1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * Public Key layer for parsing key files and structures 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 22 #if !defined(MBEDTLS_CONFIG_FILE) 23 #include "mbedtls/config.h" 24 #else 25 #include MBEDTLS_CONFIG_FILE 26 #endif 27 28 #if defined(MBEDTLS_PK_PARSE_C) 29 30 #include "mbedtls/pk.h" 31 #include "mbedtls/asn1.h" 32 #include "mbedtls/oid.h" 33 #include "mbedtls/platform_util.h" 34 35 #include <string.h> 36 37 #if defined(MBEDTLS_RSA_C) 38 #include "mbedtls/rsa.h" 39 #endif 40 #if defined(MBEDTLS_ECP_C) 41 #include "mbedtls/ecp.h" 42 #endif 43 #if defined(MBEDTLS_ECDSA_C) 44 #include "mbedtls/ecdsa.h" 45 #endif 46 #if defined(MBEDTLS_PEM_PARSE_C) 47 #include "mbedtls/pem.h" 48 #endif 49 #if defined(MBEDTLS_PKCS5_C) 50 #include "mbedtls/pkcs5.h" 51 #endif 52 #if defined(MBEDTLS_PKCS12_C) 53 #include "mbedtls/pkcs12.h" 54 #endif 55 56 #if defined(MBEDTLS_PLATFORM_C) 57 #include "mbedtls/platform.h" 58 #else 59 #include <stdlib.h> 60 #define mbedtls_calloc calloc 61 #define mbedtls_free free 62 #endif 63 64 /* Parameter validation macros based on platform_util.h */ 65 #define PK_VALIDATE_RET( cond ) \ 66 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA ) 67 #define PK_VALIDATE( cond ) \ 68 MBEDTLS_INTERNAL_VALIDATE( cond ) 69 70 #if defined(MBEDTLS_FS_IO) 71 /* 72 * Load all data from a file into a given buffer. 73 * 74 * The file is expected to contain either PEM or DER encoded data. 75 * A terminating null byte is always appended. It is included in the announced 76 * length only if the data looks like it is PEM encoded. 77 */ 78 int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) 79 { 80 FILE *f; 81 long size; 82 83 PK_VALIDATE_RET( path != NULL ); 84 PK_VALIDATE_RET( buf != NULL ); 85 PK_VALIDATE_RET( n != NULL ); 86 87 if( ( f = fopen( path, "rb" ) ) == NULL ) 88 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 89 90 fseek( f, 0, SEEK_END ); 91 if( ( size = ftell( f ) ) == -1 ) 92 { 93 fclose( f ); 94 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 95 } 96 fseek( f, 0, SEEK_SET ); 97 98 *n = (size_t) size; 99 100 if( *n + 1 == 0 || 101 ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL ) 102 { 103 fclose( f ); 104 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 105 } 106 107 if( fread( *buf, 1, *n, f ) != *n ) 108 { 109 fclose( f ); 110 111 mbedtls_platform_zeroize( *buf, *n ); 112 mbedtls_free( *buf ); 113 114 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 115 } 116 117 fclose( f ); 118 119 (*buf)[*n] = '\0'; 120 121 if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL ) 122 ++*n; 123 124 return( 0 ); 125 } 126 127 /* 128 * Load and parse a private key 129 */ 130 int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, 131 const char *path, const char *pwd ) 132 { 133 int ret; 134 size_t n; 135 unsigned char *buf; 136 137 PK_VALIDATE_RET( ctx != NULL ); 138 PK_VALIDATE_RET( path != NULL ); 139 140 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 141 return( ret ); 142 143 if( pwd == NULL ) 144 ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 ); 145 else 146 ret = mbedtls_pk_parse_key( ctx, buf, n, 147 (const unsigned char *) pwd, strlen( pwd ) ); 148 149 mbedtls_platform_zeroize( buf, n ); 150 mbedtls_free( buf ); 151 152 return( ret ); 153 } 154 155 /* 156 * Load and parse a public key 157 */ 158 int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path ) 159 { 160 int ret; 161 size_t n; 162 unsigned char *buf; 163 164 PK_VALIDATE_RET( ctx != NULL ); 165 PK_VALIDATE_RET( path != NULL ); 166 167 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 168 return( ret ); 169 170 ret = mbedtls_pk_parse_public_key( ctx, buf, n ); 171 172 mbedtls_platform_zeroize( buf, n ); 173 mbedtls_free( buf ); 174 175 return( ret ); 176 } 177 #endif /* MBEDTLS_FS_IO */ 178 179 #if defined(MBEDTLS_ECP_C) 180 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf 181 * 182 * ECParameters ::= CHOICE { 183 * namedCurve OBJECT IDENTIFIER 184 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 185 * -- implicitCurve NULL 186 * } 187 */ 188 static int pk_get_ecparams( unsigned char **p, const unsigned char *end, 189 mbedtls_asn1_buf *params ) 190 { 191 int ret; 192 193 if ( end - *p < 1 ) 194 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 195 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 196 197 /* Tag may be either OID or SEQUENCE */ 198 params->tag = **p; 199 if( params->tag != MBEDTLS_ASN1_OID 200 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 201 && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) 202 #endif 203 ) 204 { 205 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 206 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 207 } 208 209 if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 ) 210 { 211 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 212 } 213 214 params->p = *p; 215 *p += params->len; 216 217 if( *p != end ) 218 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 219 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 220 221 return( 0 ); 222 } 223 224 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 225 /* 226 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. 227 * WARNING: the resulting group should only be used with 228 * pk_group_id_from_specified(), since its base point may not be set correctly 229 * if it was encoded compressed. 230 * 231 * SpecifiedECDomain ::= SEQUENCE { 232 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...), 233 * fieldID FieldID {{FieldTypes}}, 234 * curve Curve, 235 * base ECPoint, 236 * order INTEGER, 237 * cofactor INTEGER OPTIONAL, 238 * hash HashAlgorithm OPTIONAL, 239 * ... 240 * } 241 * 242 * We only support prime-field as field type, and ignore hash and cofactor. 243 */ 244 static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 245 { 246 int ret; 247 unsigned char *p = params->p; 248 const unsigned char * const end = params->p + params->len; 249 const unsigned char *end_field, *end_curve; 250 size_t len; 251 int ver; 252 253 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */ 254 if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 ) 255 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 256 257 if( ver < 1 || ver > 3 ) 258 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 259 260 /* 261 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field 262 * fieldType FIELD-ID.&id({IOSet}), 263 * parameters FIELD-ID.&Type({IOSet}{@fieldType}) 264 * } 265 */ 266 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 267 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 268 return( ret ); 269 270 end_field = p + len; 271 272 /* 273 * FIELD-ID ::= TYPE-IDENTIFIER 274 * FieldTypes FIELD-ID ::= { 275 * { Prime-p IDENTIFIED BY prime-field } | 276 * { Characteristic-two IDENTIFIED BY characteristic-two-field } 277 * } 278 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 279 */ 280 if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 ) 281 return( ret ); 282 283 if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) || 284 memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 ) 285 { 286 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 287 } 288 289 p += len; 290 291 /* Prime-p ::= INTEGER -- Field of size p. */ 292 if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 ) 293 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 294 295 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 296 297 if( p != end_field ) 298 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 299 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 300 301 /* 302 * Curve ::= SEQUENCE { 303 * a FieldElement, 304 * b FieldElement, 305 * seed BIT STRING OPTIONAL 306 * -- Shall be present if used in SpecifiedECDomain 307 * -- with version equal to ecdpVer2 or ecdpVer3 308 * } 309 */ 310 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 311 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 312 return( ret ); 313 314 end_curve = p + len; 315 316 /* 317 * FieldElement ::= OCTET STRING 318 * containing an integer in the case of a prime field 319 */ 320 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 321 ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 ) 322 { 323 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 324 } 325 326 p += len; 327 328 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 329 ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 ) 330 { 331 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 332 } 333 334 p += len; 335 336 /* Ignore seed BIT STRING OPTIONAL */ 337 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 ) 338 p += len; 339 340 if( p != end_curve ) 341 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 342 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 343 344 /* 345 * ECPoint ::= OCTET STRING 346 */ 347 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 348 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 349 350 if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G, 351 ( const unsigned char *) p, len ) ) != 0 ) 352 { 353 /* 354 * If we can't read the point because it's compressed, cheat by 355 * reading only the X coordinate and the parity bit of Y. 356 */ 357 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE || 358 ( p[0] != 0x02 && p[0] != 0x03 ) || 359 len != mbedtls_mpi_size( &grp->P ) + 1 || 360 mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 || 361 mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 || 362 mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 ) 363 { 364 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 365 } 366 } 367 368 p += len; 369 370 /* 371 * order INTEGER 372 */ 373 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 ) 374 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 375 376 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 377 378 /* 379 * Allow optional elements by purposefully not enforcing p == end here. 380 */ 381 382 return( 0 ); 383 } 384 385 /* 386 * Find the group id associated with an (almost filled) group as generated by 387 * pk_group_from_specified(), or return an error if unknown. 388 */ 389 static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id ) 390 { 391 int ret = 0; 392 mbedtls_ecp_group ref; 393 const mbedtls_ecp_group_id *id; 394 395 mbedtls_ecp_group_init( &ref ); 396 397 for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ ) 398 { 399 /* Load the group associated to that id */ 400 mbedtls_ecp_group_free( &ref ); 401 MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) ); 402 403 /* Compare to the group we were given, starting with easy tests */ 404 if( grp->pbits == ref.pbits && grp->nbits == ref.nbits && 405 mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 && 406 mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 && 407 mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 && 408 mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 && 409 mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 && 410 mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 && 411 /* For Y we may only know the parity bit, so compare only that */ 412 mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) ) 413 { 414 break; 415 } 416 417 } 418 419 cleanup: 420 mbedtls_ecp_group_free( &ref ); 421 422 *grp_id = *id; 423 424 if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE ) 425 ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; 426 427 return( ret ); 428 } 429 430 /* 431 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID 432 */ 433 static int pk_group_id_from_specified( const mbedtls_asn1_buf *params, 434 mbedtls_ecp_group_id *grp_id ) 435 { 436 int ret; 437 mbedtls_ecp_group grp; 438 439 mbedtls_ecp_group_init( &grp ); 440 441 if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 ) 442 goto cleanup; 443 444 ret = pk_group_id_from_group( &grp, grp_id ); 445 446 cleanup: 447 mbedtls_ecp_group_free( &grp ); 448 449 return( ret ); 450 } 451 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ 452 453 /* 454 * Use EC parameters to initialise an EC group 455 * 456 * ECParameters ::= CHOICE { 457 * namedCurve OBJECT IDENTIFIER 458 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 459 * -- implicitCurve NULL 460 */ 461 static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 462 { 463 int ret; 464 mbedtls_ecp_group_id grp_id; 465 466 if( params->tag == MBEDTLS_ASN1_OID ) 467 { 468 if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 ) 469 return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE ); 470 } 471 else 472 { 473 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 474 if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 ) 475 return( ret ); 476 #else 477 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 478 #endif 479 } 480 481 /* 482 * grp may already be initilialized; if so, make sure IDs match 483 */ 484 if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id ) 485 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 486 487 if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 ) 488 return( ret ); 489 490 return( 0 ); 491 } 492 493 /* 494 * EC public key is an EC point 495 * 496 * The caller is responsible for clearing the structure upon failure if 497 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE 498 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. 499 */ 500 static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end, 501 mbedtls_ecp_keypair *key ) 502 { 503 int ret; 504 505 if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q, 506 (const unsigned char *) *p, end - *p ) ) == 0 ) 507 { 508 ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q ); 509 } 510 511 /* 512 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed 513 */ 514 *p = (unsigned char *) end; 515 516 return( ret ); 517 } 518 #endif /* MBEDTLS_ECP_C */ 519 520 #if defined(MBEDTLS_RSA_C) 521 /* 522 * RSAPublicKey ::= SEQUENCE { 523 * modulus INTEGER, -- n 524 * publicExponent INTEGER -- e 525 * } 526 */ 527 static int pk_get_rsapubkey( unsigned char **p, 528 const unsigned char *end, 529 mbedtls_rsa_context *rsa ) 530 { 531 int ret; 532 size_t len; 533 534 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 535 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 536 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 537 538 if( *p + len != end ) 539 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 540 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 541 542 /* Import N */ 543 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 544 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 545 546 if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0, 547 NULL, 0, NULL, 0 ) ) != 0 ) 548 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 549 550 *p += len; 551 552 /* Import E */ 553 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 554 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 555 556 if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0, 557 NULL, 0, *p, len ) ) != 0 ) 558 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 559 560 *p += len; 561 562 if( mbedtls_rsa_complete( rsa ) != 0 || 563 mbedtls_rsa_check_pubkey( rsa ) != 0 ) 564 { 565 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 566 } 567 568 if( *p != end ) 569 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 570 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 571 572 return( 0 ); 573 } 574 #endif /* MBEDTLS_RSA_C */ 575 576 /* Get a PK algorithm identifier 577 * 578 * AlgorithmIdentifier ::= SEQUENCE { 579 * algorithm OBJECT IDENTIFIER, 580 * parameters ANY DEFINED BY algorithm OPTIONAL } 581 */ 582 static int pk_get_pk_alg( unsigned char **p, 583 const unsigned char *end, 584 mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params ) 585 { 586 int ret; 587 mbedtls_asn1_buf alg_oid; 588 589 memset( params, 0, sizeof(mbedtls_asn1_buf) ); 590 591 if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 ) 592 return( MBEDTLS_ERR_PK_INVALID_ALG + ret ); 593 594 if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 ) 595 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 596 597 /* 598 * No parameters with RSA (only for EC) 599 */ 600 if( *pk_alg == MBEDTLS_PK_RSA && 601 ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) || 602 params->len != 0 ) ) 603 { 604 return( MBEDTLS_ERR_PK_INVALID_ALG ); 605 } 606 607 return( 0 ); 608 } 609 610 /* 611 * SubjectPublicKeyInfo ::= SEQUENCE { 612 * algorithm AlgorithmIdentifier, 613 * subjectPublicKey BIT STRING } 614 */ 615 int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end, 616 mbedtls_pk_context *pk ) 617 { 618 int ret; 619 size_t len; 620 mbedtls_asn1_buf alg_params; 621 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 622 const mbedtls_pk_info_t *pk_info; 623 624 PK_VALIDATE_RET( p != NULL ); 625 PK_VALIDATE_RET( *p != NULL ); 626 PK_VALIDATE_RET( end != NULL ); 627 PK_VALIDATE_RET( pk != NULL ); 628 629 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 630 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 631 { 632 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 633 } 634 635 end = *p + len; 636 637 if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 ) 638 return( ret ); 639 640 if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 ) 641 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 642 643 if( *p + len != end ) 644 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 645 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 646 647 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 648 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 649 650 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 651 return( ret ); 652 653 #if defined(MBEDTLS_RSA_C) 654 if( pk_alg == MBEDTLS_PK_RSA ) 655 { 656 ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) ); 657 } else 658 #endif /* MBEDTLS_RSA_C */ 659 #if defined(MBEDTLS_ECP_C) 660 if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY ) 661 { 662 ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp ); 663 if( ret == 0 ) 664 ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) ); 665 } else 666 #endif /* MBEDTLS_ECP_C */ 667 ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 668 669 if( ret == 0 && *p != end ) 670 ret = MBEDTLS_ERR_PK_INVALID_PUBKEY 671 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 672 673 if( ret != 0 ) 674 mbedtls_pk_free( pk ); 675 676 return( ret ); 677 } 678 679 #if defined(MBEDTLS_RSA_C) 680 /* 681 * Parse a PKCS#1 encoded private RSA key 682 */ 683 static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa, 684 const unsigned char *key, 685 size_t keylen ) 686 { 687 int ret, version; 688 size_t len; 689 unsigned char *p, *end; 690 691 mbedtls_mpi T; 692 mbedtls_mpi_init( &T ); 693 694 p = (unsigned char *) key; 695 end = p + keylen; 696 697 /* 698 * This function parses the RSAPrivateKey (PKCS#1) 699 * 700 * RSAPrivateKey ::= SEQUENCE { 701 * version Version, 702 * modulus INTEGER, -- n 703 * publicExponent INTEGER, -- e 704 * privateExponent INTEGER, -- d 705 * prime1 INTEGER, -- p 706 * prime2 INTEGER, -- q 707 * exponent1 INTEGER, -- d mod (p-1) 708 * exponent2 INTEGER, -- d mod (q-1) 709 * coefficient INTEGER, -- (inverse of q) mod p 710 * otherPrimeInfos OtherPrimeInfos OPTIONAL 711 * } 712 */ 713 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 714 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 715 { 716 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 717 } 718 719 end = p + len; 720 721 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 722 { 723 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 724 } 725 726 if( version != 0 ) 727 { 728 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 729 } 730 731 /* Import N */ 732 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 733 MBEDTLS_ASN1_INTEGER ) ) != 0 || 734 ( ret = mbedtls_rsa_import_raw( rsa, p, len, NULL, 0, NULL, 0, 735 NULL, 0, NULL, 0 ) ) != 0 ) 736 goto cleanup; 737 p += len; 738 739 /* Import E */ 740 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 741 MBEDTLS_ASN1_INTEGER ) ) != 0 || 742 ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0, 743 NULL, 0, p, len ) ) != 0 ) 744 goto cleanup; 745 p += len; 746 747 /* Import D */ 748 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 749 MBEDTLS_ASN1_INTEGER ) ) != 0 || 750 ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0, 751 p, len, NULL, 0 ) ) != 0 ) 752 goto cleanup; 753 p += len; 754 755 /* Import P */ 756 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 757 MBEDTLS_ASN1_INTEGER ) ) != 0 || 758 ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, p, len, NULL, 0, 759 NULL, 0, NULL, 0 ) ) != 0 ) 760 goto cleanup; 761 p += len; 762 763 /* Import Q */ 764 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 765 MBEDTLS_ASN1_INTEGER ) ) != 0 || 766 ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, p, len, 767 NULL, 0, NULL, 0 ) ) != 0 ) 768 goto cleanup; 769 p += len; 770 771 /* Complete the RSA private key */ 772 if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ) 773 goto cleanup; 774 775 /* Check optional parameters */ 776 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 || 777 ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 || 778 ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ) 779 goto cleanup; 780 781 if( p != end ) 782 { 783 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 784 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ; 785 } 786 787 cleanup: 788 789 mbedtls_mpi_free( &T ); 790 791 if( ret != 0 ) 792 { 793 /* Wrap error code if it's coming from a lower level */ 794 if( ( ret & 0xff80 ) == 0 ) 795 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret; 796 else 797 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 798 799 mbedtls_rsa_free( rsa ); 800 } 801 802 return( ret ); 803 } 804 #endif /* MBEDTLS_RSA_C */ 805 806 #if defined(MBEDTLS_ECP_C) 807 /* 808 * Parse a SEC1 encoded private EC key 809 */ 810 static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, 811 const unsigned char *key, 812 size_t keylen ) 813 { 814 int ret; 815 int version, pubkey_done; 816 size_t len; 817 mbedtls_asn1_buf params; 818 unsigned char *p = (unsigned char *) key; 819 unsigned char *end = p + keylen; 820 unsigned char *end2; 821 822 /* 823 * RFC 5915, or SEC1 Appendix C.4 824 * 825 * ECPrivateKey ::= SEQUENCE { 826 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), 827 * privateKey OCTET STRING, 828 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, 829 * publicKey [1] BIT STRING OPTIONAL 830 * } 831 */ 832 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 833 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 834 { 835 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 836 } 837 838 end = p + len; 839 840 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 841 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 842 843 if( version != 1 ) 844 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 845 846 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 847 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 848 849 if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 ) 850 { 851 mbedtls_ecp_keypair_free( eck ); 852 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 853 } 854 855 p += len; 856 857 pubkey_done = 0; 858 if( p != end ) 859 { 860 /* 861 * Is 'parameters' present? 862 */ 863 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 864 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 ) 865 { 866 if( ( ret = pk_get_ecparams( &p, p + len, ¶ms) ) != 0 || 867 ( ret = pk_use_ecparams( ¶ms, &eck->grp ) ) != 0 ) 868 { 869 mbedtls_ecp_keypair_free( eck ); 870 return( ret ); 871 } 872 } 873 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 874 { 875 mbedtls_ecp_keypair_free( eck ); 876 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 877 } 878 } 879 880 if( p != end ) 881 { 882 /* 883 * Is 'publickey' present? If not, or if we can't read it (eg because it 884 * is compressed), create it from the private key. 885 */ 886 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 887 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 ) 888 { 889 end2 = p + len; 890 891 if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 ) 892 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 893 894 if( p + len != end2 ) 895 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 896 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 897 898 if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 ) 899 pubkey_done = 1; 900 else 901 { 902 /* 903 * The only acceptable failure mode of pk_get_ecpubkey() above 904 * is if the point format is not recognized. 905 */ 906 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ) 907 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 908 } 909 } 910 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 911 { 912 mbedtls_ecp_keypair_free( eck ); 913 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 914 } 915 } 916 917 if( ! pubkey_done && 918 ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G, 919 NULL, NULL ) ) != 0 ) 920 { 921 mbedtls_ecp_keypair_free( eck ); 922 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 923 } 924 925 if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 ) 926 { 927 mbedtls_ecp_keypair_free( eck ); 928 return( ret ); 929 } 930 931 return( 0 ); 932 } 933 #endif /* MBEDTLS_ECP_C */ 934 935 /* 936 * Parse an unencrypted PKCS#8 encoded private key 937 * 938 * Notes: 939 * 940 * - This function does not own the key buffer. It is the 941 * responsibility of the caller to take care of zeroizing 942 * and freeing it after use. 943 * 944 * - The function is responsible for freeing the provided 945 * PK context on failure. 946 * 947 */ 948 static int pk_parse_key_pkcs8_unencrypted_der( 949 mbedtls_pk_context *pk, 950 const unsigned char* key, 951 size_t keylen ) 952 { 953 int ret, version; 954 size_t len; 955 mbedtls_asn1_buf params; 956 unsigned char *p = (unsigned char *) key; 957 unsigned char *end = p + keylen; 958 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 959 const mbedtls_pk_info_t *pk_info; 960 961 /* 962 * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208) 963 * 964 * PrivateKeyInfo ::= SEQUENCE { 965 * version Version, 966 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, 967 * privateKey PrivateKey, 968 * attributes [0] IMPLICIT Attributes OPTIONAL } 969 * 970 * Version ::= INTEGER 971 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier 972 * PrivateKey ::= OCTET STRING 973 * 974 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey 975 */ 976 977 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 978 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 979 { 980 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 981 } 982 983 end = p + len; 984 985 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 986 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 987 988 if( version != 0 ) 989 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret ); 990 991 if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 ) 992 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 993 994 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 995 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 996 997 if( len < 1 ) 998 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 999 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 1000 1001 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 1002 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1003 1004 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 1005 return( ret ); 1006 1007 #if defined(MBEDTLS_RSA_C) 1008 if( pk_alg == MBEDTLS_PK_RSA ) 1009 { 1010 if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 ) 1011 { 1012 mbedtls_pk_free( pk ); 1013 return( ret ); 1014 } 1015 } else 1016 #endif /* MBEDTLS_RSA_C */ 1017 #if defined(MBEDTLS_ECP_C) 1018 if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH ) 1019 { 1020 if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 || 1021 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 ) 1022 { 1023 mbedtls_pk_free( pk ); 1024 return( ret ); 1025 } 1026 } else 1027 #endif /* MBEDTLS_ECP_C */ 1028 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1029 1030 return( 0 ); 1031 } 1032 1033 /* 1034 * Parse an encrypted PKCS#8 encoded private key 1035 * 1036 * To save space, the decryption happens in-place on the given key buffer. 1037 * Also, while this function may modify the keybuffer, it doesn't own it, 1038 * and instead it is the responsibility of the caller to zeroize and properly 1039 * free it after use. 1040 * 1041 */ 1042 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1043 static int pk_parse_key_pkcs8_encrypted_der( 1044 mbedtls_pk_context *pk, 1045 unsigned char *key, size_t keylen, 1046 const unsigned char *pwd, size_t pwdlen ) 1047 { 1048 int ret, decrypted = 0; 1049 size_t len; 1050 unsigned char *buf; 1051 unsigned char *p, *end; 1052 mbedtls_asn1_buf pbe_alg_oid, pbe_params; 1053 #if defined(MBEDTLS_PKCS12_C) 1054 mbedtls_cipher_type_t cipher_alg; 1055 mbedtls_md_type_t md_alg; 1056 #endif 1057 1058 p = key; 1059 end = p + keylen; 1060 1061 if( pwdlen == 0 ) 1062 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1063 1064 /* 1065 * This function parses the EncryptedPrivateKeyInfo object (PKCS#8) 1066 * 1067 * EncryptedPrivateKeyInfo ::= SEQUENCE { 1068 * encryptionAlgorithm EncryptionAlgorithmIdentifier, 1069 * encryptedData EncryptedData 1070 * } 1071 * 1072 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1073 * 1074 * EncryptedData ::= OCTET STRING 1075 * 1076 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo 1077 * 1078 */ 1079 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1080 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1081 { 1082 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1083 } 1084 1085 end = p + len; 1086 1087 if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 ) 1088 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1089 1090 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1091 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1092 1093 buf = p; 1094 1095 /* 1096 * Decrypt EncryptedData with appropriate PBE 1097 */ 1098 #if defined(MBEDTLS_PKCS12_C) 1099 if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 ) 1100 { 1101 if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, 1102 cipher_alg, md_alg, 1103 pwd, pwdlen, p, len, buf ) ) != 0 ) 1104 { 1105 if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH ) 1106 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1107 1108 return( ret ); 1109 } 1110 1111 decrypted = 1; 1112 } 1113 else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 ) 1114 { 1115 if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params, 1116 MBEDTLS_PKCS12_PBE_DECRYPT, 1117 pwd, pwdlen, 1118 p, len, buf ) ) != 0 ) 1119 { 1120 return( ret ); 1121 } 1122 1123 // Best guess for password mismatch when using RC4. If first tag is 1124 // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE 1125 // 1126 if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 1127 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1128 1129 decrypted = 1; 1130 } 1131 else 1132 #endif /* MBEDTLS_PKCS12_C */ 1133 #if defined(MBEDTLS_PKCS5_C) 1134 if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 ) 1135 { 1136 if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, 1137 p, len, buf ) ) != 0 ) 1138 { 1139 if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH ) 1140 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1141 1142 return( ret ); 1143 } 1144 1145 decrypted = 1; 1146 } 1147 else 1148 #endif /* MBEDTLS_PKCS5_C */ 1149 { 1150 ((void) pwd); 1151 } 1152 1153 if( decrypted == 0 ) 1154 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 1155 1156 return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) ); 1157 } 1158 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1159 1160 /* 1161 * Parse a private key 1162 */ 1163 int mbedtls_pk_parse_key( mbedtls_pk_context *pk, 1164 const unsigned char *key, size_t keylen, 1165 const unsigned char *pwd, size_t pwdlen ) 1166 { 1167 int ret; 1168 const mbedtls_pk_info_t *pk_info; 1169 #if defined(MBEDTLS_PEM_PARSE_C) 1170 size_t len; 1171 mbedtls_pem_context pem; 1172 #endif 1173 1174 PK_VALIDATE_RET( pk != NULL ); 1175 if( keylen == 0 ) 1176 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1177 PK_VALIDATE_RET( key != NULL ); 1178 1179 #if defined(MBEDTLS_PEM_PARSE_C) 1180 mbedtls_pem_init( &pem ); 1181 1182 #if defined(MBEDTLS_RSA_C) 1183 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1184 if( key[keylen - 1] != '\0' ) 1185 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1186 else 1187 ret = mbedtls_pem_read_buffer( &pem, 1188 "-----BEGIN RSA PRIVATE KEY-----", 1189 "-----END RSA PRIVATE KEY-----", 1190 key, pwd, pwdlen, &len ); 1191 1192 if( ret == 0 ) 1193 { 1194 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1195 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1196 ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), 1197 pem.buf, pem.buflen ) ) != 0 ) 1198 { 1199 mbedtls_pk_free( pk ); 1200 } 1201 1202 mbedtls_pem_free( &pem ); 1203 return( ret ); 1204 } 1205 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1206 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1207 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1208 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1209 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1210 return( ret ); 1211 #endif /* MBEDTLS_RSA_C */ 1212 1213 #if defined(MBEDTLS_ECP_C) 1214 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1215 if( key[keylen - 1] != '\0' ) 1216 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1217 else 1218 ret = mbedtls_pem_read_buffer( &pem, 1219 "-----BEGIN EC PRIVATE KEY-----", 1220 "-----END EC PRIVATE KEY-----", 1221 key, pwd, pwdlen, &len ); 1222 if( ret == 0 ) 1223 { 1224 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1225 1226 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1227 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1228 pem.buf, pem.buflen ) ) != 0 ) 1229 { 1230 mbedtls_pk_free( pk ); 1231 } 1232 1233 mbedtls_pem_free( &pem ); 1234 return( ret ); 1235 } 1236 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1237 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1238 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1239 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1240 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1241 return( ret ); 1242 #endif /* MBEDTLS_ECP_C */ 1243 1244 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1245 if( key[keylen - 1] != '\0' ) 1246 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1247 else 1248 ret = mbedtls_pem_read_buffer( &pem, 1249 "-----BEGIN PRIVATE KEY-----", 1250 "-----END PRIVATE KEY-----", 1251 key, NULL, 0, &len ); 1252 if( ret == 0 ) 1253 { 1254 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, 1255 pem.buf, pem.buflen ) ) != 0 ) 1256 { 1257 mbedtls_pk_free( pk ); 1258 } 1259 1260 mbedtls_pem_free( &pem ); 1261 return( ret ); 1262 } 1263 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1264 return( ret ); 1265 1266 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1267 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1268 if( key[keylen - 1] != '\0' ) 1269 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1270 else 1271 ret = mbedtls_pem_read_buffer( &pem, 1272 "-----BEGIN ENCRYPTED PRIVATE KEY-----", 1273 "-----END ENCRYPTED PRIVATE KEY-----", 1274 key, NULL, 0, &len ); 1275 if( ret == 0 ) 1276 { 1277 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, 1278 pem.buf, pem.buflen, 1279 pwd, pwdlen ) ) != 0 ) 1280 { 1281 mbedtls_pk_free( pk ); 1282 } 1283 1284 mbedtls_pem_free( &pem ); 1285 return( ret ); 1286 } 1287 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1288 return( ret ); 1289 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1290 #else 1291 ((void) pwd); 1292 ((void) pwdlen); 1293 #endif /* MBEDTLS_PEM_PARSE_C */ 1294 1295 /* 1296 * At this point we only know it's not a PEM formatted key. Could be any 1297 * of the known DER encoded private key formats 1298 * 1299 * We try the different DER format parsers to see if one passes without 1300 * error 1301 */ 1302 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1303 { 1304 unsigned char *key_copy; 1305 1306 if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL ) 1307 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 1308 1309 memcpy( key_copy, key, keylen ); 1310 1311 ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen, 1312 pwd, pwdlen ); 1313 1314 mbedtls_platform_zeroize( key_copy, keylen ); 1315 mbedtls_free( key_copy ); 1316 } 1317 1318 if( ret == 0 ) 1319 return( 0 ); 1320 1321 mbedtls_pk_free( pk ); 1322 mbedtls_pk_init( pk ); 1323 1324 if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH ) 1325 { 1326 return( ret ); 1327 } 1328 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1329 1330 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 ) 1331 return( 0 ); 1332 1333 mbedtls_pk_free( pk ); 1334 mbedtls_pk_init( pk ); 1335 1336 #if defined(MBEDTLS_RSA_C) 1337 1338 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1339 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1340 pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 ) 1341 { 1342 return( 0 ); 1343 } 1344 1345 mbedtls_pk_free( pk ); 1346 mbedtls_pk_init( pk ); 1347 #endif /* MBEDTLS_RSA_C */ 1348 1349 #if defined(MBEDTLS_ECP_C) 1350 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1351 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1352 pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1353 key, keylen ) == 0 ) 1354 { 1355 return( 0 ); 1356 } 1357 mbedtls_pk_free( pk ); 1358 #endif /* MBEDTLS_ECP_C */ 1359 1360 /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't, 1361 * it is ok to leave the PK context initialized but not 1362 * freed: It is the caller's responsibility to call pk_init() 1363 * before calling this function, and to call pk_free() 1364 * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C 1365 * isn't, this leads to mbedtls_pk_free() being called 1366 * twice, once here and once by the caller, but this is 1367 * also ok and in line with the mbedtls_pk_free() calls 1368 * on failed PEM parsing attempts. */ 1369 1370 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1371 } 1372 1373 /* 1374 * Parse a public key 1375 */ 1376 int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, 1377 const unsigned char *key, size_t keylen ) 1378 { 1379 int ret; 1380 unsigned char *p; 1381 #if defined(MBEDTLS_RSA_C) 1382 const mbedtls_pk_info_t *pk_info; 1383 #endif 1384 #if defined(MBEDTLS_PEM_PARSE_C) 1385 size_t len; 1386 mbedtls_pem_context pem; 1387 #endif 1388 1389 PK_VALIDATE_RET( ctx != NULL ); 1390 if( keylen == 0 ) 1391 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1392 PK_VALIDATE_RET( key != NULL || keylen == 0 ); 1393 1394 #if defined(MBEDTLS_PEM_PARSE_C) 1395 mbedtls_pem_init( &pem ); 1396 #if defined(MBEDTLS_RSA_C) 1397 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1398 if( key[keylen - 1] != '\0' ) 1399 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1400 else 1401 ret = mbedtls_pem_read_buffer( &pem, 1402 "-----BEGIN RSA PUBLIC KEY-----", 1403 "-----END RSA PUBLIC KEY-----", 1404 key, NULL, 0, &len ); 1405 1406 if( ret == 0 ) 1407 { 1408 p = pem.buf; 1409 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) 1410 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1411 1412 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 ) 1413 return( ret ); 1414 1415 if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 ) 1416 mbedtls_pk_free( ctx ); 1417 1418 mbedtls_pem_free( &pem ); 1419 return( ret ); 1420 } 1421 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1422 { 1423 mbedtls_pem_free( &pem ); 1424 return( ret ); 1425 } 1426 #endif /* MBEDTLS_RSA_C */ 1427 1428 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1429 if( key[keylen - 1] != '\0' ) 1430 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1431 else 1432 ret = mbedtls_pem_read_buffer( &pem, 1433 "-----BEGIN PUBLIC KEY-----", 1434 "-----END PUBLIC KEY-----", 1435 key, NULL, 0, &len ); 1436 1437 if( ret == 0 ) 1438 { 1439 /* 1440 * Was PEM encoded 1441 */ 1442 p = pem.buf; 1443 1444 ret = mbedtls_pk_parse_subpubkey( &p, p + pem.buflen, ctx ); 1445 mbedtls_pem_free( &pem ); 1446 return( ret ); 1447 } 1448 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1449 { 1450 mbedtls_pem_free( &pem ); 1451 return( ret ); 1452 } 1453 mbedtls_pem_free( &pem ); 1454 #endif /* MBEDTLS_PEM_PARSE_C */ 1455 1456 #if defined(MBEDTLS_RSA_C) 1457 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) 1458 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1459 1460 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 ) 1461 return( ret ); 1462 1463 p = (unsigned char *)key; 1464 ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) ); 1465 if( ret == 0 ) 1466 { 1467 return( ret ); 1468 } 1469 mbedtls_pk_free( ctx ); 1470 if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) 1471 { 1472 return( ret ); 1473 } 1474 #endif /* MBEDTLS_RSA_C */ 1475 p = (unsigned char *) key; 1476 1477 ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx ); 1478 1479 return( ret ); 1480 } 1481 1482 #endif /* MBEDTLS_PK_PARSE_C */ 1483