[openssl] master update
Matt Caswell
matt at openssl.org
Mon Jun 14 09:02:41 UTC 2021
The branch master has been updated
via 8c7c1c84cbaa38a4053404883d666ea8dff81b3a (commit)
from 1c49be8673713d2ceb03a63be03531d9b28a46bd (commit)
- Log -----------------------------------------------------------------
commit 8c7c1c84cbaa38a4053404883d666ea8dff81b3a
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 8 11:49:06 2021 +0100
Add a generic SubjectPublicKeyInfo decoder
Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all of them until a match was found for the correct
key type. Each one would fully decode the key before then testing whether
it was a match or not - throwing it away if not. This was very inefficient.
Instead we introduce a generic SubjectPublicKeyInfo decoder which figures
out what type of key is contained within it, before subsequently passing on
the data to a key type specific SubjectPublicKeyInfo decoder.
Fixes #15646
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15662)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ec_backend.c | 29 +++++
crypto/x509/x_pubkey.c | 17 +++
include/crypto/ec.h | 1 +
include/crypto/x509.h | 4 +
providers/decoders.inc | 5 +
providers/implementations/encode_decode/build.info | 3 +-
.../implementations/encode_decode/decode_der2key.c | 18 +--
.../encode_decode/decode_spki2typespki.c | 124 +++++++++++++++++++++
.../encode_decode/endecoder_common.c | 19 +++-
.../encode_decode/endecoder_local.h | 2 +
.../implementations/include/prov/implementations.h | 1 +
11 files changed, 204 insertions(+), 19 deletions(-)
create mode 100644 providers/implementations/encode_decode/decode_spki2typespki.c
diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c
index defcb649fb..9b4467f2be 100644
--- a/crypto/ec/ec_backend.c
+++ b/crypto/ec/ec_backend.c
@@ -726,6 +726,35 @@ int ossl_ec_pt_format_param2id(const OSSL_PARAM *p, int *id)
}
#ifndef FIPS_MODULE
+int ossl_x509_algor_is_sm2(const X509_ALGOR *palg)
+{
+ int ptype = 0;
+ const void *pval = NULL;
+
+ X509_ALGOR_get0(NULL, &ptype, &pval, palg);
+
+ if (ptype == V_ASN1_OBJECT)
+ return OBJ_obj2nid((ASN1_OBJECT *)pval) == NID_sm2;
+
+ if (ptype == V_ASN1_SEQUENCE) {
+ const ASN1_STRING *str = pval;
+ const unsigned char *der = str->data;
+ int derlen = str->length;
+ EC_GROUP *group;
+ int ret;
+
+ if ((group = d2i_ECPKParameters(NULL, &der, derlen)) == NULL)
+ ret = 0;
+ else
+ ret = (EC_GROUP_get_curve_name(group) == NID_sm2);
+
+ EC_GROUP_free(group);
+ return ret;
+ }
+
+ return 0;
+}
+
EC_KEY *ossl_ec_key_param_from_x509_algor(const X509_ALGOR *palg,
OSSL_LIB_CTX *libctx, const char *propq)
{
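Review bot: The `V_ASN1_SEQUENCE` branch of `ossl_x509_algor_is_sm2` runs `d2i_ECPKParameters()` over explicit curve parameters taken from the input, only to classify the key. The type-detection step therefore fully parses untrusted EC parameters, which the key-type-specific decoder will presumably parse again. A failed parse is also reported the same way as "not SM2", and any error entries `d2i_ECPKParameters()` raised appear to stay on the error queue. The function has no comment, so I would add one stating the contract, e.g. `/* Returns 1 if palg identifies SM2 (by OID or by decoding explicit parameters), 0 otherwise, including when the parameters fail to parse */`. The cast in `OBJ_obj2nid((ASN1_OBJECT *)pval)` drops `const` for no reason; `OBJ_obj2nid(pval)` is enough.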
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index 3f447c4c12..e669ae3574 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -65,6 +65,23 @@ ASN1_SEQUENCE(X509_PUBKEY_INTERNAL) = {
ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING)
} static_ASN1_SEQUENCE_END_name(X509_PUBKEY, X509_PUBKEY_INTERNAL)
+X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp,
+ long len, OSSL_LIB_CTX *libctx)
+{
+ X509_PUBKEY *xpub = OPENSSL_zalloc(sizeof(*xpub));
+
+ if (xpub == NULL)
+ return NULL;
+ return (X509_PUBKEY *)ASN1_item_d2i_ex((ASN1_VALUE **)&xpub, pp, len,
+ ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL),
+ libctx, NULL);
+}
+
+void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub)
+{
+ ASN1_item_free((ASN1_VALUE *)xpub, ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL));
+}
+
static void x509_pubkey_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
{
X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
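Review bot: `ossl_d2i_X509_PUBKEY_INTERNAL` and `ossl_X509_PUBKEY_INTERNAL_free` are added without any comment on what the caller gets back or how to release it. The object is pre-allocated with `OPENSSL_zalloc` and filled through the `X509_PUBKEY_INTERNAL` template, so it appears to hold only the outer algorithm and bit string, with no decoded key attached. A comment above the decoder should say so, and say that the result must be freed with `ossl_X509_PUBKEY_INTERNAL_free()`, e.g. `/* Decodes only the outer SubjectPublicKeyInfo; free with ossl_X509_PUBKEY_INTERNAL_free() */`. It is also worth stating what happens to the pre-allocated `xpub` when `ASN1_item_d2i_ex()` fails; presumably the ASN.1 code frees it, but nothing in the hunk shows that.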
diff --git a/include/crypto/ec.h b/include/crypto/ec.h
index acb14effc9..77972c3650 100644
--- a/include/crypto/ec.h
+++ b/include/crypto/ec.h
@@ -80,6 +80,7 @@ int ossl_ec_key_fromdata(EC_KEY *ecx, const OSSL_PARAM params[],
int ossl_ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]);
int ossl_ec_key_is_foreign(const EC_KEY *ec);
EC_KEY *ossl_ec_key_dup(const EC_KEY *key, int selection);
+int ossl_x509_algor_is_sm2(const X509_ALGOR *palg);
EC_KEY *ossl_ec_key_param_from_x509_algor(const X509_ALGOR *palg,
OSSL_LIB_CTX *libctx,
const char *propq);
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index acb1d7b64a..db83db0c92 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -332,6 +332,10 @@ int ossl_x509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq,
/* Calculate default key identifier according to RFC 5280 section 4.2.1.2 (1) */
ASN1_OCTET_STRING *ossl_x509_pubkey_hash(X509_PUBKEY *pubkey);
+X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp,
+ long len, OSSL_LIB_CTX *libctx);
+void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
+
RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp);
# ifndef OPENSSL_NO_DH
diff --git a/providers/decoders.inc b/providers/decoders.inc
index 02b2b32c3f..b562a45ee9 100644
--- a/providers/decoders.inc
+++ b/providers/decoders.inc
@@ -80,6 +80,11 @@ DECODER_w_structure("RSA-PSS", der, SubjectPublicKeyInfo, rsapss, yes),
DECODER("RSA", msblob, rsa, yes),
DECODER("RSA", pvk, rsa, yes),
+/*
+ * A decoder that takes a SubjectPublicKeyInfo and figures out the types of key
+ * that it contains. The output is the same SubjectPublicKeyInfo
+ */
+DECODER_w_structure("DER", der, SubjectPublicKeyInfo, der, yes),
DECODER("DER", pem, der, yes),
/*
* A decoder that recognises PKCS#8 EncryptedPrivateKeyInfo structure
diff --git a/providers/implementations/encode_decode/build.info b/providers/implementations/encode_decode/build.info
index 22f11cbceb..d3f6ca4abd 100644
--- a/providers/implementations/encode_decode/build.info
+++ b/providers/implementations/encode_decode/build.info
@@ -7,7 +7,8 @@ $DECODER_GOAL=../../libdefault.a
SOURCE[$ENCODER_GOAL]=endecoder_common.c
SOURCE[$DECODER_GOAL]=decode_der2key.c decode_epki2pki.c decode_pem2der.c \
- decode_msblob2key.c decode_pvk2key.c
+ decode_msblob2key.c decode_pvk2key.c \
+ decode_spki2typespki.c
SOURCE[$ENCODER_GOAL]=encode_key2any.c encode_key2text.c encode_key2ms.c
# encode_key2blob.c is only being included when EC is enabled, because we
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
index 7de44ed75d..fd4a7c6e2a 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -93,22 +93,6 @@ struct der2key_ctx_st {
unsigned int flag_fatal : 1;
};
-static int read_der(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
- unsigned char **data, long *len)
-{
- BUF_MEM *mem = NULL;
- BIO *in = ossl_bio_new_from_core_bio(provctx, cin);
- int ok = (asn1_d2i_read_bio(in, &mem) >= 0);
-
- if (ok) {
- *data = (unsigned char *)mem->data;
- *len = (long)mem->length;
- OPENSSL_free(mem);
- }
- BIO_free(in);
- return ok;
-}
-
typedef void *key_from_pkcs8_t(const PKCS8_PRIV_KEY_INFO *p8inf,
OSSL_LIB_CTX *libctx, const char *propq);
static void *der2key_decode_p8(const unsigned char **input_der,
@@ -214,7 +198,7 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
return 0;
}
- ok = read_der(ctx->provctx, cin, &der, &der_len);
+ ok = ossl_read_der(ctx->provctx, cin, &der, &der_len);
if (!ok)
goto next;
diff --git a/providers/implementations/encode_decode/decode_spki2typespki.c b/providers/implementations/encode_decode/decode_spki2typespki.c
new file mode 100644
index 0000000000..3a4c83e8b5
--- /dev/null
+++ b/providers/implementations/encode_decode/decode_spki2typespki.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/asn1t.h>
+#include <openssl/core_names.h>
+#include <openssl/core_object.h>
+#include <openssl/params.h>
+#include <openssl/x509.h>
+#include "internal/sizes.h"
+#include "crypto/x509.h"
+#include "crypto/ec.h"
+#include "prov/bio.h"
+#include "prov/implementations.h"
+#include "endecoder_local.h"
+
+static OSSL_FUNC_decoder_newctx_fn spki2typespki_newctx;
+static OSSL_FUNC_decoder_freectx_fn spki2typespki_freectx;
+static OSSL_FUNC_decoder_decode_fn spki2typespki_decode;
+
+/*
+ * Context used for SubjectPublicKeyInfo to Type specific SubjectPublicKeyInfo
+ * decoding.
+ */
+struct spki2typespki_ctx_st {
+ PROV_CTX *provctx;
+};
+
+static void *spki2typespki_newctx(void *provctx)
+{
+ struct spki2typespki_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+ if (ctx != NULL)
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void spki2typespki_freectx(void *vctx)
+{
+ struct spki2typespki_ctx_st *ctx = vctx;
+
+ OPENSSL_free(ctx);
+}
+
+static int spki2typespki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
+ OSSL_CALLBACK *data_cb, void *data_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+ struct spki2typespki_ctx_st *ctx = vctx;
+ unsigned char *der, *derp;
+ long len;
+ int ok = 0;
+ int objtype = OSSL_OBJECT_PKEY;
+ X509_PUBKEY *xpub = NULL;
+ X509_ALGOR *algor = NULL;
+ const ASN1_OBJECT *oid = NULL;
+ char dataname[OSSL_MAX_NAME_SIZE];
+ OSSL_PARAM params[5], *p = params;
+
+ if (!ossl_read_der(ctx->provctx, cin, &der, &len))
+ return 1;
+ derp = der;
+ xpub = ossl_d2i_X509_PUBKEY_INTERNAL((const unsigned char **)&derp, len,
+ PROV_LIBCTX_OF(ctx->provctx));
+
+
+ if (xpub == NULL) {
+ /* We return "empty handed". This is not an error. */
+ ok = 1;
+ goto end;
+ }
+
+ if (!X509_PUBKEY_get0_param(NULL, NULL, NULL, &algor, xpub))
+ goto end;
+ X509_ALGOR_get0(&oid, NULL, NULL, algor);
+
+#ifndef OPENSSL_NO_EC
+ /* SM2 abuses the EC oid, so this could actually be SM2 */
+ if (OBJ_obj2nid(oid) == NID_X9_62_id_ecPublicKey
+ && ossl_x509_algor_is_sm2(algor))
+ strcpy(dataname, "SM2");
+ else
+#endif
+ if (!OBJ_obj2txt(dataname, sizeof(dataname), oid, 0))
+ goto end;
+
+ ossl_X509_PUBKEY_INTERNAL_free(xpub);
+ xpub = NULL;
+
+ *p++ =
+ OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE,
+ dataname, 0);
+
+ *p++ =
+ OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_STRUCTURE,
+ "SubjectPublicKeyInfo",
+ 0);
+ *p++ =
+ OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_DATA, der, len);
+ *p++ =
+ OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &objtype);
+
+ *p = OSSL_PARAM_construct_end();
+
+ ok = data_cb(params, data_cbarg);
+
+ end:
+ ossl_X509_PUBKEY_INTERNAL_free(xpub);
+ OPENSSL_free(der);
+ return ok;
+}
+
+const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_der_decoder_functions[] = {
+ { OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))spki2typespki_newctx },
+ { OSSL_FUNC_DECODER_FREECTX, (void (*)(void))spki2typespki_freectx },
+ { OSSL_FUNC_DECODER_DECODE, (void (*)(void))spki2typespki_decode },
+ { 0, NULL }
+};
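Review bot: The `OBJ_obj2txt()` check in `spki2typespki_decode` only treats a return of 0 as failure, so a negative error return falls through and `dataname` is passed to `OSSL_PARAM_construct_utf8_string()` without having been set. Because `dataname` selects the type-specific decoder for untrusted input, the test should be `if (OBJ_obj2txt(dataname, sizeof(dataname), oid, 0) <= 0)`. A return value of `sizeof(dataname)` or more means the name was truncated, and that case is accepted silently as well; it would be safer to reject it. Separately, `derp` is never compared with `der + len` after the parse, so trailing bytes after the SubjectPublicKeyInfo are forwarded unchanged in `OSSL_OBJECT_PARAM_DATA`; a comment saying whether that is intended would help.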
diff --git a/providers/implementations/encode_decode/endecoder_common.c b/providers/implementations/encode_decode/endecoder_common.c
index c85fe915ac..7d26e2a340 100644
--- a/providers/implementations/encode_decode/endecoder_common.c
+++ b/providers/implementations/encode_decode/endecoder_common.c
@@ -8,7 +8,9 @@
*/
#include <openssl/core.h>
-
+#include <openssl/buffer.h>
+#include "internal/asn1.h"
+#include "prov/bio.h"
#include "endecoder_local.h"
OSSL_FUNC_keymgmt_new_fn *
@@ -82,3 +84,18 @@ void ossl_prov_free_key(const OSSL_DISPATCH *fns, void *key)
kmgmt_free(key);
}
+int ossl_read_der(PROV_CTX *provctx, OSSL_CORE_BIO *cin, unsigned char **data,
+ long *len)
+{
+ BUF_MEM *mem = NULL;
+ BIO *in = ossl_bio_new_from_core_bio(provctx, cin);
+ int ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+
+ if (ok) {
+ *data = (unsigned char *)mem->data;
+ *len = (long)mem->length;
+ OPENSSL_free(mem);
+ }
+ BIO_free(in);
+ return ok;
+}
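Review bot: `ossl_read_der` passes the result of `ossl_bio_new_from_core_bio()` straight to `asn1_d2i_read_bio()` without a NULL check, so a failed BIO creation reaches the reader with a NULL `in`. Now that the helper is shared by more than one decoder, add `if (in == NULL) return 0;` before the read; `ok` would then have to be assigned after that check rather than in its initialiser. The function also needs a comment on ownership: on success only the `BUF_MEM` container is freed here, and `*data` is handed to the caller, who must release it with `OPENSSL_free()`.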
diff --git a/providers/implementations/encode_decode/endecoder_local.h b/providers/implementations/encode_decode/endecoder_local.h
index ab431b8086..96941e4d16 100644
--- a/providers/implementations/encode_decode/endecoder_local.h
+++ b/providers/implementations/encode_decode/endecoder_local.h
@@ -24,3 +24,5 @@ int ossl_prov_der_from_p8(unsigned char **new_der, long *new_der_len,
void *ossl_prov_import_key(const OSSL_DISPATCH *fns, void *provctx,
int selection, const OSSL_PARAM params[]);
void ossl_prov_free_key(const OSSL_DISPATCH *fns, void *key);
+int ossl_read_der(PROV_CTX *provctx, OSSL_CORE_BIO *cin, unsigned char **data,
+ long *len);
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h
index 7b59e7308d..855bd90919 100644
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -484,6 +484,7 @@ extern const OSSL_DISPATCH ossl_PrivateKeyInfo_der_to_rsapss_decoder_functions[]
extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_rsapss_decoder_functions[];
extern const OSSL_DISPATCH ossl_EncryptedPrivateKeyInfo_der_to_der_decoder_functions[];
+extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_der_decoder_functions[];
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
extern const OSSL_DISPATCH ossl_file_store_functions[];