1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * Public Key layer for parsing key files and structures 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 22 #if !defined(MBEDTLS_CONFIG_FILE) 23 #include "mbedtls/config.h" 24 #else 25 #include MBEDTLS_CONFIG_FILE 26 #endif 27 28 #if defined(MBEDTLS_PK_PARSE_C) 29 30 #include "mbedtls/pk.h" 31 #include "mbedtls/asn1.h" 32 #include "mbedtls/oid.h" 33 #include "mbedtls/platform_util.h" 34 35 #include <string.h> 36 37 #if defined(MBEDTLS_RSA_C) 38 #include "mbedtls/rsa.h" 39 #endif 40 #if defined(MBEDTLS_ECP_C) 41 #include "mbedtls/ecp.h" 42 #endif 43 #if defined(MBEDTLS_ECDSA_C) 44 #include "mbedtls/ecdsa.h" 45 #endif 46 #if defined(MBEDTLS_PEM_PARSE_C) 47 #include "mbedtls/pem.h" 48 #endif 49 #if defined(MBEDTLS_PKCS5_C) 50 #include "mbedtls/pkcs5.h" 51 #endif 52 #if defined(MBEDTLS_PKCS12_C) 53 #include "mbedtls/pkcs12.h" 54 #endif 55 56 #if defined(MBEDTLS_PLATFORM_C) 57 #include "mbedtls/platform.h" 58 #else 59 #include <stdlib.h> 60 #define mbedtls_calloc calloc 61 #define mbedtls_free free 62 #endif 63 64 /* Parameter validation macros based on platform_util.h */ 65 #define PK_VALIDATE_RET( cond ) \ 66 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA ) 67 #define PK_VALIDATE( cond ) \ 68 MBEDTLS_INTERNAL_VALIDATE( cond ) 69 70 #if defined(MBEDTLS_FS_IO) 71 /* 72 * Load all data from a file into a given buffer. 73 * 74 * The file is expected to contain either PEM or DER encoded data. 75 * A terminating null byte is always appended. It is included in the announced 76 * length only if the data looks like it is PEM encoded. 77 */ 78 int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) 79 { 80 FILE *f; 81 long size; 82 83 PK_VALIDATE_RET( path != NULL ); 84 PK_VALIDATE_RET( buf != NULL ); 85 PK_VALIDATE_RET( n != NULL ); 86 87 if( ( f = fopen( path, "rb" ) ) == NULL ) 88 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 89 90 fseek( f, 0, SEEK_END ); 91 if( ( size = ftell( f ) ) == -1 ) 92 { 93 fclose( f ); 94 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 95 } 96 fseek( f, 0, SEEK_SET ); 97 98 *n = (size_t) size; 99 100 if( *n + 1 == 0 || 101 ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL ) 102 { 103 fclose( f ); 104 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 105 } 106 107 if( fread( *buf, 1, *n, f ) != *n ) 108 { 109 fclose( f ); 110 111 mbedtls_platform_zeroize( *buf, *n ); 112 mbedtls_free( *buf ); 113 114 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 115 } 116 117 fclose( f ); 118 119 (*buf)[*n] = '\0'; 120 121 if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL ) 122 ++*n; 123 124 return( 0 ); 125 } 126 127 /* 128 * Load and parse a private key 129 */ 130 int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, 131 const char *path, const char *pwd ) 132 { 133 int ret; 134 size_t n; 135 unsigned char *buf; 136 137 PK_VALIDATE_RET( ctx != NULL ); 138 PK_VALIDATE_RET( path != NULL ); 139 140 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 141 return( ret ); 142 143 if( pwd == NULL ) 144 ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 ); 145 else 146 ret = mbedtls_pk_parse_key( ctx, buf, n, 147 (const unsigned char *) pwd, strlen( pwd ) ); 148 149 mbedtls_platform_zeroize( buf, n ); 150 mbedtls_free( buf ); 151 152 return( ret ); 153 } 154 155 /* 156 * Load and parse a public key 157 */ 158 int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path ) 159 { 160 int ret; 161 size_t n; 162 unsigned char *buf; 163 164 PK_VALIDATE_RET( ctx != NULL ); 165 PK_VALIDATE_RET( path != NULL ); 166 167 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 168 return( ret ); 169 170 ret = mbedtls_pk_parse_public_key( ctx, buf, n ); 171 172 mbedtls_platform_zeroize( buf, n ); 173 mbedtls_free( buf ); 174 175 return( ret ); 176 } 177 #endif /* MBEDTLS_FS_IO */ 178 179 #if defined(MBEDTLS_ECP_C) 180 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf 181 * 182 * ECParameters ::= CHOICE { 183 * namedCurve OBJECT IDENTIFIER 184 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 185 * -- implicitCurve NULL 186 * } 187 */ 188 static int pk_get_ecparams( unsigned char **p, const unsigned char *end, 189 mbedtls_asn1_buf *params ) 190 { 191 int ret; 192 193 if ( end - *p < 1 ) 194 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 195 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 196 197 /* Tag may be either OID or SEQUENCE */ 198 params->tag = **p; 199 if( params->tag != MBEDTLS_ASN1_OID 200 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 201 && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) 202 #endif 203 ) 204 { 205 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 206 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 207 } 208 209 if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 ) 210 { 211 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 212 } 213 214 params->p = *p; 215 *p += params->len; 216 217 if( *p != end ) 218 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 219 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 220 221 return( 0 ); 222 } 223 224 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 225 /* 226 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. 227 * WARNING: the resulting group should only be used with 228 * pk_group_id_from_specified(), since its base point may not be set correctly 229 * if it was encoded compressed. 230 * 231 * SpecifiedECDomain ::= SEQUENCE { 232 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...), 233 * fieldID FieldID {{FieldTypes}}, 234 * curve Curve, 235 * base ECPoint, 236 * order INTEGER, 237 * cofactor INTEGER OPTIONAL, 238 * hash HashAlgorithm OPTIONAL, 239 * ... 240 * } 241 * 242 * We only support prime-field as field type, and ignore hash and cofactor. 243 */ 244 static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 245 { 246 int ret; 247 unsigned char *p = params->p; 248 const unsigned char * const end = params->p + params->len; 249 const unsigned char *end_field, *end_curve; 250 size_t len; 251 int ver; 252 253 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */ 254 if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 ) 255 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 256 257 if( ver < 1 || ver > 3 ) 258 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 259 260 /* 261 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field 262 * fieldType FIELD-ID.&id({IOSet}), 263 * parameters FIELD-ID.&Type({IOSet}{@fieldType}) 264 * } 265 */ 266 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 267 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 268 return( ret ); 269 270 end_field = p + len; 271 272 /* 273 * FIELD-ID ::= TYPE-IDENTIFIER 274 * FieldTypes FIELD-ID ::= { 275 * { Prime-p IDENTIFIED BY prime-field } | 276 * { Characteristic-two IDENTIFIED BY characteristic-two-field } 277 * } 278 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 279 */ 280 if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 ) 281 return( ret ); 282 283 if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) || 284 memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 ) 285 { 286 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 287 } 288 289 p += len; 290 291 /* Prime-p ::= INTEGER -- Field of size p. */ 292 if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 ) 293 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 294 295 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 296 297 if( p != end_field ) 298 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 299 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 300 301 /* 302 * Curve ::= SEQUENCE { 303 * a FieldElement, 304 * b FieldElement, 305 * seed BIT STRING OPTIONAL 306 * -- Shall be present if used in SpecifiedECDomain 307 * -- with version equal to ecdpVer2 or ecdpVer3 308 * } 309 */ 310 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 311 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 312 return( ret ); 313 314 end_curve = p + len; 315 316 /* 317 * FieldElement ::= OCTET STRING 318 * containing an integer in the case of a prime field 319 */ 320 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 321 ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 ) 322 { 323 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 324 } 325 326 p += len; 327 328 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 329 ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 ) 330 { 331 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 332 } 333 334 p += len; 335 336 /* Ignore seed BIT STRING OPTIONAL */ 337 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 ) 338 p += len; 339 340 if( p != end_curve ) 341 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 342 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 343 344 /* 345 * ECPoint ::= OCTET STRING 346 */ 347 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 348 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 349 350 if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G, 351 ( const unsigned char *) p, len ) ) != 0 ) 352 { 353 /* 354 * If we can't read the point because it's compressed, cheat by 355 * reading only the X coordinate and the parity bit of Y. 356 */ 357 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE || 358 ( p[0] != 0x02 && p[0] != 0x03 ) || 359 len != mbedtls_mpi_size( &grp->P ) + 1 || 360 mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 || 361 mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 || 362 mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 ) 363 { 364 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 365 } 366 } 367 368 p += len; 369 370 /* 371 * order INTEGER 372 */ 373 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 ) 374 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 375 376 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 377 378 /* 379 * Allow optional elements by purposefully not enforcing p == end here. 380 */ 381 382 return( 0 ); 383 } 384 385 /* 386 * Find the group id associated with an (almost filled) group as generated by 387 * pk_group_from_specified(), or return an error if unknown. 388 */ 389 static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id ) 390 { 391 int ret = 0; 392 mbedtls_ecp_group ref; 393 const mbedtls_ecp_group_id *id; 394 395 mbedtls_ecp_group_init( &ref ); 396 397 for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ ) 398 { 399 /* Load the group associated to that id */ 400 mbedtls_ecp_group_free( &ref ); 401 MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) ); 402 403 /* Compare to the group we were given, starting with easy tests */ 404 if( grp->pbits == ref.pbits && grp->nbits == ref.nbits && 405 mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 && 406 mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 && 407 mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 && 408 mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 && 409 mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 && 410 mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 && 411 /* For Y we may only know the parity bit, so compare only that */ 412 mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) ) 413 { 414 break; 415 } 416 417 } 418 419 cleanup: 420 mbedtls_ecp_group_free( &ref ); 421 422 *grp_id = *id; 423 424 if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE ) 425 ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; 426 427 return( ret ); 428 } 429 430 /* 431 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID 432 */ 433 static int pk_group_id_from_specified( const mbedtls_asn1_buf *params, 434 mbedtls_ecp_group_id *grp_id ) 435 { 436 int ret; 437 mbedtls_ecp_group grp; 438 439 mbedtls_ecp_group_init( &grp ); 440 441 if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 ) 442 goto cleanup; 443 444 ret = pk_group_id_from_group( &grp, grp_id ); 445 446 cleanup: 447 mbedtls_ecp_group_free( &grp ); 448 449 return( ret ); 450 } 451 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ 452 453 /* 454 * Use EC parameters to initialise an EC group 455 * 456 * ECParameters ::= CHOICE { 457 * namedCurve OBJECT IDENTIFIER 458 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 459 * -- implicitCurve NULL 460 */ 461 static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 462 { 463 int ret; 464 mbedtls_ecp_group_id grp_id; 465 466 if( params->tag == MBEDTLS_ASN1_OID ) 467 { 468 if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 ) 469 return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE ); 470 } 471 else 472 { 473 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 474 if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 ) 475 return( ret ); 476 #else 477 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 478 #endif 479 } 480 481 /* 482 * grp may already be initilialized; if so, make sure IDs match 483 */ 484 if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id ) 485 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 486 487 if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 ) 488 return( ret ); 489 490 return( 0 ); 491 } 492 493 /* 494 * EC public key is an EC point 495 * 496 * The caller is responsible for clearing the structure upon failure if 497 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE 498 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. 499 */ 500 static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end, 501 mbedtls_ecp_keypair *key ) 502 { 503 int ret; 504 505 if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q, 506 (const unsigned char *) *p, end - *p ) ) == 0 ) 507 { 508 ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q ); 509 } 510 511 /* 512 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed 513 */ 514 *p = (unsigned char *) end; 515 516 return( ret ); 517 } 518 #endif /* MBEDTLS_ECP_C */ 519 520 #if defined(MBEDTLS_RSA_C) 521 /* 522 * RSAPublicKey ::= SEQUENCE { 523 * modulus INTEGER, -- n 524 * publicExponent INTEGER -- e 525 * } 526 */ 527 static int pk_get_rsapubkey( unsigned char **p, 528 const unsigned char *end, 529 mbedtls_rsa_context *rsa ) 530 { 531 int ret; 532 size_t len; 533 534 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 535 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 536 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 537 538 if( *p + len != end ) 539 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 540 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 541 542 /* Import N */ 543 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 544 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 545 546 if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0, 547 NULL, 0, NULL, 0 ) ) != 0 ) 548 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 549 550 *p += len; 551 552 /* Import E */ 553 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 554 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 555 556 if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0, 557 NULL, 0, *p, len ) ) != 0 ) 558 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 559 560 *p += len; 561 562 if( mbedtls_rsa_complete( rsa ) != 0 || 563 mbedtls_rsa_check_pubkey( rsa ) != 0 ) 564 { 565 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 566 } 567 568 if( *p != end ) 569 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 570 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 571 572 return( 0 ); 573 } 574 #endif /* MBEDTLS_RSA_C */ 575 576 /* Get a PK algorithm identifier 577 * 578 * AlgorithmIdentifier ::= SEQUENCE { 579 * algorithm OBJECT IDENTIFIER, 580 * parameters ANY DEFINED BY algorithm OPTIONAL } 581 */ 582 static int pk_get_pk_alg( unsigned char **p, 583 const unsigned char *end, 584 mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params ) 585 { 586 int ret; 587 mbedtls_asn1_buf alg_oid; 588 589 memset( params, 0, sizeof(mbedtls_asn1_buf) ); 590 591 if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 ) 592 return( MBEDTLS_ERR_PK_INVALID_ALG + ret ); 593 594 if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 ) 595 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 596 597 /* 598 * No parameters with RSA (only for EC) 599 */ 600 if( *pk_alg == MBEDTLS_PK_RSA && 601 ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) || 602 params->len != 0 ) ) 603 { 604 return( MBEDTLS_ERR_PK_INVALID_ALG ); 605 } 606 607 return( 0 ); 608 } 609 610 /* 611 * SubjectPublicKeyInfo ::= SEQUENCE { 612 * algorithm AlgorithmIdentifier, 613 * subjectPublicKey BIT STRING } 614 */ 615 int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end, 616 mbedtls_pk_context *pk ) 617 { 618 int ret; 619 size_t len; 620 mbedtls_asn1_buf alg_params; 621 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 622 const mbedtls_pk_info_t *pk_info; 623 624 PK_VALIDATE_RET( p != NULL ); 625 PK_VALIDATE_RET( *p != NULL ); 626 PK_VALIDATE_RET( end != NULL ); 627 PK_VALIDATE_RET( pk != NULL ); 628 629 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 630 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 631 { 632 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 633 } 634 635 end = *p + len; 636 637 if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 ) 638 return( ret ); 639 640 if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 ) 641 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 642 643 if( *p + len != end ) 644 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 645 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 646 647 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 648 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 649 650 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 651 return( ret ); 652 653 #if defined(MBEDTLS_RSA_C) 654 if( pk_alg == MBEDTLS_PK_RSA ) 655 { 656 ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) ); 657 } else 658 #endif /* MBEDTLS_RSA_C */ 659 #if defined(MBEDTLS_ECP_C) 660 if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY ) 661 { 662 ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp ); 663 if( ret == 0 ) 664 ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) ); 665 } else 666 #endif /* MBEDTLS_ECP_C */ 667 ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 668 669 if( ret == 0 && *p != end ) 670 ret = MBEDTLS_ERR_PK_INVALID_PUBKEY 671 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 672 673 if( ret != 0 ) 674 mbedtls_pk_free( pk ); 675 676 return( ret ); 677 } 678 679 #if defined(MBEDTLS_RSA_C) 680 /* 681 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. 682 * 683 * The value zero is: 684 * - never a valid value for an RSA parameter 685 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). 686 * 687 * Since values can't be omitted in PKCS#1, passing a zero value to 688 * rsa_complete() would be incorrect, so reject zero values early. 689 */ 690 static int asn1_get_nonzero_mpi( unsigned char **p, 691 const unsigned char *end, 692 mbedtls_mpi *X ) 693 { 694 int ret; 695 696 ret = mbedtls_asn1_get_mpi( p, end, X ); 697 if( ret != 0 ) 698 return( ret ); 699 700 if( mbedtls_mpi_cmp_int( X, 0 ) == 0 ) 701 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 702 703 return( 0 ); 704 } 705 706 /* 707 * Parse a PKCS#1 encoded private RSA key 708 */ 709 static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa, 710 const unsigned char *key, 711 size_t keylen ) 712 { 713 int ret, version; 714 size_t len; 715 unsigned char *p, *end; 716 717 mbedtls_mpi T; 718 mbedtls_mpi_init( &T ); 719 720 p = (unsigned char *) key; 721 end = p + keylen; 722 723 /* 724 * This function parses the RSAPrivateKey (PKCS#1) 725 * 726 * RSAPrivateKey ::= SEQUENCE { 727 * version Version, 728 * modulus INTEGER, -- n 729 * publicExponent INTEGER, -- e 730 * privateExponent INTEGER, -- d 731 * prime1 INTEGER, -- p 732 * prime2 INTEGER, -- q 733 * exponent1 INTEGER, -- d mod (p-1) 734 * exponent2 INTEGER, -- d mod (q-1) 735 * coefficient INTEGER, -- (inverse of q) mod p 736 * otherPrimeInfos OtherPrimeInfos OPTIONAL 737 * } 738 */ 739 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 740 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 741 { 742 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 743 } 744 745 end = p + len; 746 747 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 748 { 749 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 750 } 751 752 if( version != 0 ) 753 { 754 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 755 } 756 757 /* Import N */ 758 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 759 ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL, 760 NULL, NULL ) ) != 0 ) 761 goto cleanup; 762 763 /* Import E */ 764 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 765 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL, 766 NULL, &T ) ) != 0 ) 767 goto cleanup; 768 769 /* Import D */ 770 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 771 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL, 772 &T, NULL ) ) != 0 ) 773 goto cleanup; 774 775 /* Import P */ 776 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 777 ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL, 778 NULL, NULL ) ) != 0 ) 779 goto cleanup; 780 781 /* Import Q */ 782 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 783 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T, 784 NULL, NULL ) ) != 0 ) 785 goto cleanup; 786 787 #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) 788 /* 789 * The RSA CRT parameters DP, DQ and QP are nominally redundant, in 790 * that they can be easily recomputed from D, P and Q. However by 791 * parsing them from the PKCS1 structure it is possible to avoid 792 * recalculating them which both reduces the overhead of loading 793 * RSA private keys into memory and also avoids side channels which 794 * can arise when computing those values, since all of D, P, and Q 795 * are secret. See https://eprint.iacr.org/2020/055 for a 796 * description of one such attack. 797 */ 798 799 /* Import DP */ 800 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 801 ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 ) 802 goto cleanup; 803 804 /* Import DQ */ 805 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 806 ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 ) 807 goto cleanup; 808 809 /* Import QP */ 810 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 811 ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 ) 812 goto cleanup; 813 814 #else 815 /* Verify existance of the CRT params */ 816 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 817 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 818 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ) 819 goto cleanup; 820 #endif 821 822 /* rsa_complete() doesn't complete anything with the default 823 * implementation but is still called: 824 * - for the benefit of alternative implementation that may want to 825 * pre-compute stuff beyond what's provided (eg Montgomery factors) 826 * - as is also sanity-checks the key 827 * 828 * Furthermore, we also check the public part for consistency with 829 * mbedtls_pk_parse_pubkey(), as it includes size minima for example. 830 */ 831 if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 || 832 ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 ) 833 { 834 goto cleanup; 835 } 836 837 if( p != end ) 838 { 839 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 840 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ; 841 } 842 843 cleanup: 844 845 mbedtls_mpi_free( &T ); 846 847 if( ret != 0 ) 848 { 849 /* Wrap error code if it's coming from a lower level */ 850 if( ( ret & 0xff80 ) == 0 ) 851 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret; 852 else 853 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 854 855 mbedtls_rsa_free( rsa ); 856 } 857 858 return( ret ); 859 } 860 #endif /* MBEDTLS_RSA_C */ 861 862 #if defined(MBEDTLS_ECP_C) 863 /* 864 * Parse a SEC1 encoded private EC key 865 */ 866 static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, 867 const unsigned char *key, 868 size_t keylen ) 869 { 870 int ret; 871 int version, pubkey_done; 872 size_t len; 873 mbedtls_asn1_buf params; 874 unsigned char *p = (unsigned char *) key; 875 unsigned char *end = p + keylen; 876 unsigned char *end2; 877 878 /* 879 * RFC 5915, or SEC1 Appendix C.4 880 * 881 * ECPrivateKey ::= SEQUENCE { 882 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), 883 * privateKey OCTET STRING, 884 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, 885 * publicKey [1] BIT STRING OPTIONAL 886 * } 887 */ 888 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 889 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 890 { 891 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 892 } 893 894 end = p + len; 895 896 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 897 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 898 899 if( version != 1 ) 900 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 901 902 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 903 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 904 905 if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 ) 906 { 907 mbedtls_ecp_keypair_free( eck ); 908 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 909 } 910 911 p += len; 912 913 pubkey_done = 0; 914 if( p != end ) 915 { 916 /* 917 * Is 'parameters' present? 918 */ 919 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 920 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 ) 921 { 922 if( ( ret = pk_get_ecparams( &p, p + len, ¶ms) ) != 0 || 923 ( ret = pk_use_ecparams( ¶ms, &eck->grp ) ) != 0 ) 924 { 925 mbedtls_ecp_keypair_free( eck ); 926 return( ret ); 927 } 928 } 929 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 930 { 931 mbedtls_ecp_keypair_free( eck ); 932 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 933 } 934 } 935 936 if( p != end ) 937 { 938 /* 939 * Is 'publickey' present? If not, or if we can't read it (eg because it 940 * is compressed), create it from the private key. 941 */ 942 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 943 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 ) 944 { 945 end2 = p + len; 946 947 if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 ) 948 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 949 950 if( p + len != end2 ) 951 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 952 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 953 954 if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 ) 955 pubkey_done = 1; 956 else 957 { 958 /* 959 * The only acceptable failure mode of pk_get_ecpubkey() above 960 * is if the point format is not recognized. 961 */ 962 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ) 963 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 964 } 965 } 966 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 967 { 968 mbedtls_ecp_keypair_free( eck ); 969 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 970 } 971 } 972 973 if( ! pubkey_done && 974 ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G, 975 NULL, NULL ) ) != 0 ) 976 { 977 mbedtls_ecp_keypair_free( eck ); 978 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 979 } 980 981 if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 ) 982 { 983 mbedtls_ecp_keypair_free( eck ); 984 return( ret ); 985 } 986 987 return( 0 ); 988 } 989 #endif /* MBEDTLS_ECP_C */ 990 991 /* 992 * Parse an unencrypted PKCS#8 encoded private key 993 * 994 * Notes: 995 * 996 * - This function does not own the key buffer. It is the 997 * responsibility of the caller to take care of zeroizing 998 * and freeing it after use. 999 * 1000 * - The function is responsible for freeing the provided 1001 * PK context on failure. 1002 * 1003 */ 1004 static int pk_parse_key_pkcs8_unencrypted_der( 1005 mbedtls_pk_context *pk, 1006 const unsigned char* key, 1007 size_t keylen ) 1008 { 1009 int ret, version; 1010 size_t len; 1011 mbedtls_asn1_buf params; 1012 unsigned char *p = (unsigned char *) key; 1013 unsigned char *end = p + keylen; 1014 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 1015 const mbedtls_pk_info_t *pk_info; 1016 1017 /* 1018 * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208) 1019 * 1020 * PrivateKeyInfo ::= SEQUENCE { 1021 * version Version, 1022 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, 1023 * privateKey PrivateKey, 1024 * attributes [0] IMPLICIT Attributes OPTIONAL } 1025 * 1026 * Version ::= INTEGER 1027 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier 1028 * PrivateKey ::= OCTET STRING 1029 * 1030 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey 1031 */ 1032 1033 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1034 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1035 { 1036 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1037 } 1038 1039 end = p + len; 1040 1041 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 1042 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1043 1044 if( version != 0 ) 1045 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret ); 1046 1047 if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 ) 1048 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1049 1050 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1051 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1052 1053 if( len < 1 ) 1054 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 1055 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 1056 1057 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 1058 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1059 1060 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 1061 return( ret ); 1062 1063 #if defined(MBEDTLS_RSA_C) 1064 if( pk_alg == MBEDTLS_PK_RSA ) 1065 { 1066 if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 ) 1067 { 1068 mbedtls_pk_free( pk ); 1069 return( ret ); 1070 } 1071 } else 1072 #endif /* MBEDTLS_RSA_C */ 1073 #if defined(MBEDTLS_ECP_C) 1074 if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH ) 1075 { 1076 if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 || 1077 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 ) 1078 { 1079 mbedtls_pk_free( pk ); 1080 return( ret ); 1081 } 1082 } else 1083 #endif /* MBEDTLS_ECP_C */ 1084 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1085 1086 return( 0 ); 1087 } 1088 1089 /* 1090 * Parse an encrypted PKCS#8 encoded private key 1091 * 1092 * To save space, the decryption happens in-place on the given key buffer. 1093 * Also, while this function may modify the keybuffer, it doesn't own it, 1094 * and instead it is the responsibility of the caller to zeroize and properly 1095 * free it after use. 1096 * 1097 */ 1098 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1099 static int pk_parse_key_pkcs8_encrypted_der( 1100 mbedtls_pk_context *pk, 1101 unsigned char *key, size_t keylen, 1102 const unsigned char *pwd, size_t pwdlen ) 1103 { 1104 int ret, decrypted = 0; 1105 size_t len; 1106 unsigned char *buf; 1107 unsigned char *p, *end; 1108 mbedtls_asn1_buf pbe_alg_oid, pbe_params; 1109 #if defined(MBEDTLS_PKCS12_C) 1110 mbedtls_cipher_type_t cipher_alg; 1111 mbedtls_md_type_t md_alg; 1112 #endif 1113 1114 p = key; 1115 end = p + keylen; 1116 1117 if( pwdlen == 0 ) 1118 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1119 1120 /* 1121 * This function parses the EncryptedPrivateKeyInfo object (PKCS#8) 1122 * 1123 * EncryptedPrivateKeyInfo ::= SEQUENCE { 1124 * encryptionAlgorithm EncryptionAlgorithmIdentifier, 1125 * encryptedData EncryptedData 1126 * } 1127 * 1128 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1129 * 1130 * EncryptedData ::= OCTET STRING 1131 * 1132 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo 1133 * 1134 */ 1135 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1136 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1137 { 1138 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1139 } 1140 1141 end = p + len; 1142 1143 if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 ) 1144 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1145 1146 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1147 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1148 1149 buf = p; 1150 1151 /* 1152 * Decrypt EncryptedData with appropriate PBE 1153 */ 1154 #if defined(MBEDTLS_PKCS12_C) 1155 if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 ) 1156 { 1157 if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, 1158 cipher_alg, md_alg, 1159 pwd, pwdlen, p, len, buf ) ) != 0 ) 1160 { 1161 if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH ) 1162 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1163 1164 return( ret ); 1165 } 1166 1167 decrypted = 1; 1168 } 1169 else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 ) 1170 { 1171 if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params, 1172 MBEDTLS_PKCS12_PBE_DECRYPT, 1173 pwd, pwdlen, 1174 p, len, buf ) ) != 0 ) 1175 { 1176 return( ret ); 1177 } 1178 1179 // Best guess for password mismatch when using RC4. If first tag is 1180 // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE 1181 // 1182 if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 1183 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1184 1185 decrypted = 1; 1186 } 1187 else 1188 #endif /* MBEDTLS_PKCS12_C */ 1189 #if defined(MBEDTLS_PKCS5_C) 1190 if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 ) 1191 { 1192 if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, 1193 p, len, buf ) ) != 0 ) 1194 { 1195 if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH ) 1196 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1197 1198 return( ret ); 1199 } 1200 1201 decrypted = 1; 1202 } 1203 else 1204 #endif /* MBEDTLS_PKCS5_C */ 1205 { 1206 ((void) pwd); 1207 } 1208 1209 if( decrypted == 0 ) 1210 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 1211 1212 return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) ); 1213 } 1214 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1215 1216 /* 1217 * Parse a private key 1218 */ 1219 int mbedtls_pk_parse_key( mbedtls_pk_context *pk, 1220 const unsigned char *key, size_t keylen, 1221 const unsigned char *pwd, size_t pwdlen ) 1222 { 1223 int ret; 1224 const mbedtls_pk_info_t *pk_info; 1225 #if defined(MBEDTLS_PEM_PARSE_C) 1226 size_t len; 1227 mbedtls_pem_context pem; 1228 #endif 1229 1230 PK_VALIDATE_RET( pk != NULL ); 1231 if( keylen == 0 ) 1232 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1233 PK_VALIDATE_RET( key != NULL ); 1234 1235 #if defined(MBEDTLS_PEM_PARSE_C) 1236 mbedtls_pem_init( &pem ); 1237 1238 #if defined(MBEDTLS_RSA_C) 1239 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1240 if( key[keylen - 1] != '\0' ) 1241 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1242 else 1243 ret = mbedtls_pem_read_buffer( &pem, 1244 "-----BEGIN RSA PRIVATE KEY-----", 1245 "-----END RSA PRIVATE KEY-----", 1246 key, pwd, pwdlen, &len ); 1247 1248 if( ret == 0 ) 1249 { 1250 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1251 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1252 ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), 1253 pem.buf, pem.buflen ) ) != 0 ) 1254 { 1255 mbedtls_pk_free( pk ); 1256 } 1257 1258 mbedtls_pem_free( &pem ); 1259 return( ret ); 1260 } 1261 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1262 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1263 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1264 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1265 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1266 return( ret ); 1267 #endif /* MBEDTLS_RSA_C */ 1268 1269 #if defined(MBEDTLS_ECP_C) 1270 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1271 if( key[keylen - 1] != '\0' ) 1272 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1273 else 1274 ret = mbedtls_pem_read_buffer( &pem, 1275 "-----BEGIN EC PRIVATE KEY-----", 1276 "-----END EC PRIVATE KEY-----", 1277 key, pwd, pwdlen, &len ); 1278 if( ret == 0 ) 1279 { 1280 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1281 1282 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1283 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1284 pem.buf, pem.buflen ) ) != 0 ) 1285 { 1286 mbedtls_pk_free( pk ); 1287 } 1288 1289 mbedtls_pem_free( &pem ); 1290 return( ret ); 1291 } 1292 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1293 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1294 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1295 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1296 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1297 return( ret ); 1298 #endif /* MBEDTLS_ECP_C */ 1299 1300 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1301 if( key[keylen - 1] != '\0' ) 1302 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1303 else 1304 ret = mbedtls_pem_read_buffer( &pem, 1305 "-----BEGIN PRIVATE KEY-----", 1306 "-----END PRIVATE KEY-----", 1307 key, NULL, 0, &len ); 1308 if( ret == 0 ) 1309 { 1310 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, 1311 pem.buf, pem.buflen ) ) != 0 ) 1312 { 1313 mbedtls_pk_free( pk ); 1314 } 1315 1316 mbedtls_pem_free( &pem ); 1317 return( ret ); 1318 } 1319 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1320 return( ret ); 1321 1322 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1323 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1324 if( key[keylen - 1] != '\0' ) 1325 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1326 else 1327 ret = mbedtls_pem_read_buffer( &pem, 1328 "-----BEGIN ENCRYPTED PRIVATE KEY-----", 1329 "-----END ENCRYPTED PRIVATE KEY-----", 1330 key, NULL, 0, &len ); 1331 if( ret == 0 ) 1332 { 1333 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, 1334 pem.buf, pem.buflen, 1335 pwd, pwdlen ) ) != 0 ) 1336 { 1337 mbedtls_pk_free( pk ); 1338 } 1339 1340 mbedtls_pem_free( &pem ); 1341 return( ret ); 1342 } 1343 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1344 return( ret ); 1345 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1346 #else 1347 ((void) pwd); 1348 ((void) pwdlen); 1349 #endif /* MBEDTLS_PEM_PARSE_C */ 1350 1351 /* 1352 * At this point we only know it's not a PEM formatted key. Could be any 1353 * of the known DER encoded private key formats 1354 * 1355 * We try the different DER format parsers to see if one passes without 1356 * error 1357 */ 1358 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1359 { 1360 unsigned char *key_copy; 1361 1362 if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL ) 1363 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 1364 1365 memcpy( key_copy, key, keylen ); 1366 1367 ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen, 1368 pwd, pwdlen ); 1369 1370 mbedtls_platform_zeroize( key_copy, keylen ); 1371 mbedtls_free( key_copy ); 1372 } 1373 1374 if( ret == 0 ) 1375 return( 0 ); 1376 1377 mbedtls_pk_free( pk ); 1378 mbedtls_pk_init( pk ); 1379 1380 if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH ) 1381 { 1382 return( ret ); 1383 } 1384 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1385 1386 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 ) 1387 return( 0 ); 1388 1389 mbedtls_pk_free( pk ); 1390 mbedtls_pk_init( pk ); 1391 1392 #if defined(MBEDTLS_RSA_C) 1393 1394 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1395 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1396 pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 ) 1397 { 1398 return( 0 ); 1399 } 1400 1401 mbedtls_pk_free( pk ); 1402 mbedtls_pk_init( pk ); 1403 #endif /* MBEDTLS_RSA_C */ 1404 1405 #if defined(MBEDTLS_ECP_C) 1406 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1407 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1408 pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1409 key, keylen ) == 0 ) 1410 { 1411 return( 0 ); 1412 } 1413 mbedtls_pk_free( pk ); 1414 #endif /* MBEDTLS_ECP_C */ 1415 1416 /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't, 1417 * it is ok to leave the PK context initialized but not 1418 * freed: It is the caller's responsibility to call pk_init() 1419 * before calling this function, and to call pk_free() 1420 * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C 1421 * isn't, this leads to mbedtls_pk_free() being called 1422 * twice, once here and once by the caller, but this is 1423 * also ok and in line with the mbedtls_pk_free() calls 1424 * on failed PEM parsing attempts. */ 1425 1426 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1427 } 1428 1429 /* 1430 * Parse a public key 1431 */ 1432 int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, 1433 const unsigned char *key, size_t keylen ) 1434 { 1435 int ret; 1436 unsigned char *p; 1437 #if defined(MBEDTLS_RSA_C) 1438 const mbedtls_pk_info_t *pk_info; 1439 #endif 1440 #if defined(MBEDTLS_PEM_PARSE_C) 1441 size_t len; 1442 mbedtls_pem_context pem; 1443 #endif 1444 1445 PK_VALIDATE_RET( ctx != NULL ); 1446 if( keylen == 0 ) 1447 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1448 PK_VALIDATE_RET( key != NULL || keylen == 0 ); 1449 1450 #if defined(MBEDTLS_PEM_PARSE_C) 1451 mbedtls_pem_init( &pem ); 1452 #if defined(MBEDTLS_RSA_C) 1453 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1454 if( key[keylen - 1] != '\0' ) 1455 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1456 else 1457 ret = mbedtls_pem_read_buffer( &pem, 1458 "-----BEGIN RSA PUBLIC KEY-----", 1459 "-----END RSA PUBLIC KEY-----", 1460 key, NULL, 0, &len ); 1461 1462 if( ret == 0 ) 1463 { 1464 p = pem.buf; 1465 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) 1466 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1467 1468 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 ) 1469 return( ret ); 1470 1471 if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 ) 1472 mbedtls_pk_free( ctx ); 1473 1474 mbedtls_pem_free( &pem ); 1475 return( ret ); 1476 } 1477 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1478 { 1479 mbedtls_pem_free( &pem ); 1480 return( ret ); 1481 } 1482 #endif /* MBEDTLS_RSA_C */ 1483 1484 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1485 if( key[keylen - 1] != '\0' ) 1486 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1487 else 1488 ret = mbedtls_pem_read_buffer( &pem, 1489 "-----BEGIN PUBLIC KEY-----", 1490 "-----END PUBLIC KEY-----", 1491 key, NULL, 0, &len ); 1492 1493 if( ret == 0 ) 1494 { 1495 /* 1496 * Was PEM encoded 1497 */ 1498 p = pem.buf; 1499 1500 ret = mbedtls_pk_parse_subpubkey( &p, p + pem.buflen, ctx ); 1501 mbedtls_pem_free( &pem ); 1502 return( ret ); 1503 } 1504 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1505 { 1506 mbedtls_pem_free( &pem ); 1507 return( ret ); 1508 } 1509 mbedtls_pem_free( &pem ); 1510 #endif /* MBEDTLS_PEM_PARSE_C */ 1511 1512 #if defined(MBEDTLS_RSA_C) 1513 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL ) 1514 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1515 1516 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 ) 1517 return( ret ); 1518 1519 p = (unsigned char *)key; 1520 ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) ); 1521 if( ret == 0 ) 1522 { 1523 return( ret ); 1524 } 1525 mbedtls_pk_free( ctx ); 1526 if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) 1527 { 1528 return( ret ); 1529 } 1530 #endif /* MBEDTLS_RSA_C */ 1531 p = (unsigned char *) key; 1532 1533 ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx ); 1534 1535 return( ret ); 1536 } 1537 1538 #endif /* MBEDTLS_PK_PARSE_C */ 1539