[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Mon Oct 30 17:22:32 UTC 2017


The branch master has been updated
       via  d85722d31ac9ff0dc54c06cdc8d125acf56ca27a (commit)
       via  751148e2b0d1048522d754d55319166435cdda86 (commit)
      from  5e006082199e9a0f37ba35116ff217bc643dd317 (commit)


- Log -----------------------------------------------------------------
commit d85722d31ac9ff0dc54c06cdc8d125acf56ca27a
Author: Richard Levitte <levitte at openssl.org>
Date:   Fri Oct 27 22:42:04 2017 +0200

    EVP_PKEY_asn1_add0(): Check that this method isn't already registered
    
    No two public key ASN.1 methods with the same pkey_id can be
    registered at the same time.
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/4596)

commit 751148e2b0d1048522d754d55319166435cdda86
Author: Richard Levitte <levitte at openssl.org>
Date:   Fri Oct 27 00:11:11 2017 +0200

    Document EVP_PKEY_ASN1_METHOD and associated functions
    
    [skip ci]
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/4596)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/ameth_lib.c              |   5 +
 doc/man3/EVP_PKEY_ASN1_METHOD.pod    | 369 +++++++++++++++++++++++++++++++++++
 doc/man3/EVP_PKEY_asn1_get_count.pod |  80 ++++++++
 3 files changed, 454 insertions(+)
 create mode 100644 doc/man3/EVP_PKEY_ASN1_METHOD.pod
 create mode 100644 doc/man3/EVP_PKEY_asn1_get_count.pod

diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index 5f523b2..87a3eba 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -137,6 +137,11 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe,
 
 int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
 {
+    if (pkey_asn1_find(ameth->pkey_id) != NULL) {
+        EVPerr(EVP_F_EVP_PKEY_ASN1_ADD0,
+               EVP_R_PKEY_ASN1_METHOD_ALREADY_REGISTERED);
+        return 0;
+    }
     if (app_methods == NULL) {
         app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
         if (app_methods == NULL)
diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
new file mode 100644
index 0000000..88df5b9
--- /dev/null
+++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
@@ -0,0 +1,369 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_ASN1_METHOD,
+- manipulating and registering EVP_PKEY_ASN1_METHOD structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
+
+ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
+                                         const char *pem_str,
+                                         const char *info);
+ void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
+                         const EVP_PKEY_ASN1_METHOD *src);
+ void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth);
+ int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth);
+ int EVP_PKEY_asn1_add_alias(int to, int from);
+
+ void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth,
+                               int (*pub_decode) (EVP_PKEY *pk,
+                                                  X509_PUBKEY *pub),
+                               int (*pub_encode) (X509_PUBKEY *pub,
+                                                  const EVP_PKEY *pk),
+                               int (*pub_cmp) (const EVP_PKEY *a,
+                                               const EVP_PKEY *b),
+                               int (*pub_print) (BIO *out,
+                                                 const EVP_PKEY *pkey,
+                                                 int indent, ASN1_PCTX *pctx),
+                               int (*pkey_size) (const EVP_PKEY *pk),
+                               int (*pkey_bits) (const EVP_PKEY *pk));
+ void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth,
+                                int (*priv_decode) (EVP_PKEY *pk,
+                                                    const PKCS8_PRIV_KEY_INFO
+                                                    *p8inf),
+                                int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8,
+                                                    const EVP_PKEY *pk),
+                                int (*priv_print) (BIO *out,
+                                                   const EVP_PKEY *pkey,
+                                                   int indent,
+                                                   ASN1_PCTX *pctx));
+ void EVP_PKEY_asn1_set_param(EVP_PKEY_ASN1_METHOD *ameth,
+                              int (*param_decode) (EVP_PKEY *pkey,
+                                                   const unsigned char **pder,
+                                                   int derlen),
+                              int (*param_encode) (const EVP_PKEY *pkey,
+                                                   unsigned char **pder),
+                              int (*param_missing) (const EVP_PKEY *pk),
+                              int (*param_copy) (EVP_PKEY *to,
+                                                 const EVP_PKEY *from),
+                              int (*param_cmp) (const EVP_PKEY *a,
+                                                const EVP_PKEY *b),
+                              int (*param_print) (BIO *out,
+                                                  const EVP_PKEY *pkey,
+                                                  int indent,
+                                                  ASN1_PCTX *pctx));
+
+ void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
+                             void (*pkey_free) (EVP_PKEY *pkey));
+ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
+                             int (*pkey_ctrl) (EVP_PKEY *pkey, int op,
+                                               long arg1, void *arg2));
+ void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
+                             int (*item_verify) (EVP_MD_CTX *ctx,
+                                                 const ASN1_ITEM *it,
+                                                 void *asn,
+                                                 X509_ALGOR *a,
+                                                 ASN1_BIT_STRING *sig,
+                                                 EVP_PKEY *pkey),
+                             int (*item_sign) (EVP_MD_CTX *ctx,
+                                               const ASN1_ITEM *it,
+                                               void *asn,
+                                               X509_ALGOR *alg1,
+                                               X509_ALGOR *alg2,
+                                               ASN1_BIT_STRING *sig));
+
+ void EVP_PKEY_asn1_set_siginf(EVP_PKEY_ASN1_METHOD *ameth,
+                               int (*siginf_set) (X509_SIG_INFO *siginf,
+                                                  const X509_ALGOR *alg,
+                                                  const ASN1_STRING *sig));
+
+ void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
+                              int (*pkey_check) (const EVP_PKEY *pk));
+
+ void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth,
+                                      int (*pkey_security_bits) (const EVP_PKEY
+                                                                 *pk));
+
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+B<EVP_PKEY_ASN1_METHOD> is a structure which holds a set of ASN.1
+conversion, printing and information methods for a specific public key
+algorithm.
+
+There are two places where the B<EVP_PKEY_ASN1_METHOD> objects are
+stored: one is a built-in array representing the standard methods for
+different algorithms, and the other one is a stack of user-defined
+application-specific methods, which can be manipulated by using
+L<EVP_PKEY_asn1_add0(3)>.
+
+=head2 Methods
+
+The methods are the underlying implementations of a particular public
+key algorithm present by the B<EVP_PKEY> object.
+
+ int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
+ int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
+ int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+ int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                   ASN1_PCTX *pctx);
+
+The pub_decode() and pub_encode() methods are called to decode /
+encode B<X509_PUBKEY> ASN.1 parameters to / from B<pk>.
+They MUST return 0 on error, 1 on success.
+They're called by L<X509_PUBKEY_get0(3)> and L<X509_PUBKEY_set(3)>.
+
+The pub_cmp() method is called when two public keys are to be
+compared.
+It MUST return 1 when the keys are equal, 0 otherwise.
+It's called by L<EVP_PKEY_cmp(3)>.
+
+The pub_print() method is called to print a public key in humanly
+readable text to B<out>, indented B<indent> spaces.
+It MUST return 0 on error, 1 on success.
+It's called by L<EVP_PKEY_print_public(3)>.
+
+ int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf);
+ int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
+ int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                    ASN1_PCTX *pctx);
+
+The priv_decode() and priv_encode() methods are called to decode /
+encode B<PKCS8_PRIV_KEY_INFO> form private key to / from B<pk>.
+They MUST return 0 on error, 1 on success.
+They're called by L<EVP_PKCS82PKEY(3)> and L<EVP_PKEY2PKCS8(3)>.
+
+The priv_print() method is called to print a private key in humanly
+readable text to B<out>, indented B<indent> spaces.
+It MUST return 0 on error, 1 on success.
+It's called by L<EVP_PKEY_print_private(3)>.
+
+ int (*pkey_size) (const EVP_PKEY *pk);
+ int (*pkey_bits) (const EVP_PKEY *pk);
+ int (*pkey_security_bits) (const EVP_PKEY *pk);
+
+The pkey_size() method returns the key size in bytes.
+It's called by L<EVP_PKEY_size(3)>.
+
+The pkey_bits() method returns the key size in bits.
+It's called by L<EVP_PKEY_bits(3)>.
+
+ int (*param_decode) (EVP_PKEY *pkey,
+                      const unsigned char **pder, int derlen);
+ int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+ int (*param_missing) (const EVP_PKEY *pk);
+ int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
+ int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+ int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                     ASN1_PCTX *pctx);
+
+The param_decode() and param_encode() methods are called to decode /
+encode DER formatted parameters to / from B<pk>.
+They MUST return 0 on error, 1 on success.
+They're called by L<PEM_read_bio_Parameters(3)> and the B<file:>
+L<OSSL_STORE_LOADER(3)>.
+
+The param_missing() method returns 0 if a key parameter is missing,
+otherwise 1.
+It's called by L<EVP_PKEY_missing_parameters(3)>.
+
+The param_copy() method copies key parameters from B<from> to B<to>.
+It MUST return 0 on error, 1 on success.
+It's called by L<EVP_PKEY_copy_parameters(3)>.
+
+The param_cmp() method compares the parameters of keys B<a> and B<b>.
+It MUST return 1 when the keys are equal, 0 when not equal, or a
+negative number on error.
+It's called by L<EVP_PKEY_cmp_parameters(3)>.
+
+The param_print() method prints the private key parameters in humanly
+readable text to B<out>, indented B<indent> spaces.
+It MUST return 0 on error, 1 on success.
+It's called by L<EVP_PKEY_print_params(3)>.
+
+ int (*sig_print) (BIO *out,
+                   const X509_ALGOR *sigalg, const ASN1_STRING *sig,
+                   int indent, ASN1_PCTX *pctx);
+
+The sig_print() method prints a signature in humanly readable text to
+B<out>, indented B<indent> spaces.
+B<sigalg> contains the exact signature algorithm.
+If the signature in B<sig> doesn't correspond to what this method
+expects, X509_signature_dump() must be used as a last resort.
+It MUST return 0 on error, 1 on success.
+It's called by L<X509_signature_print(3)>.
+
+ void (*pkey_free) (EVP_PKEY *pkey);
+
+The pkey_free() method helps freeing the internals of B<pkey>.
+It's called by L<EVP_PKEY_free(3)>, L<EVP_PKEY_set_type(3)>,
+L<EVP_PKEY_set_type_str(3)>, and L<EVP_PKEY_assign(3)>.
+
+ int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
+
+The pkey_ctrl() method adds extra algorithm specific control.
+It's called by L<EVP_PKEY_get_default_digest_nid(3)>,
+L<EVP_PKEY_set1_tls_encodedpoint(3)>,
+L<EVP_PKEY_get1_tls_encodedpoint(3)>, L<PKCS7_SIGNER_INFO_set(3)>,
+L<PKCS7_RECIP_INFO_set(3)>, ...
+
+ int (*old_priv_decode) (EVP_PKEY *pkey,
+                         const unsigned char **pder, int derlen);
+ int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+
+The old_priv_decode() and old_priv_encode() methods decode / encode
+they private key B<pkey> from / to a DER formatted array.
+These are exclusively used to help decoding / encoding older (pre
+PKCS#8) PEM formatted encrypted private keys.
+old_priv_decode() MUST return 0 on error, 1 on success.
+old_priv_encode() MUST the return same kind of values as
+i2d_PrivateKey().
+They're called by L<d2i_PrivateKey(3)> and L<i2d_PrivateKey(3)>.
+
+ int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                     X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
+ int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                   X509_ALGOR *alg1, X509_ALGOR *alg2,
+                   ASN1_BIT_STRING *sig);
+
+The item_sign() and  item_verify() methods make it possible to have
+algorithm specific signatures and verification of them.
+
+item_sign() MUST return one of:
+
+=over 4
+
+=item <=0
+
+error
+
+=item 1
+
+item_sign() did everything, OpenSSL internals just needs to pass the
+signature length back.
+
+=item 2
+
+item_sign() did nothing, OpenSSL internal standard routines are
+expected to continue with the default signature production.
+
+=item 3
+
+item_sign() set the algorithm identifier B<algor1> and B<algor2>,
+OpenSSL internals should just sign using those algorithms.
+
+=back
+
+item_verify() MUST return one of:
+
+=over 4
+
+=item <=0
+
+error
+
+=item 1
+
+item_sign() did everything, OpenSSL internals just needs to pass the
+signature length back.
+
+=item 2
+
+item_sign() did nothing, OpenSSL internal standard routines are
+expected to continue with the default signature production.
+
+=back
+
+item_verify() and item_sign() are called by L<ASN1_item_verify(3)> and
+L<ASN1_item_sign(3)>, and by extension, L<X509_verify(3)>,
+L<X509_REQ_verify(3)>, L<X509_sign(3)>, L<X509_REQ_sign(3)>, ...
+
+ int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+                    const ASN1_STRING *sig);
+
+The siginf_set() method is used to set custom B<X509_SIG_INFO>
+parameters.
+It MUST return 0 on error, or 1 on success.
+It's called as part of L<X509_check_purpose(3)>, L<X509_check_ca(3)>
+and L<X509_check_issued(3)>.
+
+ int (*pkey_check) (const EVP_PKEY *pk);
+
+The pkey_check() method is used to check the validity of B<pk>.
+It MUST return 0 for an invalid key, or 1 for a valid key.
+It's called by L<EVP_PKEY_check(3)>.
+
+=head2 Functions
+
+EVP_PKEY_asn1_new() creates and returns a new B<EVP_PKEY_ASN1_METHOD>
+object, and associates the given B<id>, B<flags>, B<pem_str> and
+B<info>.
+B<id> is a NID, B<pem_str> is the PEM type string, B<info> is a
+descriptive string.
+The following B<flags> are supported:
+
+ ASN1_PKEY_SIGPARAM_NULL
+
+If B<ASN1_PKEY_SIGPARAM_NULL> is set, then the signature algorithm
+parameters are given the type B<V_ASN1_NULL> by default, otherwise
+they will be given the type B<V_ASN1_UNDEF> (i.e. the parameter is
+omitted).
+See L<X509_ALGOR_set0(3)> for more information.
+
+EVP_PKEY_asn1_copy() copies an B<EVP_PKEY_ASN1_METHOD> object from
+B<src> to B<dst>.
+This function is not thread safe, it's recommended to only use this
+when initializing the application.
+
+EVP_PKEY_asn1_free() frees an existing B<EVP_PKEY_ASN1_METHOD> pointed
+by B<ameth>.
+
+EVP_PKEY_asn1_add0() adds B<ameth> to the user defined stack of
+methods unless another B<EVP_PKEY_ASN1_METHOD> with the same NID is
+already there.
+This function is not thread safe, it's recommended to only use this
+when initializing the application.
+
+EVP_PKEY_asn1_add_alias() creates an alias with the NID B<to> for the
+B<EVP_PKEY_ASN1_METHOD> with NID B<from> unless another
+B<EVP_PKEY_ASN1_METHOD> with the same NID is already added.
+This function is not thread safe, it's recommended to only use this
+when initializing the application.
+
+EVP_PKEY_asn1_set_public(), EVP_PKEY_asn1_set_private(),
+EVP_PKEY_asn1_set_param(), EVP_PKEY_asn1_set_free(),
+EVP_PKEY_asn1_set_ctrl(), EVP_PKEY_asn1_set_item(),
+EVP_PKEY_asn1_set_siginf(), EVP_PKEY_asn1_set_check(), and
+EVP_PKEY_asn1_set_security_bits() set the diverse methods of the given
+B<EVP_PKEY_ASN1_METHOD> object.
+
+EVP_PKEY_get0_asn1() finds the B<EVP_PKEY_ASN1_METHOD> associated
+with the key B<pkey>.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_asn1_new() returns NULL on error, or a pointer to an
+B<EVP_PKEY_ASN1_METHOD> object otherwise.
+
+EVP_PKEY_asn1_add0() and EVP_PKEY_asn1_add_alias() return 0 on error,
+or 1 on success.
+
+EVP_PKEY_get0_asn1() returns NULL on error, or a pointer to a constant
+B<EVP_PKEY_ASN1_METHOD> object otherwise.
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/EVP_PKEY_asn1_get_count.pod b/doc/man3/EVP_PKEY_asn1_get_count.pod
new file mode 100644
index 0000000..9ad2dae
--- /dev/null
+++ b/doc/man3/EVP_PKEY_asn1_get_count.pod
@@ -0,0 +1,80 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_asn1_find,
+EVP_PKEY_asn1_find_str,
+EVP_PKEY_asn1_get_count,
+EVP_PKEY_asn1_get0,
+EVP_PKEY_asn1_get0_info
+- enumerate public key ASN.1 methods
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_PKEY_asn1_get_count(void);
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe,
+                                                    const char *str, int len);
+ int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id,
+                             int *ppkey_flags, const char **pinfo,
+                             const char **ppem_str,
+                             const EVP_PKEY_ASN1_METHOD *ameth);
+
+=head1 DESCRIPTION
+
+EVP_PKEY_asn1_count() returns a count of the number of public key
+ASN.1 methods available: it includes standard methods and any methods
+added by the application.
+
+EVP_PKEY_asn1_get0() returns the public key ASN.1 method B<idx>.
+The value of B<idx> must be between zero and EVP_PKEY_asn1_get_count()
+- 1.
+
+EVP_PKEY_asn1_find() looks up the B<EVP_PKEY_ASN1_METHOD> with NID
+B<type>.
+If B<pe> isn't B<NULL>, then it will look up an engine implementing a
+B<EVP_PKEY_ASN1_METHOD> for the NID B<type> and return that instead,
+and also set B<*pe> to point at the engine that implements it.
+
+EVP_PKEY_asn1_find_str() looks up the B<EVP_PKEY_ASN1_METHOD> with PEM
+type string B<str>.
+Just like EVP_PKEY_asn1_find(), if B<pe> isn't B<NULL>, then it will
+look up an engine implementing a B<EVP_PKEY_ASN1_METHOD> for the NID
+B<type> and return that instead, and also set B<*pe> to point at the
+engine that implements it.
+
+EVP_PKEY_asn1_get0_info() returns the public key ID, base public key
+ID (both NIDs), any flags, the method description and PEM type string
+associated with the public key ASN.1 method B<*ameth>. 
+
+EVP_PKEY_asn1_count(), EVP_PKEY_asn1_get0(), EVP_PKEY_asn1_find() and
+EVP_PKEY_asn1_find_str() are not thread safe, but as long as all
+B<EVP_PKEY_ASN1_METHOD> objects are added before the application gets
+threaded, using them is safe.  See L<EVP_PKEY_asn1_add0(3)>.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_asn1_count() returns the number of available public key methods.
+
+EVP_PKEY_asn1_get0() return a public key method or B<NULL> if B<idx> is
+out of range.
+
+EVP_PKEY_asn1_get0_info() returns 0 on failure, 1 on success.
+
+=head1 SEE ALSO
+
+L<EVP_PKEY_asn1_new(3)>, L<EVP_PKEY_asn1_add0(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut


More information about the openssl-commits mailing list