PEM_R_NO_START_LINE) {
  77. ERR_pop_to_mark();
  78. break;
  79. }
  80. ERR_clear_last_mark();
  81. goto err;
  82. }
  83. ERR_clear_last_mark();
  84. start:
  85. if ((strcmp(name, PEM_STRING_X509) == 0) ||
  86. (strcmp(name, PEM_STRING_X509_OLD) == 0)) {
  87. d2i = (D2I_OF(void)) d2i_X509;
  88. if (xi->x509 != NULL) {
  89. if (!sk_X509_INFO_push(ret, xi))
  90. goto err;
  91. if ((xi = X509_INFO_new()) == NULL)
  92. goto err;
  93. goto start;
  94. }
  95. xi->x509 = X509_new_ex(libctx, propq);
  96. if (xi->x509 == NULL)
  97. goto err;
  98. pp = &(xi->x509);
  99. } else if ((strcmp(name, PEM_STRING_X509_TRUSTED) == 0)) {
  100. d2i = (D2I_OF(void)) d2i_X509_AUX;
  101. if (xi->x509 != NULL) {
  102. if (!sk_X509_INFO_push(ret, xi))
  103. goto err;
  104. if ((xi = X509_INFO_new()) == NULL)
  105. goto err;
  106. goto start;
  107. }
  108. xi->x509 = X509_new_ex(libctx, propq);
  109. if (xi->x509 == NULL)
  110. goto err;
  111. pp = &(xi->x509);
  112. } else if (strcmp(name, PEM_STRING_X509_CRL) == 0) {
  113. d2i = (D2I_OF(void)) d2i_X509_CRL;
  114. if (xi->crl != NULL) {
  115. if (!sk_X509_INFO_push(ret, xi))
  116. goto err;
  117. if ((xi = X509_INFO_new()) == NULL)
  118. goto err;
  119. goto start;
  120. }
  121. pp = &(xi->crl);
  122. } else if (strcmp(name, PEM_STRING_RSA) == 0) {
  123. d2i = (D2I_OF(void)) d2i_RSAPrivateKey;
  124. if (xi->x_pkey != NULL) {
  125. if (!sk_X509_INFO_push(ret, xi))
  126. goto err;
  127. if ((xi = X509_INFO_new()) == NULL)
  128. goto err;
  129. goto start;
  130. }
  131. xi->enc_data = NULL;
  132. xi->enc_len = 0;
  133. xi->x_pkey = X509_PKEY_new();
  134. if (xi->x_pkey == NULL)
  135. goto err;
  136. ptype = EVP_PKEY_RSA;
  137. pp = &xi->x_pkey->dec_pkey;
  138. if ((int)strlen(header) > 10) /* assume encrypted */
  139. raw = 1;
  140. } else
  141. #ifndef OPENSSL_NO_DSA
  142. if (strcmp(name, PEM_STRING_DSA) == 0) {
  143. d2i = (D2I_OF(void)) d2i_DSAPrivateKey;
  144. if (xi->x_pkey != NULL) {
  145. if (!sk_X509_INFO_push(ret, xi))
  146. goto err;
  147. if ((xi = X509_INFO_new()) == NULL)
  148. goto err;
  149. goto start;
  150. }
  151. xi->enc_data = NULL;
  152. xi->enc_len = 0;
  153. xi->x_pkey = X509_PKEY_new();
  154. if (xi->x_pkey == NULL)
  155. goto err;
  156. ptype = EVP_PKEY_DSA;
  157. pp = &xi->x_pkey->dec_pkey;
  158. if ((int)strlen(header) > 10) /* assume encrypted */
  159. raw = 1;
  160. } else
  161. #endif
  162. #ifndef OPENSSL_NO_EC
  163. if (strcmp(name, PEM_STRING_ECPRIVATEKEY) == 0) {
  164. d2i = (D2I_OF(void)) d2i_ECPrivateKey;
  165. if (xi->x_pkey != NULL) {
  166. if (!sk_X509_INFO_push(ret, xi))
  167. goto err;
  168. if ((xi = X509_INFO_new()) == NULL)
  169. goto err;
  170. goto start;
  171. }
  172. xi->enc_data = NULL;
  173. xi->enc_len = 0;
  174. xi->x_pkey = X509_PKEY_new();
  175. if (xi->x_pkey == NULL)
  176. goto err;
  177. ptype = EVP_PKEY_EC;
  178. pp = &xi->x_pkey->dec_pkey;
  179. if ((int)strlen(header) > 10) /* assume encrypted */
  180. raw = 1;
  181. } else
  182. #endif
  183. {
  184. d2i = NULL;
  185. pp = NULL;
  186. }
  187. if (d2i != NULL) {
  188. if (!raw) {
  189. EVP_CIPHER_INFO cipher;
  190. if (!PEM_get_EVP_CIPHER_INFO(header, &cipher))
  191. goto err;
  192. if (!PEM_do_header(&cipher, data, &len, cb, u))
  193. goto err;
  194. p = data;
  195. if (ptype) {
  196. if (!d2i_PrivateKey(ptype, pp, &p, len)) {
  197. ERR_raise(ERR_LIB_PEM, ERR_R_ASN1_LIB);
  198. goto err;
  199. }
  200. } else if (d2i(pp, &p, len) == NULL) {
  201. ERR_raise(ERR_LIB_PEM, ERR_R_ASN1_LIB);
  202. goto err;
  203. }
  204. } else { /* encrypted RSA data */
  205. if (!PEM_get_EVP_CIPHER_INFO(header, &xi->enc_cipher))
  206. goto err;
  207. xi->enc_data = (char *)data;
  208. xi->enc_len = (int)len;
  209. data = NULL;
  210. }
  211. } else {
  212. /* unknown */
  213. }
  214. OPENSSL_free(name);
  215. name = NULL;
  216. OPENSSL_free(header);
  217. header = NULL;
  218. OPENSSL_free(data);
  219. data = NULL;
  220. }
  221. /*
  222. * if the last one hasn't been pushed yet and there is anything in it
  223. * then add it to the stack ...
  224. */
  225. if ((xi->x509 != NULL) || (xi->crl != NULL) ||
  226. (xi->x_pkey != NULL) || (xi->enc_data != NULL)) {
  227. if (!sk_X509_INFO_push(ret, xi))
  228. goto err;
  229. xi = NULL;
  230. }
  231. ok = 1;
  232. err:
  233. X509_INFO_free(xi);
  234. if (!ok) {
  235. for (i = 0; ((int)i) < sk_X509_INFO_num(ret); i++) {
  236. xi = sk_X509_INFO_value(ret, i);
  237. X509_INFO_free(xi);
  238. }
  239. if (ret != sk)
  240. sk_X509_INFO_free(ret);
  241. ret = NULL;
  242. }
  243. OPENSSL_free(name);
  244. OPENSSL_free(header);
  245. OPENSSL_free(data);
  246. return ret;
  247. }
  248. STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
  249. pem_password_cb *cb, void *u)
  250. {
  251. return PEM_X509_INFO_read_bio_ex(bp, sk, cb, u, NULL, NULL);
  252. }
  253. /* A TJH addition */
  254. int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc,
  255. const unsigned char *kstr, int klen,
  256. pem_password_cb *cb, void *u)
  257. {
  258. int i, ret = 0;
  259. unsigned char *data = NULL;
  260. const char *objstr = NULL;
  261. char buf[PEM_BUFSIZE];
  262. const unsigned char *iv = NULL;
  263. if (enc != NULL) {
  264. objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
  265. if (objstr == NULL
  266. /*
  267. * Check "Proc-Type: 4,Encrypted\nDEK-Info: objstr,hex-iv\n"
  268. * fits into buf
  269. */
  270. || (strlen(objstr) + 23 + 2 * EVP_CIPHER_iv_length(enc) + 13)
  271. > sizeof(buf)) {
  272. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
  273. goto err;
  274. }
  275. }
  276. /*
  277. * now for the fun part ... if we have a private key then we have to be
  278. * able to handle a not-yet-decrypted key being written out correctly ...
  279. * if it is decrypted or it is non-encrypted then we use the base code
  280. */
  281. if (xi->x_pkey != NULL) {
  282. if ((xi->enc_data != NULL) && (xi->enc_len > 0)) {
  283. if (enc == NULL) {
  284. ERR_raise(ERR_LIB_PEM, PEM_R_CIPHER_IS_NULL);
  285. goto err;
  286. }
  287. /* copy from weirdo names into more normal things */
  288. iv = xi->enc_cipher.iv;
  289. data = (unsigned char *)xi->enc_data;
  290. i = xi->enc_len;
  291. /*
  292. * we take the encryption data from the internal stuff rather
  293. * than what the user has passed us ... as we have to match
  294. * exactly for some strange reason
  295. */
  296. objstr = OBJ_nid2sn(EVP_CIPHER_nid(xi->enc_cipher.cipher));
  297. if (objstr == NULL) {
  298. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
  299. goto err;
  300. }
  301. /* Create the right magic header stuff */
  302. buf[0] = '\0';
  303. PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
  304. PEM_dek_info(buf, objstr, EVP_CIPHER_iv_length(enc),
  305. (const char *)iv);
  306. /* use the normal code to write things out */
  307. i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
  308. if (i <= 0)
  309. goto err;
  310. } else {
  311. /* Add DSA/DH */
  312. /* normal optionally encrypted stuff */
  313. if (PEM_write_bio_RSAPrivateKey(bp,
  314. EVP_PKEY_get0_RSA(xi->x_pkey->dec_pkey),
  315. enc, kstr, klen, cb, u) <= 0)
  316. goto err;
  317. }
  318. }
  319. /* if we have a certificate then write it out now */
  320. if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
  321. goto err;
  322. /*
  323. * we are ignoring anything else that is loaded into the X509_INFO
  324. * structure for the moment ... as I don't need it so I'm not coding it
  325. * here and Eric can do it when this makes it into the base library --tjh
  326. */
  327. ret = 1;
  328. err:
  329. OPENSSL_cleanse(buf, PEM_BUFSIZE);
  330. return ret;
  331. }