pvkfmt.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964
  1. /*
  2. * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * Support for PVK format keys and related structures (such a PUBLICKEYBLOB
  11. * and PRIVATEKEYBLOB).
  12. */
  13. /*
  14. * RSA and DSA low level APIs are deprecated for public use, but still ok for
  15. * internal use.
  16. */
  17. #include "internal/deprecated.h"
  18. #include <openssl/pem.h>
  19. #include <openssl/rand.h>
  20. #include <openssl/bn.h>
  21. #include <openssl/dsa.h>
  22. #include <openssl/rsa.h>
  23. #include "internal/cryptlib.h"
  24. #include "crypto/pem.h"
  25. #include "crypto/evp.h"
  26. /*
  27. * Utility function: read a DWORD (4 byte unsigned integer) in little endian
  28. * format
  29. */
  30. static unsigned int read_ledword(const unsigned char **in)
  31. {
  32. const unsigned char *p = *in;
  33. unsigned int ret;
  34. ret = (unsigned int)*p++;
  35. ret |= (unsigned int)*p++ << 8;
  36. ret |= (unsigned int)*p++ << 16;
  37. ret |= (unsigned int)*p++ << 24;
  38. *in = p;
  39. return ret;
  40. }
  41. /*
  42. * Read a BIGNUM in little endian format. The docs say that this should take
  43. * up bitlen/8 bytes.
  44. */
  45. static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
  46. {
  47. *r = BN_lebin2bn(*in, nbyte, NULL);
  48. if (*r == NULL)
  49. return 0;
  50. *in += nbyte;
  51. return 1;
  52. }
  53. /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
  54. # define MS_PUBLICKEYBLOB 0x6
  55. # define MS_PRIVATEKEYBLOB 0x7
  56. # define MS_RSA1MAGIC 0x31415352L
  57. # define MS_RSA2MAGIC 0x32415352L
  58. # define MS_DSS1MAGIC 0x31535344L
  59. # define MS_DSS2MAGIC 0x32535344L
  60. # define MS_KEYALG_RSA_KEYX 0xa400
  61. # define MS_KEYALG_DSS_SIGN 0x2200
  62. # define MS_KEYTYPE_KEYX 0x1
  63. # define MS_KEYTYPE_SIGN 0x2
  64. /* Maximum length of a blob after header */
  65. # define BLOB_MAX_LENGTH 102400
  66. /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
  67. # define MS_PVKMAGIC 0xb0b5f11eL
  68. /* Salt length for PVK files */
  69. # define PVK_SALTLEN 0x10
  70. /* Maximum length in PVK header */
  71. # define PVK_MAX_KEYLEN 102400
  72. /* Maximum salt length */
  73. # define PVK_MAX_SALTLEN 10240
  74. static EVP_PKEY *b2i_rsa(const unsigned char **in,
  75. unsigned int bitlen, int ispub);
  76. #ifndef OPENSSL_NO_DSA
  77. static EVP_PKEY *b2i_dss(const unsigned char **in,
  78. unsigned int bitlen, int ispub);
  79. #endif
  80. int ossl_do_blob_header(const unsigned char **in, unsigned int length,
  81. unsigned int *pmagic, unsigned int *pbitlen,
  82. int *pisdss, int *pispub)
  83. {
  84. const unsigned char *p = *in;
  85. if (length < 16)
  86. return 0;
  87. /* bType */
  88. if (*p == MS_PUBLICKEYBLOB) {
  89. if (*pispub == 0) {
  90. ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
  91. return 0;
  92. }
  93. *pispub = 1;
  94. } else if (*p == MS_PRIVATEKEYBLOB) {
  95. if (*pispub == 1) {
  96. ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
  97. return 0;
  98. }
  99. *pispub = 0;
  100. } else {
  101. return 0;
  102. }
  103. p++;
  104. /* Version */
  105. if (*p++ != 0x2) {
  106. ERR_raise(ERR_LIB_PEM, PEM_R_BAD_VERSION_NUMBER);
  107. return 0;
  108. }
  109. /* Ignore reserved, aiKeyAlg */
  110. p += 6;
  111. *pmagic = read_ledword(&p);
  112. *pbitlen = read_ledword(&p);
  113. *pisdss = 0;
  114. switch (*pmagic) {
  115. case MS_DSS1MAGIC:
  116. *pisdss = 1;
  117. /* fall thru */
  118. case MS_RSA1MAGIC:
  119. if (*pispub == 0) {
  120. ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
  121. return 0;
  122. }
  123. break;
  124. case MS_DSS2MAGIC:
  125. *pisdss = 1;
  126. /* fall thru */
  127. case MS_RSA2MAGIC:
  128. if (*pispub == 1) {
  129. ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
  130. return 0;
  131. }
  132. break;
  133. default:
  134. ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
  135. return -1;
  136. }
  137. *in = p;
  138. return 1;
  139. }
  140. static unsigned int blob_length(unsigned bitlen, int isdss, int ispub)
  141. {
  142. unsigned int nbyte = (bitlen + 7) >> 3;
  143. unsigned int hnbyte = (bitlen + 15) >> 4;
  144. if (isdss) {
  145. /*
  146. * Expected length: 20 for q + 3 components bitlen each + 24 for seed
  147. * structure.
  148. */
  149. if (ispub)
  150. return 44 + 3 * nbyte;
  151. /*
  152. * Expected length: 20 for q, priv, 2 bitlen components + 24 for seed
  153. * structure.
  154. */
  155. else
  156. return 64 + 2 * nbyte;
  157. } else {
  158. /* Expected length: 4 for 'e' + 'n' */
  159. if (ispub)
  160. return 4 + nbyte;
  161. else
  162. /*
  163. * Expected length: 4 for 'e' and 7 other components. 2
  164. * components are bitlen size, 5 are bitlen/2
  165. */
  166. return 4 + 2 * nbyte + 5 * hnbyte;
  167. }
  168. }
  169. EVP_PKEY *ossl_b2i(const unsigned char **in, unsigned int length, int *ispub)
  170. {
  171. const unsigned char *p = *in;
  172. unsigned int bitlen, magic;
  173. int isdss;
  174. if (ossl_do_blob_header(&p, length, &magic, &bitlen, &isdss, ispub) <= 0) {
  175. ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
  176. return NULL;
  177. }
  178. length -= 16;
  179. if (length < blob_length(bitlen, isdss, *ispub)) {
  180. ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
  181. return NULL;
  182. }
  183. if (!isdss)
  184. return b2i_rsa(&p, bitlen, *ispub);
  185. #ifndef OPENSSL_NO_DSA
  186. else
  187. return b2i_dss(&p, bitlen, *ispub);
  188. #endif
  189. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
  190. return NULL;
  191. }
  192. EVP_PKEY *ossl_b2i_bio(BIO *in, int *ispub)
  193. {
  194. const unsigned char *p;
  195. unsigned char hdr_buf[16], *buf = NULL;
  196. unsigned int bitlen, magic, length;
  197. int isdss;
  198. EVP_PKEY *ret = NULL;
  199. if (BIO_read(in, hdr_buf, 16) != 16) {
  200. ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
  201. return NULL;
  202. }
  203. p = hdr_buf;
  204. if (ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, ispub) <= 0)
  205. return NULL;
  206. length = blob_length(bitlen, isdss, *ispub);
  207. if (length > BLOB_MAX_LENGTH) {
  208. ERR_raise(ERR_LIB_PEM, PEM_R_HEADER_TOO_LONG);
  209. return NULL;
  210. }
  211. buf = OPENSSL_malloc(length);
  212. if (buf == NULL) {
  213. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  214. goto err;
  215. }
  216. p = buf;
  217. if (BIO_read(in, buf, length) != (int)length) {
  218. ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
  219. goto err;
  220. }
  221. if (!isdss)
  222. ret = b2i_rsa(&p, bitlen, *ispub);
  223. #ifndef OPENSSL_NO_DSA
  224. else
  225. ret = b2i_dss(&p, bitlen, *ispub);
  226. #endif
  227. if (ret == NULL)
  228. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
  229. err:
  230. OPENSSL_free(buf);
  231. return ret;
  232. }
  233. #ifndef OPENSSL_NO_DSA
  234. static EVP_PKEY *b2i_dss(const unsigned char **in,
  235. unsigned int bitlen, int ispub)
  236. {
  237. const unsigned char *p = *in;
  238. EVP_PKEY *ret = NULL;
  239. DSA *dsa = NULL;
  240. BN_CTX *ctx = NULL;
  241. BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL;
  242. BIGNUM *pub_key = NULL;
  243. unsigned int nbyte = (bitlen + 7) >> 3;
  244. dsa = DSA_new();
  245. ret = EVP_PKEY_new();
  246. if (dsa == NULL || ret == NULL)
  247. goto memerr;
  248. if (!read_lebn(&p, nbyte, &pbn))
  249. goto memerr;
  250. if (!read_lebn(&p, 20, &qbn))
  251. goto memerr;
  252. if (!read_lebn(&p, nbyte, &gbn))
  253. goto memerr;
  254. if (ispub) {
  255. if (!read_lebn(&p, nbyte, &pub_key))
  256. goto memerr;
  257. } else {
  258. if (!read_lebn(&p, 20, &priv_key))
  259. goto memerr;
  260. /* Set constant time flag before public key calculation */
  261. BN_set_flags(priv_key, BN_FLG_CONSTTIME);
  262. /* Calculate public key */
  263. pub_key = BN_new();
  264. if (pub_key == NULL)
  265. goto memerr;
  266. if ((ctx = BN_CTX_new()) == NULL)
  267. goto memerr;
  268. if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx))
  269. goto memerr;
  270. BN_CTX_free(ctx);
  271. ctx = NULL;
  272. }
  273. if (!DSA_set0_pqg(dsa, pbn, qbn, gbn))
  274. goto memerr;
  275. pbn = qbn = gbn = NULL;
  276. if (!DSA_set0_key(dsa, pub_key, priv_key))
  277. goto memerr;
  278. pub_key = priv_key = NULL;
  279. if (!EVP_PKEY_set1_DSA(ret, dsa))
  280. goto memerr;
  281. DSA_free(dsa);
  282. *in = p;
  283. return ret;
  284. memerr:
  285. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  286. DSA_free(dsa);
  287. BN_free(pbn);
  288. BN_free(qbn);
  289. BN_free(gbn);
  290. BN_free(pub_key);
  291. BN_free(priv_key);
  292. EVP_PKEY_free(ret);
  293. BN_CTX_free(ctx);
  294. return NULL;
  295. }
  296. #endif
  297. static EVP_PKEY *b2i_rsa(const unsigned char **in,
  298. unsigned int bitlen, int ispub)
  299. {
  300. const unsigned char *pin = *in;
  301. EVP_PKEY *ret = NULL;
  302. BIGNUM *e = NULL, *n = NULL, *d = NULL;
  303. BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
  304. RSA *rsa = NULL;
  305. unsigned int nbyte = (bitlen + 7) >> 3;
  306. unsigned int hnbyte = (bitlen + 15) >> 4;
  307. rsa = RSA_new();
  308. ret = EVP_PKEY_new();
  309. if (rsa == NULL || ret == NULL)
  310. goto memerr;
  311. e = BN_new();
  312. if (e == NULL)
  313. goto memerr;
  314. if (!BN_set_word(e, read_ledword(&pin)))
  315. goto memerr;
  316. if (!read_lebn(&pin, nbyte, &n))
  317. goto memerr;
  318. if (!ispub) {
  319. if (!read_lebn(&pin, hnbyte, &p))
  320. goto memerr;
  321. if (!read_lebn(&pin, hnbyte, &q))
  322. goto memerr;
  323. if (!read_lebn(&pin, hnbyte, &dmp1))
  324. goto memerr;
  325. if (!read_lebn(&pin, hnbyte, &dmq1))
  326. goto memerr;
  327. if (!read_lebn(&pin, hnbyte, &iqmp))
  328. goto memerr;
  329. if (!read_lebn(&pin, nbyte, &d))
  330. goto memerr;
  331. if (!RSA_set0_factors(rsa, p, q))
  332. goto memerr;
  333. p = q = NULL;
  334. if (!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
  335. goto memerr;
  336. dmp1 = dmq1 = iqmp = NULL;
  337. }
  338. if (!RSA_set0_key(rsa, n, e, d))
  339. goto memerr;
  340. n = e = d = NULL;
  341. if (!EVP_PKEY_set1_RSA(ret, rsa))
  342. goto memerr;
  343. RSA_free(rsa);
  344. *in = pin;
  345. return ret;
  346. memerr:
  347. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  348. BN_free(e);
  349. BN_free(n);
  350. BN_free(p);
  351. BN_free(q);
  352. BN_free(dmp1);
  353. BN_free(dmq1);
  354. BN_free(iqmp);
  355. BN_free(d);
  356. RSA_free(rsa);
  357. EVP_PKEY_free(ret);
  358. return NULL;
  359. }
  360. EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length)
  361. {
  362. int ispub = 0;
  363. return ossl_b2i(in, length, &ispub);
  364. }
  365. EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length)
  366. {
  367. int ispub = 1;
  368. return ossl_b2i(in, length, &ispub);
  369. }
  370. EVP_PKEY *b2i_PrivateKey_bio(BIO *in)
  371. {
  372. int ispub = 0;
  373. return ossl_b2i_bio(in, &ispub);
  374. }
  375. EVP_PKEY *b2i_PublicKey_bio(BIO *in)
  376. {
  377. int ispub = 1;
  378. return ossl_b2i_bio(in, &ispub);
  379. }
  380. static void write_ledword(unsigned char **out, unsigned int dw)
  381. {
  382. unsigned char *p = *out;
  383. *p++ = dw & 0xff;
  384. *p++ = (dw >> 8) & 0xff;
  385. *p++ = (dw >> 16) & 0xff;
  386. *p++ = (dw >> 24) & 0xff;
  387. *out = p;
  388. }
  389. static void write_lebn(unsigned char **out, const BIGNUM *bn, int len)
  390. {
  391. BN_bn2lebinpad(bn, *out, len);
  392. *out += len;
  393. }
  394. static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic);
  395. static void write_rsa(unsigned char **out, RSA *rsa, int ispub);
  396. #ifndef OPENSSL_NO_DSA
  397. static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic);
  398. static void write_dsa(unsigned char **out, DSA *dsa, int ispub);
  399. #endif
  400. static int do_i2b(unsigned char **out, const EVP_PKEY *pk, int ispub)
  401. {
  402. unsigned char *p;
  403. unsigned int bitlen = 0, magic = 0, keyalg = 0;
  404. int outlen = -1, noinc = 0;
  405. int pktype;
  406. #ifndef OPENSSL_NO_PROVIDER_CODE
  407. EVP_PKEY *pkcopy = NULL;
  408. if (evp_pkey_is_provided(pk)) {
  409. if (!evp_pkey_copy_downgraded(&pkcopy, pk))
  410. goto end;
  411. pk = pkcopy;
  412. }
  413. #endif
  414. pktype = EVP_PKEY_id(pk);
  415. if (pktype == EVP_PKEY_RSA) {
  416. bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
  417. keyalg = MS_KEYALG_RSA_KEYX;
  418. #ifndef OPENSSL_NO_DSA
  419. } else if (pktype == EVP_PKEY_DSA) {
  420. bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
  421. keyalg = MS_KEYALG_DSS_SIGN;
  422. #endif
  423. }
  424. if (bitlen == 0) {
  425. goto end;
  426. }
  427. outlen = 16 + blob_length(bitlen,
  428. keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
  429. if (out == NULL)
  430. goto end;
  431. if (*out)
  432. p = *out;
  433. else {
  434. if ((p = OPENSSL_malloc(outlen)) == NULL) {
  435. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  436. outlen = -1;
  437. goto end;
  438. }
  439. *out = p;
  440. noinc = 1;
  441. }
  442. if (ispub)
  443. *p++ = MS_PUBLICKEYBLOB;
  444. else
  445. *p++ = MS_PRIVATEKEYBLOB;
  446. *p++ = 0x2;
  447. *p++ = 0;
  448. *p++ = 0;
  449. write_ledword(&p, keyalg);
  450. write_ledword(&p, magic);
  451. write_ledword(&p, bitlen);
  452. if (keyalg == MS_KEYALG_RSA_KEYX)
  453. write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
  454. #ifndef OPENSSL_NO_DSA
  455. else
  456. write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
  457. #endif
  458. if (!noinc)
  459. *out += outlen;
  460. end:
  461. #ifndef OPENSSL_NO_PROVIDER_CODE
  462. EVP_PKEY_free(pkcopy);
  463. #endif
  464. return outlen;
  465. }
  466. static int do_i2b_bio(BIO *out, const EVP_PKEY *pk, int ispub)
  467. {
  468. unsigned char *tmp = NULL;
  469. int outlen, wrlen;
  470. outlen = do_i2b(&tmp, pk, ispub);
  471. if (outlen < 0)
  472. return -1;
  473. wrlen = BIO_write(out, tmp, outlen);
  474. OPENSSL_free(tmp);
  475. if (wrlen == outlen)
  476. return outlen;
  477. return -1;
  478. }
  479. static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic)
  480. {
  481. int nbyte, hnbyte, bitlen;
  482. const BIGNUM *e;
  483. RSA_get0_key(rsa, NULL, &e, NULL);
  484. if (BN_num_bits(e) > 32)
  485. goto badkey;
  486. bitlen = RSA_bits(rsa);
  487. nbyte = RSA_size(rsa);
  488. hnbyte = (bitlen + 15) >> 4;
  489. if (ispub) {
  490. *pmagic = MS_RSA1MAGIC;
  491. return bitlen;
  492. } else {
  493. const BIGNUM *d, *p, *q, *iqmp, *dmp1, *dmq1;
  494. *pmagic = MS_RSA2MAGIC;
  495. /*
  496. * For private key each component must fit within nbyte or hnbyte.
  497. */
  498. RSA_get0_key(rsa, NULL, NULL, &d);
  499. if (BN_num_bytes(d) > nbyte)
  500. goto badkey;
  501. RSA_get0_factors(rsa, &p, &q);
  502. RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
  503. if ((BN_num_bytes(iqmp) > hnbyte)
  504. || (BN_num_bytes(p) > hnbyte)
  505. || (BN_num_bytes(q) > hnbyte)
  506. || (BN_num_bytes(dmp1) > hnbyte)
  507. || (BN_num_bytes(dmq1) > hnbyte))
  508. goto badkey;
  509. }
  510. return bitlen;
  511. badkey:
  512. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
  513. return 0;
  514. }
  515. static void write_rsa(unsigned char **out, RSA *rsa, int ispub)
  516. {
  517. int nbyte, hnbyte;
  518. const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1;
  519. nbyte = RSA_size(rsa);
  520. hnbyte = (RSA_bits(rsa) + 15) >> 4;
  521. RSA_get0_key(rsa, &n, &e, &d);
  522. write_lebn(out, e, 4);
  523. write_lebn(out, n, nbyte);
  524. if (ispub)
  525. return;
  526. RSA_get0_factors(rsa, &p, &q);
  527. RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
  528. write_lebn(out, p, hnbyte);
  529. write_lebn(out, q, hnbyte);
  530. write_lebn(out, dmp1, hnbyte);
  531. write_lebn(out, dmq1, hnbyte);
  532. write_lebn(out, iqmp, hnbyte);
  533. write_lebn(out, d, nbyte);
  534. }
  535. #ifndef OPENSSL_NO_DSA
  536. static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic)
  537. {
  538. int bitlen;
  539. const BIGNUM *p = NULL, *q = NULL, *g = NULL;
  540. const BIGNUM *pub_key = NULL, *priv_key = NULL;
  541. DSA_get0_pqg(dsa, &p, &q, &g);
  542. DSA_get0_key(dsa, &pub_key, &priv_key);
  543. bitlen = BN_num_bits(p);
  544. if ((bitlen & 7) || (BN_num_bits(q) != 160)
  545. || (BN_num_bits(g) > bitlen))
  546. goto badkey;
  547. if (ispub) {
  548. if (BN_num_bits(pub_key) > bitlen)
  549. goto badkey;
  550. *pmagic = MS_DSS1MAGIC;
  551. } else {
  552. if (BN_num_bits(priv_key) > 160)
  553. goto badkey;
  554. *pmagic = MS_DSS2MAGIC;
  555. }
  556. return bitlen;
  557. badkey:
  558. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
  559. return 0;
  560. }
  561. static void write_dsa(unsigned char **out, DSA *dsa, int ispub)
  562. {
  563. int nbyte;
  564. const BIGNUM *p = NULL, *q = NULL, *g = NULL;
  565. const BIGNUM *pub_key = NULL, *priv_key = NULL;
  566. DSA_get0_pqg(dsa, &p, &q, &g);
  567. DSA_get0_key(dsa, &pub_key, &priv_key);
  568. nbyte = BN_num_bytes(p);
  569. write_lebn(out, p, nbyte);
  570. write_lebn(out, q, 20);
  571. write_lebn(out, g, nbyte);
  572. if (ispub)
  573. write_lebn(out, pub_key, nbyte);
  574. else
  575. write_lebn(out, priv_key, 20);
  576. /* Set "invalid" for seed structure values */
  577. memset(*out, 0xff, 24);
  578. *out += 24;
  579. return;
  580. }
  581. #endif
  582. int i2b_PrivateKey_bio(BIO *out, const EVP_PKEY *pk)
  583. {
  584. return do_i2b_bio(out, pk, 0);
  585. }
  586. int i2b_PublicKey_bio(BIO *out, const EVP_PKEY *pk)
  587. {
  588. return do_i2b_bio(out, pk, 1);
  589. }
  590. int ossl_do_PVK_header(const unsigned char **in, unsigned int length,
  591. int skip_magic,
  592. unsigned int *psaltlen, unsigned int *pkeylen)
  593. {
  594. const unsigned char *p = *in;
  595. unsigned int pvk_magic, is_encrypted;
  596. if (skip_magic) {
  597. if (length < 20) {
  598. ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
  599. return 0;
  600. }
  601. } else {
  602. if (length < 24) {
  603. ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
  604. return 0;
  605. }
  606. pvk_magic = read_ledword(&p);
  607. if (pvk_magic != MS_PVKMAGIC) {
  608. ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
  609. return 0;
  610. }
  611. }
  612. /* Skip reserved */
  613. p += 4;
  614. /*
  615. * keytype =
  616. */ read_ledword(&p);
  617. is_encrypted = read_ledword(&p);
  618. *psaltlen = read_ledword(&p);
  619. *pkeylen = read_ledword(&p);
  620. if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
  621. return 0;
  622. if (is_encrypted && *psaltlen == 0) {
  623. ERR_raise(ERR_LIB_PEM, PEM_R_INCONSISTENT_HEADER);
  624. return 0;
  625. }
  626. *in = p;
  627. return 1;
  628. }
  629. #ifndef OPENSSL_NO_RC4
  630. static int derive_pvk_key(unsigned char *key,
  631. const unsigned char *salt, unsigned int saltlen,
  632. const unsigned char *pass, int passlen)
  633. {
  634. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  635. int rv = 1;
  636. if (mctx == NULL
  637. || !EVP_DigestInit_ex(mctx, EVP_sha1(), NULL)
  638. || !EVP_DigestUpdate(mctx, salt, saltlen)
  639. || !EVP_DigestUpdate(mctx, pass, passlen)
  640. || !EVP_DigestFinal_ex(mctx, key, NULL))
  641. rv = 0;
  642. EVP_MD_CTX_free(mctx);
  643. return rv;
  644. }
  645. #endif
  646. static EVP_PKEY *do_PVK_body(const unsigned char **in,
  647. unsigned int saltlen, unsigned int keylen,
  648. pem_password_cb *cb, void *u)
  649. {
  650. EVP_PKEY *ret = NULL;
  651. const unsigned char *p = *in;
  652. unsigned char *enctmp = NULL;
  653. unsigned char keybuf[20];
  654. EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
  655. if (saltlen) {
  656. #ifndef OPENSSL_NO_RC4
  657. unsigned int magic;
  658. char psbuf[PEM_BUFSIZE];
  659. int enctmplen, inlen;
  660. unsigned char *q;
  661. if (cb)
  662. inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
  663. else
  664. inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
  665. if (inlen < 0) {
  666. ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
  667. goto err;
  668. }
  669. enctmp = OPENSSL_malloc(keylen + 8);
  670. if (enctmp == NULL) {
  671. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  672. goto err;
  673. }
  674. if (!derive_pvk_key(keybuf, p, saltlen,
  675. (unsigned char *)psbuf, inlen))
  676. goto err;
  677. p += saltlen;
  678. /* Copy BLOBHEADER across, decrypt rest */
  679. memcpy(enctmp, p, 8);
  680. p += 8;
  681. if (keylen < 8) {
  682. ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
  683. goto err;
  684. }
  685. inlen = keylen - 8;
  686. q = enctmp + 8;
  687. if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
  688. goto err;
  689. if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
  690. goto err;
  691. if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
  692. goto err;
  693. magic = read_ledword((const unsigned char **)&q);
  694. if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
  695. q = enctmp + 8;
  696. memset(keybuf + 5, 0, 11);
  697. if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
  698. goto err;
  699. if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
  700. goto err;
  701. if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
  702. goto err;
  703. magic = read_ledword((const unsigned char **)&q);
  704. if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
  705. ERR_raise(ERR_LIB_PEM, PEM_R_BAD_DECRYPT);
  706. goto err;
  707. }
  708. }
  709. p = enctmp;
  710. #else
  711. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
  712. goto err;
  713. #endif
  714. }
  715. ret = b2i_PrivateKey(&p, keylen);
  716. err:
  717. EVP_CIPHER_CTX_free(cctx);
  718. if (enctmp != NULL) {
  719. OPENSSL_cleanse(keybuf, sizeof(keybuf));
  720. OPENSSL_free(enctmp);
  721. }
  722. return ret;
  723. }
  724. EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
  725. {
  726. unsigned char pvk_hdr[24], *buf = NULL;
  727. const unsigned char *p;
  728. int buflen;
  729. EVP_PKEY *ret = NULL;
  730. unsigned int saltlen, keylen;
  731. if (BIO_read(in, pvk_hdr, 24) != 24) {
  732. ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
  733. return NULL;
  734. }
  735. p = pvk_hdr;
  736. if (!ossl_do_PVK_header(&p, 24, 0, &saltlen, &keylen))
  737. return 0;
  738. buflen = (int)keylen + saltlen;
  739. buf = OPENSSL_malloc(buflen);
  740. if (buf == NULL) {
  741. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  742. return 0;
  743. }
  744. p = buf;
  745. if (BIO_read(in, buf, buflen) != buflen) {
  746. ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
  747. goto err;
  748. }
  749. ret = do_PVK_body(&p, saltlen, keylen, cb, u);
  750. err:
  751. OPENSSL_clear_free(buf, buflen);
  752. return ret;
  753. }
  754. static int i2b_PVK(unsigned char **out, const EVP_PKEY *pk, int enclevel,
  755. pem_password_cb *cb, void *u)
  756. {
  757. int outlen = 24, pklen;
  758. unsigned char *p = NULL, *start = NULL;
  759. EVP_CIPHER_CTX *cctx = NULL;
  760. #ifndef OPENSSL_NO_RC4
  761. unsigned char *salt = NULL;
  762. #endif
  763. if (enclevel)
  764. outlen += PVK_SALTLEN;
  765. pklen = do_i2b(NULL, pk, 0);
  766. if (pklen < 0)
  767. return -1;
  768. outlen += pklen;
  769. if (out == NULL)
  770. return outlen;
  771. if (*out != NULL) {
  772. p = *out;
  773. } else {
  774. start = p = OPENSSL_malloc(outlen);
  775. if (p == NULL) {
  776. ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
  777. return -1;
  778. }
  779. }
  780. cctx = EVP_CIPHER_CTX_new();
  781. if (cctx == NULL)
  782. goto error;
  783. write_ledword(&p, MS_PVKMAGIC);
  784. write_ledword(&p, 0);
  785. if (EVP_PKEY_id(pk) == EVP_PKEY_RSA)
  786. write_ledword(&p, MS_KEYTYPE_KEYX);
  787. #ifndef OPENSSL_NO_DSA
  788. else
  789. write_ledword(&p, MS_KEYTYPE_SIGN);
  790. #endif
  791. write_ledword(&p, enclevel ? 1 : 0);
  792. write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
  793. write_ledword(&p, pklen);
  794. if (enclevel) {
  795. #ifndef OPENSSL_NO_RC4
  796. if (RAND_bytes(p, PVK_SALTLEN) <= 0)
  797. goto error;
  798. salt = p;
  799. p += PVK_SALTLEN;
  800. #endif
  801. }
  802. do_i2b(&p, pk, 0);
  803. if (enclevel != 0) {
  804. #ifndef OPENSSL_NO_RC4
  805. char psbuf[PEM_BUFSIZE];
  806. unsigned char keybuf[20];
  807. int enctmplen, inlen;
  808. if (cb)
  809. inlen = cb(psbuf, PEM_BUFSIZE, 1, u);
  810. else
  811. inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u);
  812. if (inlen <= 0) {
  813. ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
  814. goto error;
  815. }
  816. if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
  817. (unsigned char *)psbuf, inlen))
  818. goto error;
  819. if (enclevel == 1)
  820. memset(keybuf + 5, 0, 11);
  821. p = salt + PVK_SALTLEN + 8;
  822. if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
  823. goto error;
  824. OPENSSL_cleanse(keybuf, 20);
  825. if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
  826. goto error;
  827. if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen))
  828. goto error;
  829. #else
  830. ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
  831. goto error;
  832. #endif
  833. }
  834. EVP_CIPHER_CTX_free(cctx);
  835. if (*out == NULL)
  836. *out = start;
  837. return outlen;
  838. error:
  839. EVP_CIPHER_CTX_free(cctx);
  840. if (*out == NULL)
  841. OPENSSL_free(start);
  842. return -1;
  843. }
  844. int i2b_PVK_bio(BIO *out, const EVP_PKEY *pk, int enclevel,
  845. pem_password_cb *cb, void *u)
  846. {
  847. unsigned char *tmp = NULL;
  848. int outlen, wrlen;
  849. outlen = i2b_PVK(&tmp, pk, enclevel, cb, u);
  850. if (outlen < 0)
  851. return -1;
  852. wrlen = BIO_write(out, tmp, outlen);
  853. OPENSSL_free(tmp);
  854. if (wrlen == outlen) {
  855. return outlen;
  856. }
  857. ERR_raise(ERR_LIB_PEM, PEM_R_BIO_WRITE_FAILURE);
  858. return -1;
  859. }