1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * Public Key layer for parsing key files and structures 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 22 #if !defined(MBEDTLS_CONFIG_FILE) 23 #include "mbedtls/config.h" 24 #else 25 #include MBEDTLS_CONFIG_FILE 26 #endif 27 28 #if defined(MBEDTLS_PK_PARSE_C) 29 30 #include "mbedtls/pk.h" 31 #include "mbedtls/asn1.h" 32 #include "mbedtls/oid.h" 33 #include "mbedtls/platform_util.h" 34 #include "mbedtls/error.h" 35 36 #include <string.h> 37 38 #if defined(MBEDTLS_RSA_C) 39 #include "mbedtls/rsa.h" 40 #endif 41 #if defined(MBEDTLS_ECP_C) 42 #include "mbedtls/ecp.h" 43 #endif 44 #if defined(MBEDTLS_ECDSA_C) 45 #include "mbedtls/ecdsa.h" 46 #endif 47 #if defined(MBEDTLS_PEM_PARSE_C) 48 #include "mbedtls/pem.h" 49 #endif 50 #if defined(MBEDTLS_PKCS5_C) 51 #include "mbedtls/pkcs5.h" 52 #endif 53 #if defined(MBEDTLS_PKCS12_C) 54 #include "mbedtls/pkcs12.h" 55 #endif 56 57 #if defined(MBEDTLS_PLATFORM_C) 58 #include "mbedtls/platform.h" 59 #else 60 #include <stdlib.h> 61 #define mbedtls_calloc calloc 62 #define mbedtls_free free 63 #endif 64 65 /* Parameter validation macros based on platform_util.h */ 66 #define PK_VALIDATE_RET( cond ) \ 67 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA ) 68 #define PK_VALIDATE( cond ) \ 69 MBEDTLS_INTERNAL_VALIDATE( cond ) 70 71 #if defined(MBEDTLS_FS_IO) 72 /* 73 * Load all data from a file into a given buffer. 74 * 75 * The file is expected to contain either PEM or DER encoded data. 76 * A terminating null byte is always appended. It is included in the announced 77 * length only if the data looks like it is PEM encoded. 78 */ 79 int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) 80 { 81 FILE *f; 82 long size; 83 84 PK_VALIDATE_RET( path != NULL ); 85 PK_VALIDATE_RET( buf != NULL ); 86 PK_VALIDATE_RET( n != NULL ); 87 88 if( ( f = fopen( path, "rb" ) ) == NULL ) 89 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 90 91 fseek( f, 0, SEEK_END ); 92 if( ( size = ftell( f ) ) == -1 ) 93 { 94 fclose( f ); 95 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 96 } 97 fseek( f, 0, SEEK_SET ); 98 99 *n = (size_t) size; 100 101 if( *n + 1 == 0 || 102 ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL ) 103 { 104 fclose( f ); 105 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 106 } 107 108 if( fread( *buf, 1, *n, f ) != *n ) 109 { 110 fclose( f ); 111 112 mbedtls_platform_zeroize( *buf, *n ); 113 mbedtls_free( *buf ); 114 115 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 116 } 117 118 fclose( f ); 119 120 (*buf)[*n] = '\0'; 121 122 if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL ) 123 ++*n; 124 125 return( 0 ); 126 } 127 128 /* 129 * Load and parse a private key 130 */ 131 int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, 132 const char *path, const char *pwd ) 133 { 134 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 135 size_t n; 136 unsigned char *buf; 137 138 PK_VALIDATE_RET( ctx != NULL ); 139 PK_VALIDATE_RET( path != NULL ); 140 141 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 142 return( ret ); 143 144 if( pwd == NULL ) 145 ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 ); 146 else 147 ret = mbedtls_pk_parse_key( ctx, buf, n, 148 (const unsigned char *) pwd, strlen( pwd ) ); 149 150 mbedtls_platform_zeroize( buf, n ); 151 mbedtls_free( buf ); 152 153 return( ret ); 154 } 155 156 /* 157 * Load and parse a public key 158 */ 159 int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path ) 160 { 161 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 162 size_t n; 163 unsigned char *buf; 164 165 PK_VALIDATE_RET( ctx != NULL ); 166 PK_VALIDATE_RET( path != NULL ); 167 168 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 169 return( ret ); 170 171 ret = mbedtls_pk_parse_public_key( ctx, buf, n ); 172 173 mbedtls_platform_zeroize( buf, n ); 174 mbedtls_free( buf ); 175 176 return( ret ); 177 } 178 #endif /* MBEDTLS_FS_IO */ 179 180 #if defined(MBEDTLS_ECP_C) 181 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf 182 * 183 * ECParameters ::= CHOICE { 184 * namedCurve OBJECT IDENTIFIER 185 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 186 * -- implicitCurve NULL 187 * } 188 */ 189 static int pk_get_ecparams( unsigned char **p, const unsigned char *end, 190 mbedtls_asn1_buf *params ) 191 { 192 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 193 194 if ( end - *p < 1 ) 195 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 196 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 197 198 /* Tag may be either OID or SEQUENCE */ 199 params->tag = **p; 200 if( params->tag != MBEDTLS_ASN1_OID 201 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 202 && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) 203 #endif 204 ) 205 { 206 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 207 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 208 } 209 210 if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 ) 211 { 212 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 213 } 214 215 params->p = *p; 216 *p += params->len; 217 218 if( *p != end ) 219 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 220 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 221 222 return( 0 ); 223 } 224 225 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 226 /* 227 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. 228 * WARNING: the resulting group should only be used with 229 * pk_group_id_from_specified(), since its base point may not be set correctly 230 * if it was encoded compressed. 231 * 232 * SpecifiedECDomain ::= SEQUENCE { 233 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...), 234 * fieldID FieldID {{FieldTypes}}, 235 * curve Curve, 236 * base ECPoint, 237 * order INTEGER, 238 * cofactor INTEGER OPTIONAL, 239 * hash HashAlgorithm OPTIONAL, 240 * ... 241 * } 242 * 243 * We only support prime-field as field type, and ignore hash and cofactor. 244 */ 245 static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 246 { 247 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 248 unsigned char *p = params->p; 249 const unsigned char * const end = params->p + params->len; 250 const unsigned char *end_field, *end_curve; 251 size_t len; 252 int ver; 253 254 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */ 255 if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 ) 256 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 257 258 if( ver < 1 || ver > 3 ) 259 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 260 261 /* 262 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field 263 * fieldType FIELD-ID.&id({IOSet}), 264 * parameters FIELD-ID.&Type({IOSet}{@fieldType}) 265 * } 266 */ 267 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 268 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 269 return( ret ); 270 271 end_field = p + len; 272 273 /* 274 * FIELD-ID ::= TYPE-IDENTIFIER 275 * FieldTypes FIELD-ID ::= { 276 * { Prime-p IDENTIFIED BY prime-field } | 277 * { Characteristic-two IDENTIFIED BY characteristic-two-field } 278 * } 279 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 280 */ 281 if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 ) 282 return( ret ); 283 284 if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) || 285 memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 ) 286 { 287 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 288 } 289 290 p += len; 291 292 /* Prime-p ::= INTEGER -- Field of size p. */ 293 if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 ) 294 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 295 296 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 297 298 if( p != end_field ) 299 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 300 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 301 302 /* 303 * Curve ::= SEQUENCE { 304 * a FieldElement, 305 * b FieldElement, 306 * seed BIT STRING OPTIONAL 307 * -- Shall be present if used in SpecifiedECDomain 308 * -- with version equal to ecdpVer2 or ecdpVer3 309 * } 310 */ 311 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 312 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 313 return( ret ); 314 315 end_curve = p + len; 316 317 /* 318 * FieldElement ::= OCTET STRING 319 * containing an integer in the case of a prime field 320 */ 321 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 322 ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 ) 323 { 324 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 325 } 326 327 p += len; 328 329 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 330 ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 ) 331 { 332 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 333 } 334 335 p += len; 336 337 /* Ignore seed BIT STRING OPTIONAL */ 338 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 ) 339 p += len; 340 341 if( p != end_curve ) 342 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 343 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 344 345 /* 346 * ECPoint ::= OCTET STRING 347 */ 348 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 349 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 350 351 if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G, 352 ( const unsigned char *) p, len ) ) != 0 ) 353 { 354 /* 355 * If we can't read the point because it's compressed, cheat by 356 * reading only the X coordinate and the parity bit of Y. 357 */ 358 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE || 359 ( p[0] != 0x02 && p[0] != 0x03 ) || 360 len != mbedtls_mpi_size( &grp->P ) + 1 || 361 mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 || 362 mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 || 363 mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 ) 364 { 365 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 366 } 367 } 368 369 p += len; 370 371 /* 372 * order INTEGER 373 */ 374 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 ) 375 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 376 377 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 378 379 /* 380 * Allow optional elements by purposefully not enforcing p == end here. 381 */ 382 383 return( 0 ); 384 } 385 386 /* 387 * Find the group id associated with an (almost filled) group as generated by 388 * pk_group_from_specified(), or return an error if unknown. 389 */ 390 static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id ) 391 { 392 int ret = 0; 393 mbedtls_ecp_group ref; 394 const mbedtls_ecp_group_id *id; 395 396 mbedtls_ecp_group_init( &ref ); 397 398 for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ ) 399 { 400 /* Load the group associated to that id */ 401 mbedtls_ecp_group_free( &ref ); 402 MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) ); 403 404 /* Compare to the group we were given, starting with easy tests */ 405 if( grp->pbits == ref.pbits && grp->nbits == ref.nbits && 406 mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 && 407 mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 && 408 mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 && 409 mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 && 410 mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 && 411 mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 && 412 /* For Y we may only know the parity bit, so compare only that */ 413 mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) ) 414 { 415 break; 416 } 417 418 } 419 420 cleanup: 421 mbedtls_ecp_group_free( &ref ); 422 423 *grp_id = *id; 424 425 if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE ) 426 ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; 427 428 return( ret ); 429 } 430 431 /* 432 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID 433 */ 434 static int pk_group_id_from_specified( const mbedtls_asn1_buf *params, 435 mbedtls_ecp_group_id *grp_id ) 436 { 437 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 438 mbedtls_ecp_group grp; 439 440 mbedtls_ecp_group_init( &grp ); 441 442 if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 ) 443 goto cleanup; 444 445 ret = pk_group_id_from_group( &grp, grp_id ); 446 447 cleanup: 448 mbedtls_ecp_group_free( &grp ); 449 450 return( ret ); 451 } 452 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ 453 454 /* 455 * Use EC parameters to initialise an EC group 456 * 457 * ECParameters ::= CHOICE { 458 * namedCurve OBJECT IDENTIFIER 459 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 460 * -- implicitCurve NULL 461 */ 462 static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 463 { 464 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 465 mbedtls_ecp_group_id grp_id; 466 467 if( params->tag == MBEDTLS_ASN1_OID ) 468 { 469 if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 ) 470 return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE ); 471 } 472 else 473 { 474 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 475 if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 ) 476 return( ret ); 477 #else 478 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 479 #endif 480 } 481 482 /* 483 * grp may already be initilialized; if so, make sure IDs match 484 */ 485 if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id ) 486 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 487 488 if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 ) 489 return( ret ); 490 491 return( 0 ); 492 } 493 494 /* 495 * EC public key is an EC point 496 * 497 * The caller is responsible for clearing the structure upon failure if 498 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE 499 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. 500 */ 501 static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end, 502 mbedtls_ecp_keypair *key ) 503 { 504 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 505 506 if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q, 507 (const unsigned char *) *p, end - *p ) ) == 0 ) 508 { 509 ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q ); 510 } 511 512 /* 513 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed 514 */ 515 *p = (unsigned char *) end; 516 517 return( ret ); 518 } 519 #endif /* MBEDTLS_ECP_C */ 520 521 #if defined(MBEDTLS_RSA_C) 522 /* 523 * RSAPublicKey ::= SEQUENCE { 524 * modulus INTEGER, -- n 525 * publicExponent INTEGER -- e 526 * } 527 */ 528 static int pk_get_rsapubkey( unsigned char **p, 529 const unsigned char *end, 530 mbedtls_rsa_context *rsa ) 531 { 532 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 533 size_t len; 534 535 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 536 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 537 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 538 539 if( *p + len != end ) 540 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 541 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 542 543 /* Import N */ 544 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 545 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 546 547 if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0, 548 NULL, 0, NULL, 0 ) ) != 0 ) 549 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 550 551 *p += len; 552 553 /* Import E */ 554 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 555 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 556 557 if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0, 558 NULL, 0, *p, len ) ) != 0 ) 559 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 560 561 *p += len; 562 563 if( mbedtls_rsa_complete( rsa ) != 0 || 564 mbedtls_rsa_check_pubkey( rsa ) != 0 ) 565 { 566 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 567 } 568 569 if( *p != end ) 570 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 571 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 572 573 return( 0 ); 574 } 575 #endif /* MBEDTLS_RSA_C */ 576 577 /* Get a PK algorithm identifier 578 * 579 * AlgorithmIdentifier ::= SEQUENCE { 580 * algorithm OBJECT IDENTIFIER, 581 * parameters ANY DEFINED BY algorithm OPTIONAL } 582 */ 583 static int pk_get_pk_alg( unsigned char **p, 584 const unsigned char *end, 585 mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params ) 586 { 587 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 588 mbedtls_asn1_buf alg_oid; 589 590 memset( params, 0, sizeof(mbedtls_asn1_buf) ); 591 592 if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 ) 593 return( MBEDTLS_ERR_PK_INVALID_ALG + ret ); 594 595 if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 ) 596 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 597 598 /* 599 * No parameters with RSA (only for EC) 600 */ 601 if( *pk_alg == MBEDTLS_PK_RSA && 602 ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) || 603 params->len != 0 ) ) 604 { 605 return( MBEDTLS_ERR_PK_INVALID_ALG ); 606 } 607 608 return( 0 ); 609 } 610 611 /* 612 * SubjectPublicKeyInfo ::= SEQUENCE { 613 * algorithm AlgorithmIdentifier, 614 * subjectPublicKey BIT STRING } 615 */ 616 int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end, 617 mbedtls_pk_context *pk ) 618 { 619 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 620 size_t len; 621 mbedtls_asn1_buf alg_params; 622 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 623 const mbedtls_pk_info_t *pk_info; 624 625 PK_VALIDATE_RET( p != NULL ); 626 PK_VALIDATE_RET( *p != NULL ); 627 PK_VALIDATE_RET( end != NULL ); 628 PK_VALIDATE_RET( pk != NULL ); 629 630 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 631 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 632 { 633 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 634 } 635 636 end = *p + len; 637 638 if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 ) 639 return( ret ); 640 641 if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 ) 642 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 643 644 if( *p + len != end ) 645 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 646 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 647 648 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 649 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 650 651 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 652 return( ret ); 653 654 #if defined(MBEDTLS_RSA_C) 655 if( pk_alg == MBEDTLS_PK_RSA ) 656 { 657 ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) ); 658 } else 659 #endif /* MBEDTLS_RSA_C */ 660 #if defined(MBEDTLS_ECP_C) 661 if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY ) 662 { 663 ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp ); 664 if( ret == 0 ) 665 ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) ); 666 } else 667 #endif /* MBEDTLS_ECP_C */ 668 ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 669 670 if( ret == 0 && *p != end ) 671 ret = MBEDTLS_ERR_PK_INVALID_PUBKEY 672 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 673 674 if( ret != 0 ) 675 mbedtls_pk_free( pk ); 676 677 return( ret ); 678 } 679 680 #if defined(MBEDTLS_RSA_C) 681 /* 682 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. 683 * 684 * The value zero is: 685 * - never a valid value for an RSA parameter 686 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). 687 * 688 * Since values can't be omitted in PKCS#1, passing a zero value to 689 * rsa_complete() would be incorrect, so reject zero values early. 690 */ 691 static int asn1_get_nonzero_mpi( unsigned char **p, 692 const unsigned char *end, 693 mbedtls_mpi *X ) 694 { 695 int ret; 696 697 ret = mbedtls_asn1_get_mpi( p, end, X ); 698 if( ret != 0 ) 699 return( ret ); 700 701 if( mbedtls_mpi_cmp_int( X, 0 ) == 0 ) 702 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 703 704 return( 0 ); 705 } 706 707 /* 708 * Parse a PKCS#1 encoded private RSA key 709 */ 710 static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa, 711 const unsigned char *key, 712 size_t keylen ) 713 { 714 int ret, version; 715 size_t len; 716 unsigned char *p, *end; 717 718 mbedtls_mpi T; 719 mbedtls_mpi_init( &T ); 720 721 p = (unsigned char *) key; 722 end = p + keylen; 723 724 /* 725 * This function parses the RSAPrivateKey (PKCS#1) 726 * 727 * RSAPrivateKey ::= SEQUENCE { 728 * version Version, 729 * modulus INTEGER, -- n 730 * publicExponent INTEGER, -- e 731 * privateExponent INTEGER, -- d 732 * prime1 INTEGER, -- p 733 * prime2 INTEGER, -- q 734 * exponent1 INTEGER, -- d mod (p-1) 735 * exponent2 INTEGER, -- d mod (q-1) 736 * coefficient INTEGER, -- (inverse of q) mod p 737 * otherPrimeInfos OtherPrimeInfos OPTIONAL 738 * } 739 */ 740 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 741 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 742 { 743 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 744 } 745 746 end = p + len; 747 748 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 749 { 750 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 751 } 752 753 if( version != 0 ) 754 { 755 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 756 } 757 758 /* Import N */ 759 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 760 ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL, 761 NULL, NULL ) ) != 0 ) 762 goto cleanup; 763 764 /* Import E */ 765 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 766 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL, 767 NULL, &T ) ) != 0 ) 768 goto cleanup; 769 770 /* Import D */ 771 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 772 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL, 773 &T, NULL ) ) != 0 ) 774 goto cleanup; 775 776 /* Import P */ 777 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 778 ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL, 779 NULL, NULL ) ) != 0 ) 780 goto cleanup; 781 782 /* Import Q */ 783 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 784 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T, 785 NULL, NULL ) ) != 0 ) 786 goto cleanup; 787 788 #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) 789 /* 790 * The RSA CRT parameters DP, DQ and QP are nominally redundant, in 791 * that they can be easily recomputed from D, P and Q. However by 792 * parsing them from the PKCS1 structure it is possible to avoid 793 * recalculating them which both reduces the overhead of loading 794 * RSA private keys into memory and also avoids side channels which 795 * can arise when computing those values, since all of D, P, and Q 796 * are secret. See https://eprint.iacr.org/2020/055 for a 797 * description of one such attack. 798 */ 799 800 /* Import DP */ 801 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 802 ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 ) 803 goto cleanup; 804 805 /* Import DQ */ 806 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 807 ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 ) 808 goto cleanup; 809 810 /* Import QP */ 811 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 812 ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 ) 813 goto cleanup; 814 815 #else 816 /* Verify existance of the CRT params */ 817 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 818 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 819 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ) 820 goto cleanup; 821 #endif 822 823 /* rsa_complete() doesn't complete anything with the default 824 * implementation but is still called: 825 * - for the benefit of alternative implementation that may want to 826 * pre-compute stuff beyond what's provided (eg Montgomery factors) 827 * - as is also sanity-checks the key 828 * 829 * Furthermore, we also check the public part for consistency with 830 * mbedtls_pk_parse_pubkey(), as it includes size minima for example. 831 */ 832 if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 || 833 ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 ) 834 { 835 goto cleanup; 836 } 837 838 if( p != end ) 839 { 840 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 841 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ; 842 } 843 844 cleanup: 845 846 mbedtls_mpi_free( &T ); 847 848 if( ret != 0 ) 849 { 850 /* Wrap error code if it's coming from a lower level */ 851 if( ( ret & 0xff80 ) == 0 ) 852 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret; 853 else 854 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 855 856 mbedtls_rsa_free( rsa ); 857 } 858 859 return( ret ); 860 } 861 #endif /* MBEDTLS_RSA_C */ 862 863 #if defined(MBEDTLS_ECP_C) 864 /* 865 * Parse a SEC1 encoded private EC key 866 */ 867 static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, 868 const unsigned char *key, 869 size_t keylen ) 870 { 871 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 872 int version, pubkey_done; 873 size_t len; 874 mbedtls_asn1_buf params; 875 unsigned char *p = (unsigned char *) key; 876 unsigned char *end = p + keylen; 877 unsigned char *end2; 878 879 /* 880 * RFC 5915, or SEC1 Appendix C.4 881 * 882 * ECPrivateKey ::= SEQUENCE { 883 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), 884 * privateKey OCTET STRING, 885 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, 886 * publicKey [1] BIT STRING OPTIONAL 887 * } 888 */ 889 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 890 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 891 { 892 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 893 } 894 895 end = p + len; 896 897 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 898 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 899 900 if( version != 1 ) 901 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 902 903 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 904 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 905 906 if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 ) 907 { 908 mbedtls_ecp_keypair_free( eck ); 909 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 910 } 911 912 p += len; 913 914 pubkey_done = 0; 915 if( p != end ) 916 { 917 /* 918 * Is 'parameters' present? 919 */ 920 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 921 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 ) 922 { 923 if( ( ret = pk_get_ecparams( &p, p + len, ¶ms) ) != 0 || 924 ( ret = pk_use_ecparams( ¶ms, &eck->grp ) ) != 0 ) 925 { 926 mbedtls_ecp_keypair_free( eck ); 927 return( ret ); 928 } 929 } 930 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 931 { 932 mbedtls_ecp_keypair_free( eck ); 933 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 934 } 935 } 936 937 if( p != end ) 938 { 939 /* 940 * Is 'publickey' present? If not, or if we can't read it (eg because it 941 * is compressed), create it from the private key. 942 */ 943 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 944 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 ) 945 { 946 end2 = p + len; 947 948 if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 ) 949 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 950 951 if( p + len != end2 ) 952 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 953 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 954 955 if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 ) 956 pubkey_done = 1; 957 else 958 { 959 /* 960 * The only acceptable failure mode of pk_get_ecpubkey() above 961 * is if the point format is not recognized. 962 */ 963 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ) 964 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 965 } 966 } 967 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 968 { 969 mbedtls_ecp_keypair_free( eck ); 970 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 971 } 972 } 973 974 if( ! pubkey_done && 975 ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G, 976 NULL, NULL ) ) != 0 ) 977 { 978 mbedtls_ecp_keypair_free( eck ); 979 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 980 } 981 982 if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 ) 983 { 984 mbedtls_ecp_keypair_free( eck ); 985 return( ret ); 986 } 987 988 return( 0 ); 989 } 990 #endif /* MBEDTLS_ECP_C */ 991 992 /* 993 * Parse an unencrypted PKCS#8 encoded private key 994 * 995 * Notes: 996 * 997 * - This function does not own the key buffer. It is the 998 * responsibility of the caller to take care of zeroizing 999 * and freeing it after use. 1000 * 1001 * - The function is responsible for freeing the provided 1002 * PK context on failure. 1003 * 1004 */ 1005 static int pk_parse_key_pkcs8_unencrypted_der( 1006 mbedtls_pk_context *pk, 1007 const unsigned char* key, 1008 size_t keylen ) 1009 { 1010 int ret, version; 1011 size_t len; 1012 mbedtls_asn1_buf params; 1013 unsigned char *p = (unsigned char *) key; 1014 unsigned char *end = p + keylen; 1015 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 1016 const mbedtls_pk_info_t *pk_info; 1017 1018 /* 1019 * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208) 1020 * 1021 * PrivateKeyInfo ::= SEQUENCE { 1022 * version Version, 1023 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, 1024 * privateKey PrivateKey, 1025 * attributes [0] IMPLICIT Attributes OPTIONAL } 1026 * 1027 * Version ::= INTEGER 1028 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier 1029 * PrivateKey ::= OCTET STRING 1030 * 1031 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey 1032 */ 1033 1034 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1035 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1036 { 1037 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1038 } 1039 1040 end = p + len; 1041 1042 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 1043 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1044 1045 if( version != 0 ) 1046 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret ); 1047 1048 if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 ) 1049 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1050 1051 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1052 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1053 1054 if( len < 1 ) 1055 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 1056 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 1057 1058 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 1059 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1060 1061 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 1062 return( ret ); 1063 1064 #if defined(MBEDTLS_RSA_C) 1065 if( pk_alg == MBEDTLS_PK_RSA ) 1066 { 1067 if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 ) 1068 { 1069 mbedtls_pk_free( pk ); 1070 return( ret ); 1071 } 1072 } else 1073 #endif /* MBEDTLS_RSA_C */ 1074 #if defined(MBEDTLS_ECP_C) 1075 if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH ) 1076 { 1077 if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 || 1078 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 ) 1079 { 1080 mbedtls_pk_free( pk ); 1081 return( ret ); 1082 } 1083 } else 1084 #endif /* MBEDTLS_ECP_C */ 1085 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1086 1087 return( 0 ); 1088 } 1089 1090 /* 1091 * Parse an encrypted PKCS#8 encoded private key 1092 * 1093 * To save space, the decryption happens in-place on the given key buffer. 1094 * Also, while this function may modify the keybuffer, it doesn't own it, 1095 * and instead it is the responsibility of the caller to zeroize and properly 1096 * free it after use. 1097 * 1098 */ 1099 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1100 static int pk_parse_key_pkcs8_encrypted_der( 1101 mbedtls_pk_context *pk, 1102 unsigned char *key, size_t keylen, 1103 const unsigned char *pwd, size_t pwdlen ) 1104 { 1105 int ret, decrypted = 0; 1106 size_t len; 1107 unsigned char *buf; 1108 unsigned char *p, *end; 1109 mbedtls_asn1_buf pbe_alg_oid, pbe_params; 1110 #if defined(MBEDTLS_PKCS12_C) 1111 mbedtls_cipher_type_t cipher_alg; 1112 mbedtls_md_type_t md_alg; 1113 #endif 1114 1115 p = key; 1116 end = p + keylen; 1117 1118 if( pwdlen == 0 ) 1119 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1120 1121 /* 1122 * This function parses the EncryptedPrivateKeyInfo object (PKCS#8) 1123 * 1124 * EncryptedPrivateKeyInfo ::= SEQUENCE { 1125 * encryptionAlgorithm EncryptionAlgorithmIdentifier, 1126 * encryptedData EncryptedData 1127 * } 1128 * 1129 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1130 * 1131 * EncryptedData ::= OCTET STRING 1132 * 1133 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo 1134 * 1135 */ 1136 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1137 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1138 { 1139 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1140 } 1141 1142 end = p + len; 1143 1144 if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 ) 1145 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1146 1147 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1148 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1149 1150 buf = p; 1151 1152 /* 1153 * Decrypt EncryptedData with appropriate PBE 1154 */ 1155 #if defined(MBEDTLS_PKCS12_C) 1156 if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 ) 1157 { 1158 if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, 1159 cipher_alg, md_alg, 1160 pwd, pwdlen, p, len, buf ) ) != 0 ) 1161 { 1162 if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH ) 1163 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1164 1165 return( ret ); 1166 } 1167 1168 decrypted = 1; 1169 } 1170 else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 ) 1171 { 1172 if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params, 1173 MBEDTLS_PKCS12_PBE_DECRYPT, 1174 pwd, pwdlen, 1175 p, len, buf ) ) != 0 ) 1176 { 1177 return( ret ); 1178 } 1179 1180 // Best guess for password mismatch when using RC4. If first tag is 1181 // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE 1182 // 1183 if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 1184 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1185 1186 decrypted = 1; 1187 } 1188 else 1189 #endif /* MBEDTLS_PKCS12_C */ 1190 #if defined(MBEDTLS_PKCS5_C) 1191 if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 ) 1192 { 1193 if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, 1194 p, len, buf ) ) != 0 ) 1195 { 1196 if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH ) 1197 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1198 1199 return( ret ); 1200 } 1201 1202 decrypted = 1; 1203 } 1204 else 1205 #endif /* MBEDTLS_PKCS5_C */ 1206 { 1207 ((void) pwd); 1208 } 1209 1210 if( decrypted == 0 ) 1211 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 1212 1213 return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) ); 1214 } 1215 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1216 1217 /* 1218 * Parse a private key 1219 */ 1220 int mbedtls_pk_parse_key( mbedtls_pk_context *pk, 1221 const unsigned char *key, size_t keylen, 1222 const unsigned char *pwd, size_t pwdlen ) 1223 { 1224 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1225 const mbedtls_pk_info_t *pk_info; 1226 #if defined(MBEDTLS_PEM_PARSE_C) 1227 size_t len; 1228 mbedtls_pem_context pem; 1229 #endif 1230 1231 PK_VALIDATE_RET( pk != NULL ); 1232 if( keylen == 0 ) 1233 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1234 PK_VALIDATE_RET( key != NULL ); 1235 1236 #if defined(MBEDTLS_PEM_PARSE_C) 1237 mbedtls_pem_init( &pem ); 1238 1239 #if defined(MBEDTLS_RSA_C) 1240 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1241 if( key[keylen - 1] != '\0' ) 1242 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1243 else 1244 ret = mbedtls_pem_read_buffer( &pem, 1245 "-----BEGIN RSA PRIVATE KEY-----", 1246 "-----END RSA PRIVATE KEY-----", 1247 key, pwd, pwdlen, &len ); 1248 1249 if( ret == 0 ) 1250 { 1251 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1252 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1253 ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), 1254 pem.buf, pem.buflen ) ) != 0 ) 1255 { 1256 mbedtls_pk_free( pk ); 1257 } 1258 1259 mbedtls_pem_free( &pem ); 1260 return( ret ); 1261 } 1262 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1263 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1264 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1265 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1266 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1267 return( ret ); 1268 #endif /* MBEDTLS_RSA_C */ 1269 1270 #if defined(MBEDTLS_ECP_C) 1271 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1272 if( key[keylen - 1] != '\0' ) 1273 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1274 else 1275 ret = mbedtls_pem_read_buffer( &pem, 1276 "-----BEGIN EC PRIVATE KEY-----", 1277 "-----END EC PRIVATE KEY-----", 1278 key, pwd, pwdlen, &len ); 1279 if( ret == 0 ) 1280 { 1281 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1282 1283 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1284 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1285 pem.buf, pem.buflen ) ) != 0 ) 1286 { 1287 mbedtls_pk_free( pk ); 1288 } 1289 1290 mbedtls_pem_free( &pem ); 1291 return( ret ); 1292 } 1293 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1294 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1295 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1296 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1297 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1298 return( ret ); 1299 #endif /* MBEDTLS_ECP_C */ 1300 1301 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1302 if( key[keylen - 1] != '\0' ) 1303 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1304 else 1305 ret = mbedtls_pem_read_buffer( &pem, 1306 "-----BEGIN PRIVATE KEY-----", 1307 "-----END PRIVATE KEY-----", 1308 key, NULL, 0, &len ); 1309 if( ret == 0 ) 1310 { 1311 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, 1312 pem.buf, pem.buflen ) ) != 0 ) 1313 { 1314 mbedtls_pk_free( pk ); 1315 } 1316 1317 mbedtls_pem_free( &pem ); 1318 return( ret ); 1319 } 1320 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1321 return( ret ); 1322 1323 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1324 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1325 if( key[keylen - 1] != '\0' ) 1326 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1327 else 1328 ret = mbedtls_pem_read_buffer( &pem, 1329 "-----BEGIN ENCRYPTED PRIVATE KEY-----", 1330 "-----END ENCRYPTED PRIVATE KEY-----", 1331 key, NULL, 0, &len ); 1332 if( ret == 0 ) 1333 { 1334 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, 1335 pem.buf, pem.buflen, 1336 pwd, pwdlen ) ) != 0 ) 1337 { 1338 mbedtls_pk_free( pk ); 1339 } 1340 1341 mbedtls_pem_free( &pem ); 1342 return( ret ); 1343 } 1344 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1345 return( ret ); 1346 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1347 #else 1348 ((void) pwd); 1349 ((void) pwdlen); 1350 #endif /* MBEDTLS_PEM_PARSE_C */ 1351 1352 /* 1353 * At this point we only know it's not a PEM formatted key. Could be any 1354 * of the known DER encoded private key formats 1355 * 1356 * We try the different DER format parsers to see if one passes without 1357 * error 1358 */ 1359 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1360 { 1361 unsigned char *key_copy; 1362 1363 if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL ) 1364 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 1365 1366 memcpy( key_copy, key, keylen ); 1367 1368 ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen, 1369 pwd, pwdlen ); 1370 1371 mbedtls_platform_zeroize( key_copy, keylen ); 1372 mbedtls_free( key_copy ); 1373 } 1374 1375 if( ret == 0 ) 1376 return( 0 ); 1377 1378 mbedtls_pk_free( pk ); 1379 mbedtls_pk_init( pk ); 1380 1381 if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH ) 1382 { 1383 return( ret ); 1384 } 1385 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1386 1387 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 ) 1388 return( 0 ); 1389 1390 mbedtls_pk_free( pk ); 1391 mbedtls_pk_init( pk ); 1392 1393 #if defined(MBEDTLS_RSA_C) 1394 1395 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1396 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1397 pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 ) 1398 { 1399 return( 0 ); 1400 } 1401 1402 mbedtls_pk_free( pk ); 1403 mbedtls_pk_init( pk ); 1404 #endif /* MBEDTLS_RSA_C */ 1405 1406 #if defined(MBEDTLS_ECP_C) 1407 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1408 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1409 pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1410 key, keylen ) == 0 ) 1411 { 1412 return( 0 ); 1413 } 1414 mbedtls_pk_free( pk ); 1415 #endif /* MBEDTLS_ECP_C */ 1416 1417 /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't, 1418 * it is ok to leave the PK context initialized but not 1419 * freed: It is the caller's responsibility to call pk_init() 1420 * before calling this function, and to call pk_free() 1421 * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C 1422 * isn't, this leads to mbedtls_pk_free() being called 1423 * twice, once here and once by the caller, but this is 1424 * also ok and in line with the mbedtls_pk_free() calls 1425 * on failed PEM parsing attempts. */ 1426 1427 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1428 } 1429 1430 /* 1431 * Parse a public key 1432 */ 1433 int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, 1434 const unsigned char *key, size_t keylen ) 1435 { 1436 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1437 unsigned char *p; 1438 #if defined(MBEDTLS_RSA_C) 1439 const mbedtls_pk_info_t *pk_info; 1440 #endif 1441 #if defined(MBEDTLS_PEM_PARSE_C) 1442 size_t len; 1443 mbedtls_pem_context pem; 1444 #endif 1445 1446 PK_VALIDATE_RET( ctx != NULL ); 1447 if( keylen == 0 ) 1448 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1449 PK_VALIDATE_RET( key != NULL || keylen == 0 ); 1450 1451 #if defined(MBEDTLS_PEM_PARSE_C) 1452 mbedtls_pem_init( &pem ); 1453 #if defined(MBEDTLS_RSA_C) 1454 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1455 if( key[keylen - 1] != '\0' ) 1456 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1457 else 1458 ret = mbedtls_pem_read_buffer( &pem, 1459 "-----BEGIN RSA PUBLIC KEY-----", 1460 "-----END RSA PUBLIC KEY-----", 1461 key, NULL, 0, &len ); 1462 1463 if( ret == 0 ) 1464 { 1465 p = pem.buf; 1466 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) 1467 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1468 1469 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 ) 1470 return( ret ); 1471 1472 if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 ) 1473 mbedtls_pk_free( ctx ); 1474 1475 mbedtls_pem_free( &pem ); 1476 return( ret ); 1477 } 1478 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1479 { 1480 mbedtls_pem_free( &pem ); 1481 return( ret ); 1482 } 1483 #endif /* MBEDTLS_RSA_C */ 1484 1485 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1486 if( key[keylen - 1] != '\0' ) 1487 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1488 else 1489 ret = mbedtls_pem_read_buffer( &pem, 1490 "-----BEGIN PUBLIC KEY-----", 1491 "-----END PUBLIC KEY-----", 1492 key, NULL, 0, &len ); 1493 1494 if( ret == 0 ) 1495 { 1496 /* 1497 * Was PEM encoded 1498 */ 1499 p = pem.buf; 1500 1501 ret = mbedtls_pk_parse_subpubkey( &p, p + pem.buflen, ctx ); 1502 mbedtls_pem_free( &pem ); 1503 return( ret ); 1504 } 1505 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1506 { 1507 mbedtls_pem_free( &pem ); 1508 return( ret ); 1509 } 1510 mbedtls_pem_free( &pem ); 1511 #endif /* MBEDTLS_PEM_PARSE_C */ 1512 1513 #if defined(MBEDTLS_RSA_C) 1514 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) 1515 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1516 1517 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 ) 1518 return( ret ); 1519 1520 p = (unsigned char *)key; 1521 ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) ); 1522 if( ret == 0 ) 1523 { 1524 return( ret ); 1525 } 1526 mbedtls_pk_free( ctx ); 1527 if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) 1528 { 1529 return( ret ); 1530 } 1531 #endif /* MBEDTLS_RSA_C */ 1532 p = (unsigned char *) key; 1533 1534 ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx ); 1535 1536 return( ret ); 1537 } 1538 1539 #endif /* MBEDTLS_PK_PARSE_C */ 1540