1 /* 2 * Public Key layer for parsing key files and structures 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #if defined(MBEDTLS_PK_PARSE_C) 23 24 #include "mbedtls/pk.h" 25 #include "mbedtls/asn1.h" 26 #include "mbedtls/oid.h" 27 #include "mbedtls/platform_util.h" 28 #include "mbedtls/error.h" 29 30 #include <string.h> 31 32 #if defined(MBEDTLS_RSA_C) 33 #include "mbedtls/rsa.h" 34 #endif 35 #if defined(MBEDTLS_ECP_C) 36 #include "mbedtls/ecp.h" 37 #endif 38 #if defined(MBEDTLS_ECDSA_C) 39 #include "mbedtls/ecdsa.h" 40 #endif 41 #if defined(MBEDTLS_PEM_PARSE_C) 42 #include "mbedtls/pem.h" 43 #endif 44 #if defined(MBEDTLS_PKCS5_C) 45 #include "mbedtls/pkcs5.h" 46 #endif 47 #if defined(MBEDTLS_PKCS12_C) 48 #include "mbedtls/pkcs12.h" 49 #endif 50 51 #include "mbedtls/platform.h" 52 53 #if defined(MBEDTLS_FS_IO) 54 /* 55 * Load all data from a file into a given buffer. 56 * 57 * The file is expected to contain either PEM or DER encoded data. 58 * A terminating null byte is always appended. It is included in the announced 59 * length only if the data looks like it is PEM encoded. 60 */ 61 int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n) 62 { 63 FILE *f; 64 long size; 65 66 if ((f = fopen(path, "rb")) == NULL) { 67 return MBEDTLS_ERR_PK_FILE_IO_ERROR; 68 } 69 70 /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */ 71 mbedtls_setbuf(f, NULL); 72 73 fseek(f, 0, SEEK_END); 74 if ((size = ftell(f)) == -1) { 75 fclose(f); 76 return MBEDTLS_ERR_PK_FILE_IO_ERROR; 77 } 78 fseek(f, 0, SEEK_SET); 79 80 *n = (size_t) size; 81 82 if (*n + 1 == 0 || 83 (*buf = mbedtls_calloc(1, *n + 1)) == NULL) { 84 fclose(f); 85 return MBEDTLS_ERR_PK_ALLOC_FAILED; 86 } 87 88 if (fread(*buf, 1, *n, f) != *n) { 89 fclose(f); 90 91 mbedtls_platform_zeroize(*buf, *n); 92 mbedtls_free(*buf); 93 94 return MBEDTLS_ERR_PK_FILE_IO_ERROR; 95 } 96 97 fclose(f); 98 99 (*buf)[*n] = '\0'; 100 101 if (strstr((const char *) *buf, "-----BEGIN ") != NULL) { 102 ++*n; 103 } 104 105 return 0; 106 } 107 108 /* 109 * Load and parse a private key 110 */ 111 int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx, 112 const char *path, const char *pwd, 113 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 114 { 115 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 116 size_t n; 117 unsigned char *buf; 118 119 if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { 120 return ret; 121 } 122 123 if (pwd == NULL) { 124 ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0, f_rng, p_rng); 125 } else { 126 ret = mbedtls_pk_parse_key(ctx, buf, n, 127 (const unsigned char *) pwd, strlen(pwd), f_rng, p_rng); 128 } 129 130 mbedtls_platform_zeroize(buf, n); 131 mbedtls_free(buf); 132 133 return ret; 134 } 135 136 /* 137 * Load and parse a public key 138 */ 139 int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path) 140 { 141 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 142 size_t n; 143 unsigned char *buf; 144 145 if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { 146 return ret; 147 } 148 149 ret = mbedtls_pk_parse_public_key(ctx, buf, n); 150 151 mbedtls_platform_zeroize(buf, n); 152 mbedtls_free(buf); 153 154 return ret; 155 } 156 #endif /* MBEDTLS_FS_IO */ 157 158 #if defined(MBEDTLS_ECP_C) 159 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf 160 * 161 * ECParameters ::= CHOICE { 162 * namedCurve OBJECT IDENTIFIER 163 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 164 * -- implicitCurve NULL 165 * } 166 */ 167 static int pk_get_ecparams(unsigned char **p, const unsigned char *end, 168 mbedtls_asn1_buf *params) 169 { 170 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 171 172 if (end - *p < 1) { 173 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 174 MBEDTLS_ERR_ASN1_OUT_OF_DATA); 175 } 176 177 /* Tag may be either OID or SEQUENCE */ 178 params->tag = **p; 179 if (params->tag != MBEDTLS_ASN1_OID 180 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 181 && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) 182 #endif 183 ) { 184 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 185 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 186 } 187 188 if ((ret = mbedtls_asn1_get_tag(p, end, ¶ms->len, params->tag)) != 0) { 189 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 190 } 191 192 params->p = *p; 193 *p += params->len; 194 195 if (*p != end) { 196 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 197 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 198 } 199 200 return 0; 201 } 202 203 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 204 /* 205 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. 206 * WARNING: the resulting group should only be used with 207 * pk_group_id_from_specified(), since its base point may not be set correctly 208 * if it was encoded compressed. 209 * 210 * SpecifiedECDomain ::= SEQUENCE { 211 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...), 212 * fieldID FieldID {{FieldTypes}}, 213 * curve Curve, 214 * base ECPoint, 215 * order INTEGER, 216 * cofactor INTEGER OPTIONAL, 217 * hash HashAlgorithm OPTIONAL, 218 * ... 219 * } 220 * 221 * We only support prime-field as field type, and ignore hash and cofactor. 222 */ 223 static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp) 224 { 225 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 226 unsigned char *p = params->p; 227 const unsigned char * const end = params->p + params->len; 228 const unsigned char *end_field, *end_curve; 229 size_t len; 230 int ver; 231 232 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */ 233 if ((ret = mbedtls_asn1_get_int(&p, end, &ver)) != 0) { 234 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 235 } 236 237 if (ver < 1 || ver > 3) { 238 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 239 } 240 241 /* 242 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field 243 * fieldType FIELD-ID.&id({IOSet}), 244 * parameters FIELD-ID.&Type({IOSet}{@fieldType}) 245 * } 246 */ 247 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 248 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 249 return ret; 250 } 251 252 end_field = p + len; 253 254 /* 255 * FIELD-ID ::= TYPE-IDENTIFIER 256 * FieldTypes FIELD-ID ::= { 257 * { Prime-p IDENTIFIED BY prime-field } | 258 * { Characteristic-two IDENTIFIED BY characteristic-two-field } 259 * } 260 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 261 */ 262 if ((ret = mbedtls_asn1_get_tag(&p, end_field, &len, MBEDTLS_ASN1_OID)) != 0) { 263 return ret; 264 } 265 266 if (len != MBEDTLS_OID_SIZE(MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD) || 267 memcmp(p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len) != 0) { 268 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 269 } 270 271 p += len; 272 273 /* Prime-p ::= INTEGER -- Field of size p. */ 274 if ((ret = mbedtls_asn1_get_mpi(&p, end_field, &grp->P)) != 0) { 275 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 276 } 277 278 grp->pbits = mbedtls_mpi_bitlen(&grp->P); 279 280 if (p != end_field) { 281 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 282 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 283 } 284 285 /* 286 * Curve ::= SEQUENCE { 287 * a FieldElement, 288 * b FieldElement, 289 * seed BIT STRING OPTIONAL 290 * -- Shall be present if used in SpecifiedECDomain 291 * -- with version equal to ecdpVer2 or ecdpVer3 292 * } 293 */ 294 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 295 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 296 return ret; 297 } 298 299 end_curve = p + len; 300 301 /* 302 * FieldElement ::= OCTET STRING 303 * containing an integer in the case of a prime field 304 */ 305 if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 || 306 (ret = mbedtls_mpi_read_binary(&grp->A, p, len)) != 0) { 307 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 308 } 309 310 p += len; 311 312 if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 || 313 (ret = mbedtls_mpi_read_binary(&grp->B, p, len)) != 0) { 314 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 315 } 316 317 p += len; 318 319 /* Ignore seed BIT STRING OPTIONAL */ 320 if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING)) == 0) { 321 p += len; 322 } 323 324 if (p != end_curve) { 325 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 326 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 327 } 328 329 /* 330 * ECPoint ::= OCTET STRING 331 */ 332 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { 333 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 334 } 335 336 if ((ret = mbedtls_ecp_point_read_binary(grp, &grp->G, 337 (const unsigned char *) p, len)) != 0) { 338 /* 339 * If we can't read the point because it's compressed, cheat by 340 * reading only the X coordinate and the parity bit of Y. 341 */ 342 if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE || 343 (p[0] != 0x02 && p[0] != 0x03) || 344 len != mbedtls_mpi_size(&grp->P) + 1 || 345 mbedtls_mpi_read_binary(&grp->G.X, p + 1, len - 1) != 0 || 346 mbedtls_mpi_lset(&grp->G.Y, p[0] - 2) != 0 || 347 mbedtls_mpi_lset(&grp->G.Z, 1) != 0) { 348 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 349 } 350 } 351 352 p += len; 353 354 /* 355 * order INTEGER 356 */ 357 if ((ret = mbedtls_asn1_get_mpi(&p, end, &grp->N)) != 0) { 358 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 359 } 360 361 grp->nbits = mbedtls_mpi_bitlen(&grp->N); 362 363 /* 364 * Allow optional elements by purposefully not enforcing p == end here. 365 */ 366 367 return 0; 368 } 369 370 /* 371 * Find the group id associated with an (almost filled) group as generated by 372 * pk_group_from_specified(), or return an error if unknown. 373 */ 374 static int pk_group_id_from_group(const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id) 375 { 376 int ret = 0; 377 mbedtls_ecp_group ref; 378 const mbedtls_ecp_group_id *id; 379 380 mbedtls_ecp_group_init(&ref); 381 382 for (id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++) { 383 /* Load the group associated to that id */ 384 mbedtls_ecp_group_free(&ref); 385 MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ref, *id)); 386 387 /* Compare to the group we were given, starting with easy tests */ 388 if (grp->pbits == ref.pbits && grp->nbits == ref.nbits && 389 mbedtls_mpi_cmp_mpi(&grp->P, &ref.P) == 0 && 390 mbedtls_mpi_cmp_mpi(&grp->A, &ref.A) == 0 && 391 mbedtls_mpi_cmp_mpi(&grp->B, &ref.B) == 0 && 392 mbedtls_mpi_cmp_mpi(&grp->N, &ref.N) == 0 && 393 mbedtls_mpi_cmp_mpi(&grp->G.X, &ref.G.X) == 0 && 394 mbedtls_mpi_cmp_mpi(&grp->G.Z, &ref.G.Z) == 0 && 395 /* For Y we may only know the parity bit, so compare only that */ 396 mbedtls_mpi_get_bit(&grp->G.Y, 0) == mbedtls_mpi_get_bit(&ref.G.Y, 0)) { 397 break; 398 } 399 400 } 401 402 cleanup: 403 mbedtls_ecp_group_free(&ref); 404 405 *grp_id = *id; 406 407 if (ret == 0 && *id == MBEDTLS_ECP_DP_NONE) { 408 ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; 409 } 410 411 return ret; 412 } 413 414 /* 415 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID 416 */ 417 static int pk_group_id_from_specified(const mbedtls_asn1_buf *params, 418 mbedtls_ecp_group_id *grp_id) 419 { 420 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 421 mbedtls_ecp_group grp; 422 423 mbedtls_ecp_group_init(&grp); 424 425 if ((ret = pk_group_from_specified(params, &grp)) != 0) { 426 goto cleanup; 427 } 428 429 ret = pk_group_id_from_group(&grp, grp_id); 430 431 cleanup: 432 /* The API respecting lifecycle for mbedtls_ecp_group struct is 433 * _init(), _load() and _free(). In pk_group_id_from_specified() the 434 * temporary grp breaks that flow and it's members are populated 435 * by pk_group_id_from_group(). As such mbedtls_ecp_group_free() 436 * which is assuming a group populated by _setup() may not clean-up 437 * properly -> Manually free it's members. 438 */ 439 mbedtls_mpi_free(&grp.N); 440 mbedtls_mpi_free(&grp.P); 441 mbedtls_mpi_free(&grp.A); 442 mbedtls_mpi_free(&grp.B); 443 mbedtls_ecp_point_free(&grp.G); 444 445 return ret; 446 } 447 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ 448 449 /* 450 * Use EC parameters to initialise an EC group 451 * 452 * ECParameters ::= CHOICE { 453 * namedCurve OBJECT IDENTIFIER 454 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 455 * -- implicitCurve NULL 456 */ 457 static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp) 458 { 459 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 460 mbedtls_ecp_group_id grp_id; 461 462 if (params->tag == MBEDTLS_ASN1_OID) { 463 if (mbedtls_oid_get_ec_grp(params, &grp_id) != 0) { 464 return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE; 465 } 466 } else { 467 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 468 if ((ret = pk_group_id_from_specified(params, &grp_id)) != 0) { 469 return ret; 470 } 471 #else 472 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 473 #endif 474 } 475 476 /* 477 * grp may already be initialized; if so, make sure IDs match 478 */ 479 if (grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id) { 480 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 481 } 482 483 if ((ret = mbedtls_ecp_group_load(grp, grp_id)) != 0) { 484 return ret; 485 } 486 487 return 0; 488 } 489 490 /* 491 * EC public key is an EC point 492 * 493 * The caller is responsible for clearing the structure upon failure if 494 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE 495 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. 496 */ 497 static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, 498 mbedtls_ecp_keypair *key) 499 { 500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 501 502 if ((ret = mbedtls_ecp_point_read_binary(&key->grp, &key->Q, 503 (const unsigned char *) *p, end - *p)) == 0) { 504 ret = mbedtls_ecp_check_pubkey(&key->grp, &key->Q); 505 } 506 507 /* 508 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed 509 */ 510 *p = (unsigned char *) end; 511 512 return ret; 513 } 514 #endif /* MBEDTLS_ECP_C */ 515 516 #if defined(MBEDTLS_RSA_C) 517 /* 518 * RSAPublicKey ::= SEQUENCE { 519 * modulus INTEGER, -- n 520 * publicExponent INTEGER -- e 521 * } 522 */ 523 static int pk_get_rsapubkey(unsigned char **p, 524 const unsigned char *end, 525 mbedtls_rsa_context *rsa) 526 { 527 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 528 size_t len; 529 530 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 531 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 532 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); 533 } 534 535 if (*p + len != end) { 536 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, 537 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 538 } 539 540 /* Import N */ 541 if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { 542 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); 543 } 544 545 if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, 546 NULL, 0, NULL, 0)) != 0) { 547 return MBEDTLS_ERR_PK_INVALID_PUBKEY; 548 } 549 550 *p += len; 551 552 /* Import E */ 553 if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { 554 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); 555 } 556 557 if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, 558 NULL, 0, *p, len)) != 0) { 559 return MBEDTLS_ERR_PK_INVALID_PUBKEY; 560 } 561 562 *p += len; 563 564 if (mbedtls_rsa_complete(rsa) != 0 || 565 mbedtls_rsa_check_pubkey(rsa) != 0) { 566 return MBEDTLS_ERR_PK_INVALID_PUBKEY; 567 } 568 569 if (*p != end) { 570 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, 571 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 572 } 573 574 return 0; 575 } 576 #endif /* MBEDTLS_RSA_C */ 577 578 /* Get a PK algorithm identifier 579 * 580 * AlgorithmIdentifier ::= SEQUENCE { 581 * algorithm OBJECT IDENTIFIER, 582 * parameters ANY DEFINED BY algorithm OPTIONAL } 583 */ 584 static int pk_get_pk_alg(unsigned char **p, 585 const unsigned char *end, 586 mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params) 587 { 588 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 589 mbedtls_asn1_buf alg_oid; 590 591 memset(params, 0, sizeof(mbedtls_asn1_buf)); 592 593 if ((ret = mbedtls_asn1_get_alg(p, end, &alg_oid, params)) != 0) { 594 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_ALG, ret); 595 } 596 597 if (mbedtls_oid_get_pk_alg(&alg_oid, pk_alg) != 0) { 598 return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 599 } 600 601 /* 602 * No parameters with RSA (only for EC) 603 */ 604 if (*pk_alg == MBEDTLS_PK_RSA && 605 ((params->tag != MBEDTLS_ASN1_NULL && params->tag != 0) || 606 params->len != 0)) { 607 return MBEDTLS_ERR_PK_INVALID_ALG; 608 } 609 610 return 0; 611 } 612 613 /* 614 * SubjectPublicKeyInfo ::= SEQUENCE { 615 * algorithm AlgorithmIdentifier, 616 * subjectPublicKey BIT STRING } 617 */ 618 int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, 619 mbedtls_pk_context *pk) 620 { 621 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 622 size_t len; 623 mbedtls_asn1_buf alg_params; 624 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 625 const mbedtls_pk_info_t *pk_info; 626 627 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 628 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 629 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 630 } 631 632 end = *p + len; 633 634 if ((ret = pk_get_pk_alg(p, end, &pk_alg, &alg_params)) != 0) { 635 return ret; 636 } 637 638 if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) { 639 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); 640 } 641 642 if (*p + len != end) { 643 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, 644 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 645 } 646 647 if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) { 648 return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 649 } 650 651 if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) { 652 return ret; 653 } 654 655 #if defined(MBEDTLS_RSA_C) 656 if (pk_alg == MBEDTLS_PK_RSA) { 657 ret = pk_get_rsapubkey(p, end, mbedtls_pk_rsa(*pk)); 658 } else 659 #endif /* MBEDTLS_RSA_C */ 660 #if defined(MBEDTLS_ECP_C) 661 if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) { 662 ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec(*pk)->grp); 663 if (ret == 0) { 664 ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec(*pk)); 665 } 666 } else 667 #endif /* MBEDTLS_ECP_C */ 668 ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 669 670 if (ret == 0 && *p != end) { 671 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, 672 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 673 } 674 675 if (ret != 0) { 676 mbedtls_pk_free(pk); 677 } 678 679 return ret; 680 } 681 682 #if defined(MBEDTLS_RSA_C) 683 /* 684 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. 685 * 686 * The value zero is: 687 * - never a valid value for an RSA parameter 688 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). 689 * 690 * Since values can't be omitted in PKCS#1, passing a zero value to 691 * rsa_complete() would be incorrect, so reject zero values early. 692 */ 693 static int asn1_get_nonzero_mpi(unsigned char **p, 694 const unsigned char *end, 695 mbedtls_mpi *X) 696 { 697 int ret; 698 699 ret = mbedtls_asn1_get_mpi(p, end, X); 700 if (ret != 0) { 701 return ret; 702 } 703 704 if (mbedtls_mpi_cmp_int(X, 0) == 0) { 705 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 706 } 707 708 return 0; 709 } 710 711 /* 712 * Parse a PKCS#1 encoded private RSA key 713 */ 714 static int pk_parse_key_pkcs1_der(mbedtls_rsa_context *rsa, 715 const unsigned char *key, 716 size_t keylen) 717 { 718 int ret, version; 719 size_t len; 720 unsigned char *p, *end; 721 722 mbedtls_mpi T; 723 mbedtls_mpi_init(&T); 724 725 p = (unsigned char *) key; 726 end = p + keylen; 727 728 /* 729 * This function parses the RSAPrivateKey (PKCS#1) 730 * 731 * RSAPrivateKey ::= SEQUENCE { 732 * version Version, 733 * modulus INTEGER, -- n 734 * publicExponent INTEGER, -- e 735 * privateExponent INTEGER, -- d 736 * prime1 INTEGER, -- p 737 * prime2 INTEGER, -- q 738 * exponent1 INTEGER, -- d mod (p-1) 739 * exponent2 INTEGER, -- d mod (q-1) 740 * coefficient INTEGER, -- (inverse of q) mod p 741 * otherPrimeInfos OtherPrimeInfos OPTIONAL 742 * } 743 */ 744 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 745 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 746 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 747 } 748 749 end = p + len; 750 751 if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { 752 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 753 } 754 755 if (version != 0) { 756 return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; 757 } 758 759 /* Import N */ 760 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 761 (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, 762 NULL, NULL)) != 0) { 763 goto cleanup; 764 } 765 766 /* Import E */ 767 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 768 (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, 769 NULL, &T)) != 0) { 770 goto cleanup; 771 } 772 773 /* Import D */ 774 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 775 (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, 776 &T, NULL)) != 0) { 777 goto cleanup; 778 } 779 780 /* Import P */ 781 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 782 (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, 783 NULL, NULL)) != 0) { 784 goto cleanup; 785 } 786 787 /* Import Q */ 788 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 789 (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, 790 NULL, NULL)) != 0) { 791 goto cleanup; 792 } 793 794 #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) 795 /* 796 * The RSA CRT parameters DP, DQ and QP are nominally redundant, in 797 * that they can be easily recomputed from D, P and Q. However by 798 * parsing them from the PKCS1 structure it is possible to avoid 799 * recalculating them which both reduces the overhead of loading 800 * RSA private keys into memory and also avoids side channels which 801 * can arise when computing those values, since all of D, P, and Q 802 * are secret. See https://eprint.iacr.org/2020/055 for a 803 * description of one such attack. 804 */ 805 806 /* Import DP */ 807 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 808 (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { 809 goto cleanup; 810 } 811 812 /* Import DQ */ 813 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 814 (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { 815 goto cleanup; 816 } 817 818 /* Import QP */ 819 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 820 (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { 821 goto cleanup; 822 } 823 824 #else 825 /* Verify existence of the CRT params */ 826 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 827 (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 828 (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { 829 goto cleanup; 830 } 831 #endif 832 833 /* rsa_complete() doesn't complete anything with the default 834 * implementation but is still called: 835 * - for the benefit of alternative implementation that may want to 836 * pre-compute stuff beyond what's provided (eg Montgomery factors) 837 * - as is also sanity-checks the key 838 * 839 * Furthermore, we also check the public part for consistency with 840 * mbedtls_pk_parse_pubkey(), as it includes size minima for example. 841 */ 842 if ((ret = mbedtls_rsa_complete(rsa)) != 0 || 843 (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { 844 goto cleanup; 845 } 846 847 if (p != end) { 848 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 849 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 850 } 851 852 cleanup: 853 854 mbedtls_mpi_free(&T); 855 856 if (ret != 0) { 857 /* Wrap error code if it's coming from a lower level */ 858 if ((ret & 0xff80) == 0) { 859 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 860 } else { 861 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 862 } 863 864 mbedtls_rsa_free(rsa); 865 } 866 867 return ret; 868 } 869 #endif /* MBEDTLS_RSA_C */ 870 871 #if defined(MBEDTLS_ECP_C) 872 /* 873 * Parse a SEC1 encoded private EC key 874 */ 875 static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck, 876 const unsigned char *key, size_t keylen, 877 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 878 { 879 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 880 int version, pubkey_done; 881 size_t len; 882 mbedtls_asn1_buf params = { 0, 0, NULL }; 883 unsigned char *p = (unsigned char *) key; 884 unsigned char *end = p + keylen; 885 unsigned char *end2; 886 887 /* 888 * RFC 5915, or SEC1 Appendix C.4 889 * 890 * ECPrivateKey ::= SEQUENCE { 891 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), 892 * privateKey OCTET STRING, 893 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, 894 * publicKey [1] BIT STRING OPTIONAL 895 * } 896 */ 897 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 898 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 899 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 900 } 901 902 end = p + len; 903 904 if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { 905 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 906 } 907 908 if (version != 1) { 909 return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; 910 } 911 912 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { 913 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 914 } 915 916 if ((ret = mbedtls_mpi_read_binary(&eck->d, p, len)) != 0) { 917 mbedtls_ecp_keypair_free(eck); 918 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 919 } 920 921 p += len; 922 923 pubkey_done = 0; 924 if (p != end) { 925 /* 926 * Is 'parameters' present? 927 */ 928 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 929 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 930 0)) == 0) { 931 if ((ret = pk_get_ecparams(&p, p + len, ¶ms)) != 0 || 932 (ret = pk_use_ecparams(¶ms, &eck->grp)) != 0) { 933 mbedtls_ecp_keypair_free(eck); 934 return ret; 935 } 936 } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 937 mbedtls_ecp_keypair_free(eck); 938 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 939 } 940 } 941 942 if (p != end) { 943 /* 944 * Is 'publickey' present? If not, or if we can't read it (eg because it 945 * is compressed), create it from the private key. 946 */ 947 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 948 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 949 1)) == 0) { 950 end2 = p + len; 951 952 if ((ret = mbedtls_asn1_get_bitstring_null(&p, end2, &len)) != 0) { 953 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 954 } 955 956 if (p + len != end2) { 957 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 958 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 959 } 960 961 if ((ret = pk_get_ecpubkey(&p, end2, eck)) == 0) { 962 pubkey_done = 1; 963 } else { 964 /* 965 * The only acceptable failure mode of pk_get_ecpubkey() above 966 * is if the point format is not recognized. 967 */ 968 if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) { 969 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 970 } 971 } 972 } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 973 mbedtls_ecp_keypair_free(eck); 974 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 975 } 976 } 977 978 if (!pubkey_done && 979 (ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, 980 f_rng, p_rng)) != 0) { 981 mbedtls_ecp_keypair_free(eck); 982 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 983 } 984 985 if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) { 986 mbedtls_ecp_keypair_free(eck); 987 return ret; 988 } 989 990 return 0; 991 } 992 #endif /* MBEDTLS_ECP_C */ 993 994 /* 995 * Parse an unencrypted PKCS#8 encoded private key 996 * 997 * Notes: 998 * 999 * - This function does not own the key buffer. It is the 1000 * responsibility of the caller to take care of zeroizing 1001 * and freeing it after use. 1002 * 1003 * - The function is responsible for freeing the provided 1004 * PK context on failure. 1005 * 1006 */ 1007 static int pk_parse_key_pkcs8_unencrypted_der( 1008 mbedtls_pk_context *pk, 1009 const unsigned char *key, size_t keylen, 1010 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1011 { 1012 int ret, version; 1013 size_t len; 1014 mbedtls_asn1_buf params; 1015 unsigned char *p = (unsigned char *) key; 1016 unsigned char *end = p + keylen; 1017 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 1018 const mbedtls_pk_info_t *pk_info; 1019 1020 #if !defined(MBEDTLS_ECP_C) 1021 (void) f_rng; 1022 (void) p_rng; 1023 #endif 1024 1025 /* 1026 * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208) 1027 * 1028 * PrivateKeyInfo ::= SEQUENCE { 1029 * version Version, 1030 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, 1031 * privateKey PrivateKey, 1032 * attributes [0] IMPLICIT Attributes OPTIONAL } 1033 * 1034 * Version ::= INTEGER 1035 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier 1036 * PrivateKey ::= OCTET STRING 1037 * 1038 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey 1039 */ 1040 1041 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 1042 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 1043 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 1044 } 1045 1046 end = p + len; 1047 1048 if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { 1049 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 1050 } 1051 1052 if (version != 0) { 1053 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret); 1054 } 1055 1056 if ((ret = pk_get_pk_alg(&p, end, &pk_alg, ¶ms)) != 0) { 1057 return ret; 1058 } 1059 1060 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { 1061 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 1062 } 1063 1064 if (len < 1) { 1065 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, 1066 MBEDTLS_ERR_ASN1_OUT_OF_DATA); 1067 } 1068 1069 if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) { 1070 return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 1071 } 1072 1073 if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) { 1074 return ret; 1075 } 1076 1077 #if defined(MBEDTLS_RSA_C) 1078 if (pk_alg == MBEDTLS_PK_RSA) { 1079 if ((ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), p, len)) != 0) { 1080 mbedtls_pk_free(pk); 1081 return ret; 1082 } 1083 } else 1084 #endif /* MBEDTLS_RSA_C */ 1085 #if defined(MBEDTLS_ECP_C) 1086 if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) { 1087 if ((ret = pk_use_ecparams(¶ms, &mbedtls_pk_ec(*pk)->grp)) != 0 || 1088 (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), p, len, f_rng, p_rng)) != 0) { 1089 mbedtls_pk_free(pk); 1090 return ret; 1091 } 1092 } else 1093 #endif /* MBEDTLS_ECP_C */ 1094 return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 1095 1096 return 0; 1097 } 1098 1099 /* 1100 * Parse an encrypted PKCS#8 encoded private key 1101 * 1102 * To save space, the decryption happens in-place on the given key buffer. 1103 * Also, while this function may modify the keybuffer, it doesn't own it, 1104 * and instead it is the responsibility of the caller to zeroize and properly 1105 * free it after use. 1106 * 1107 */ 1108 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1109 static int pk_parse_key_pkcs8_encrypted_der( 1110 mbedtls_pk_context *pk, 1111 unsigned char *key, size_t keylen, 1112 const unsigned char *pwd, size_t pwdlen, 1113 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1114 { 1115 int ret, decrypted = 0; 1116 size_t len; 1117 unsigned char *buf; 1118 unsigned char *p, *end; 1119 mbedtls_asn1_buf pbe_alg_oid, pbe_params; 1120 #if defined(MBEDTLS_PKCS12_C) 1121 mbedtls_cipher_type_t cipher_alg; 1122 mbedtls_md_type_t md_alg; 1123 #endif 1124 1125 p = key; 1126 end = p + keylen; 1127 1128 if (pwdlen == 0) { 1129 return MBEDTLS_ERR_PK_PASSWORD_REQUIRED; 1130 } 1131 1132 /* 1133 * This function parses the EncryptedPrivateKeyInfo object (PKCS#8) 1134 * 1135 * EncryptedPrivateKeyInfo ::= SEQUENCE { 1136 * encryptionAlgorithm EncryptionAlgorithmIdentifier, 1137 * encryptedData EncryptedData 1138 * } 1139 * 1140 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1141 * 1142 * EncryptedData ::= OCTET STRING 1143 * 1144 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo 1145 * 1146 */ 1147 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 1148 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 1149 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 1150 } 1151 1152 end = p + len; 1153 1154 if ((ret = mbedtls_asn1_get_alg(&p, end, &pbe_alg_oid, &pbe_params)) != 0) { 1155 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 1156 } 1157 1158 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) { 1159 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); 1160 } 1161 1162 buf = p; 1163 1164 /* 1165 * Decrypt EncryptedData with appropriate PBE 1166 */ 1167 #if defined(MBEDTLS_PKCS12_C) 1168 if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) { 1169 if ((ret = mbedtls_pkcs12_pbe(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, 1170 cipher_alg, md_alg, 1171 pwd, pwdlen, p, len, buf)) != 0) { 1172 if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) { 1173 return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; 1174 } 1175 1176 return ret; 1177 } 1178 1179 decrypted = 1; 1180 } else 1181 #endif /* MBEDTLS_PKCS12_C */ 1182 #if defined(MBEDTLS_PKCS5_C) 1183 if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) { 1184 if ((ret = mbedtls_pkcs5_pbes2(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, 1185 p, len, buf)) != 0) { 1186 if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) { 1187 return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; 1188 } 1189 1190 return ret; 1191 } 1192 1193 decrypted = 1; 1194 } else 1195 #endif /* MBEDTLS_PKCS5_C */ 1196 { 1197 ((void) pwd); 1198 } 1199 1200 if (decrypted == 0) { 1201 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 1202 } 1203 1204 return pk_parse_key_pkcs8_unencrypted_der(pk, buf, len, f_rng, p_rng); 1205 } 1206 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1207 1208 /* 1209 * Parse a private key 1210 */ 1211 int mbedtls_pk_parse_key(mbedtls_pk_context *pk, 1212 const unsigned char *key, size_t keylen, 1213 const unsigned char *pwd, size_t pwdlen, 1214 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1215 { 1216 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1217 const mbedtls_pk_info_t *pk_info; 1218 #if defined(MBEDTLS_PEM_PARSE_C) 1219 size_t len; 1220 mbedtls_pem_context pem; 1221 #endif 1222 1223 if (keylen == 0) { 1224 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 1225 } 1226 1227 #if defined(MBEDTLS_PEM_PARSE_C) 1228 mbedtls_pem_init(&pem); 1229 1230 #if defined(MBEDTLS_RSA_C) 1231 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1232 if (key[keylen - 1] != '\0') { 1233 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1234 } else { 1235 ret = mbedtls_pem_read_buffer(&pem, 1236 "-----BEGIN RSA PRIVATE KEY-----", 1237 "-----END RSA PRIVATE KEY-----", 1238 key, pwd, pwdlen, &len); 1239 } 1240 1241 if (ret == 0) { 1242 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 1243 if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || 1244 (ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), 1245 pem.buf, pem.buflen)) != 0) { 1246 mbedtls_pk_free(pk); 1247 } 1248 1249 mbedtls_pem_free(&pem); 1250 return ret; 1251 } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) { 1252 return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; 1253 } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) { 1254 return MBEDTLS_ERR_PK_PASSWORD_REQUIRED; 1255 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1256 return ret; 1257 } 1258 #endif /* MBEDTLS_RSA_C */ 1259 1260 #if defined(MBEDTLS_ECP_C) 1261 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1262 if (key[keylen - 1] != '\0') { 1263 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1264 } else { 1265 ret = mbedtls_pem_read_buffer(&pem, 1266 "-----BEGIN EC PRIVATE KEY-----", 1267 "-----END EC PRIVATE KEY-----", 1268 key, pwd, pwdlen, &len); 1269 } 1270 if (ret == 0) { 1271 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY); 1272 1273 if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || 1274 (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), 1275 pem.buf, pem.buflen, 1276 f_rng, p_rng)) != 0) { 1277 mbedtls_pk_free(pk); 1278 } 1279 1280 mbedtls_pem_free(&pem); 1281 return ret; 1282 } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) { 1283 return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; 1284 } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) { 1285 return MBEDTLS_ERR_PK_PASSWORD_REQUIRED; 1286 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1287 return ret; 1288 } 1289 #endif /* MBEDTLS_ECP_C */ 1290 1291 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1292 if (key[keylen - 1] != '\0') { 1293 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1294 } else { 1295 ret = mbedtls_pem_read_buffer(&pem, 1296 "-----BEGIN PRIVATE KEY-----", 1297 "-----END PRIVATE KEY-----", 1298 key, NULL, 0, &len); 1299 } 1300 if (ret == 0) { 1301 if ((ret = pk_parse_key_pkcs8_unencrypted_der(pk, 1302 pem.buf, pem.buflen, f_rng, p_rng)) != 0) { 1303 mbedtls_pk_free(pk); 1304 } 1305 1306 mbedtls_pem_free(&pem); 1307 return ret; 1308 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1309 return ret; 1310 } 1311 1312 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1313 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1314 if (key[keylen - 1] != '\0') { 1315 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1316 } else { 1317 ret = mbedtls_pem_read_buffer(&pem, 1318 "-----BEGIN ENCRYPTED PRIVATE KEY-----", 1319 "-----END ENCRYPTED PRIVATE KEY-----", 1320 key, NULL, 0, &len); 1321 } 1322 if (ret == 0) { 1323 if ((ret = pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen, 1324 pwd, pwdlen, f_rng, p_rng)) != 0) { 1325 mbedtls_pk_free(pk); 1326 } 1327 1328 mbedtls_pem_free(&pem); 1329 return ret; 1330 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1331 return ret; 1332 } 1333 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1334 #else 1335 ((void) pwd); 1336 ((void) pwdlen); 1337 #endif /* MBEDTLS_PEM_PARSE_C */ 1338 1339 /* 1340 * At this point we only know it's not a PEM formatted key. Could be any 1341 * of the known DER encoded private key formats 1342 * 1343 * We try the different DER format parsers to see if one passes without 1344 * error 1345 */ 1346 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1347 if (pwdlen != 0) { 1348 unsigned char *key_copy; 1349 1350 if ((key_copy = mbedtls_calloc(1, keylen)) == NULL) { 1351 return MBEDTLS_ERR_PK_ALLOC_FAILED; 1352 } 1353 1354 memcpy(key_copy, key, keylen); 1355 1356 ret = pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen, 1357 pwd, pwdlen, f_rng, p_rng); 1358 1359 mbedtls_platform_zeroize(key_copy, keylen); 1360 mbedtls_free(key_copy); 1361 } 1362 1363 if (ret == 0) { 1364 return 0; 1365 } 1366 1367 mbedtls_pk_free(pk); 1368 mbedtls_pk_init(pk); 1369 1370 if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) { 1371 return ret; 1372 } 1373 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1374 1375 ret = pk_parse_key_pkcs8_unencrypted_der(pk, key, keylen, f_rng, p_rng); 1376 if (ret == 0) { 1377 return 0; 1378 } 1379 1380 mbedtls_pk_free(pk); 1381 mbedtls_pk_init(pk); 1382 1383 #if defined(MBEDTLS_RSA_C) 1384 1385 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); 1386 if (mbedtls_pk_setup(pk, pk_info) == 0 && 1387 pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), key, keylen) == 0) { 1388 return 0; 1389 } 1390 1391 mbedtls_pk_free(pk); 1392 mbedtls_pk_init(pk); 1393 #endif /* MBEDTLS_RSA_C */ 1394 1395 #if defined(MBEDTLS_ECP_C) 1396 pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY); 1397 if (mbedtls_pk_setup(pk, pk_info) == 0 && 1398 pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), 1399 key, keylen, f_rng, p_rng) == 0) { 1400 return 0; 1401 } 1402 mbedtls_pk_free(pk); 1403 #endif /* MBEDTLS_ECP_C */ 1404 1405 /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't, 1406 * it is ok to leave the PK context initialized but not 1407 * freed: It is the caller's responsibility to call pk_init() 1408 * before calling this function, and to call pk_free() 1409 * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C 1410 * isn't, this leads to mbedtls_pk_free() being called 1411 * twice, once here and once by the caller, but this is 1412 * also ok and in line with the mbedtls_pk_free() calls 1413 * on failed PEM parsing attempts. */ 1414 1415 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 1416 } 1417 1418 /* 1419 * Parse a public key 1420 */ 1421 int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, 1422 const unsigned char *key, size_t keylen) 1423 { 1424 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1425 unsigned char *p; 1426 #if defined(MBEDTLS_RSA_C) 1427 const mbedtls_pk_info_t *pk_info; 1428 #endif 1429 #if defined(MBEDTLS_PEM_PARSE_C) 1430 size_t len; 1431 mbedtls_pem_context pem; 1432 #endif 1433 1434 if (keylen == 0) { 1435 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 1436 } 1437 1438 #if defined(MBEDTLS_PEM_PARSE_C) 1439 mbedtls_pem_init(&pem); 1440 #if defined(MBEDTLS_RSA_C) 1441 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1442 if (key[keylen - 1] != '\0') { 1443 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1444 } else { 1445 ret = mbedtls_pem_read_buffer(&pem, 1446 "-----BEGIN RSA PUBLIC KEY-----", 1447 "-----END RSA PUBLIC KEY-----", 1448 key, NULL, 0, &len); 1449 } 1450 1451 if (ret == 0) { 1452 p = pem.buf; 1453 if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) { 1454 mbedtls_pem_free(&pem); 1455 return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 1456 } 1457 1458 if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) { 1459 mbedtls_pem_free(&pem); 1460 return ret; 1461 } 1462 1463 if ((ret = pk_get_rsapubkey(&p, p + pem.buflen, mbedtls_pk_rsa(*ctx))) != 0) { 1464 mbedtls_pk_free(ctx); 1465 } 1466 1467 mbedtls_pem_free(&pem); 1468 return ret; 1469 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1470 mbedtls_pem_free(&pem); 1471 return ret; 1472 } 1473 #endif /* MBEDTLS_RSA_C */ 1474 1475 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1476 if (key[keylen - 1] != '\0') { 1477 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1478 } else { 1479 ret = mbedtls_pem_read_buffer(&pem, 1480 "-----BEGIN PUBLIC KEY-----", 1481 "-----END PUBLIC KEY-----", 1482 key, NULL, 0, &len); 1483 } 1484 1485 if (ret == 0) { 1486 /* 1487 * Was PEM encoded 1488 */ 1489 p = pem.buf; 1490 1491 ret = mbedtls_pk_parse_subpubkey(&p, p + pem.buflen, ctx); 1492 mbedtls_pem_free(&pem); 1493 return ret; 1494 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1495 mbedtls_pem_free(&pem); 1496 return ret; 1497 } 1498 mbedtls_pem_free(&pem); 1499 #endif /* MBEDTLS_PEM_PARSE_C */ 1500 1501 #if defined(MBEDTLS_RSA_C) 1502 if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) { 1503 return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 1504 } 1505 1506 if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) { 1507 return ret; 1508 } 1509 1510 p = (unsigned char *) key; 1511 ret = pk_get_rsapubkey(&p, p + keylen, mbedtls_pk_rsa(*ctx)); 1512 if (ret == 0) { 1513 return ret; 1514 } 1515 mbedtls_pk_free(ctx); 1516 if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, 1517 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))) { 1518 return ret; 1519 } 1520 #endif /* MBEDTLS_RSA_C */ 1521 p = (unsigned char *) key; 1522 1523 ret = mbedtls_pk_parse_subpubkey(&p, p + keylen, ctx); 1524 1525 return ret; 1526 } 1527 1528 #endif /* MBEDTLS_PK_PARSE_C */ 1529