1/* 2 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * Support for PVK format keys and related structures (such a PUBLICKEYBLOB 12 * and PRIVATEKEYBLOB). 13 */ 14 15/* 16 * RSA and DSA low level APIs are deprecated for public use, but still ok for 17 * internal use. 18 */ 19#include "internal/deprecated.h" 20 21#include <openssl/pem.h> 22#include <openssl/rand.h> 23#include <openssl/bn.h> 24#include <openssl/dsa.h> 25#include <openssl/rsa.h> 26#include "internal/cryptlib.h" 27#include "crypto/pem.h" 28#include "crypto/evp.h" 29 30/* 31 * Utility function: read a DWORD (4 byte unsigned integer) in little endian 32 * format 33 */ 34 35static unsigned int read_ledword(const unsigned char **in) 36{ 37 const unsigned char *p = *in; 38 unsigned int ret; 39 40 ret = (unsigned int)*p++; 41 ret |= (unsigned int)*p++ << 8; 42 ret |= (unsigned int)*p++ << 16; 43 ret |= (unsigned int)*p++ << 24; 44 *in = p; 45 return ret; 46} 47 48/* 49 * Read a BIGNUM in little endian format. The docs say that this should take 50 * up bitlen/8 bytes. 51 */ 52 53static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) 54{ 55 *r = BN_lebin2bn(*in, nbyte, NULL); 56 if (*r == NULL) 57 return 0; 58 *in += nbyte; 59 return 1; 60} 61 62/* 63 * Create an EVP_PKEY from a type specific key. 64 * This takes ownership of |key|, as long as the |evp_type| is acceptable 65 * (EVP_PKEY_RSA or EVP_PKEY_DSA), even if the resulting EVP_PKEY wasn't 66 * created. 67 */ 68#define isdss_to_evp_type(isdss) \ 69 (isdss == 0 ? EVP_PKEY_RSA : isdss == 1 ? EVP_PKEY_DSA : EVP_PKEY_NONE) 70static EVP_PKEY *evp_pkey_new0_key(void *key, int evp_type) 71{ 72 EVP_PKEY *pkey = NULL; 73 74 /* 75 * It's assumed that if |key| is NULL, something went wrong elsewhere 76 * and suitable errors are already reported. 77 */ 78 if (key == NULL) 79 return NULL; 80 81 if (!ossl_assert(evp_type == EVP_PKEY_RSA || evp_type == EVP_PKEY_DSA)) { 82 ERR_raise(ERR_LIB_PEM, ERR_R_INTERNAL_ERROR); 83 return NULL; 84 } 85 86 if ((pkey = EVP_PKEY_new()) != NULL) { 87 switch (evp_type) { 88 case EVP_PKEY_RSA: 89 if (EVP_PKEY_set1_RSA(pkey, key)) 90 break; 91 EVP_PKEY_free(pkey); 92 pkey = NULL; 93 break; 94#ifndef OPENSSL_NO_DSA 95 case EVP_PKEY_DSA: 96 if (EVP_PKEY_set1_DSA(pkey, key)) 97 break; 98 EVP_PKEY_free(pkey); 99 pkey = NULL; 100 break; 101#endif 102 } 103 } 104 105 switch (evp_type) { 106 case EVP_PKEY_RSA: 107 RSA_free(key); 108 break; 109#ifndef OPENSSL_NO_DSA 110 case EVP_PKEY_DSA: 111 DSA_free(key); 112 break; 113#endif 114 } 115 116 if (pkey == NULL) 117 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 118 return pkey; 119} 120 121/* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */ 122 123# define MS_PUBLICKEYBLOB 0x6 124# define MS_PRIVATEKEYBLOB 0x7 125# define MS_RSA1MAGIC 0x31415352L 126# define MS_RSA2MAGIC 0x32415352L 127# define MS_DSS1MAGIC 0x31535344L 128# define MS_DSS2MAGIC 0x32535344L 129 130# define MS_KEYALG_RSA_KEYX 0xa400 131# define MS_KEYALG_DSS_SIGN 0x2200 132 133# define MS_KEYTYPE_KEYX 0x1 134# define MS_KEYTYPE_SIGN 0x2 135 136/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ 137# define MS_PVKMAGIC 0xb0b5f11eL 138/* Salt length for PVK files */ 139# define PVK_SALTLEN 0x10 140/* Maximum length in PVK header */ 141# define PVK_MAX_KEYLEN 102400 142/* Maximum salt length */ 143# define PVK_MAX_SALTLEN 10240 144 145/* 146 * Read the MSBLOB header and get relevant data from it. 147 * 148 * |pisdss| and |pispub| have a double role, as they can be used for 149 * discovery as well as to check the the blob meets expectations. 150 * |*pisdss| is the indicator for whether the key is a DSA key or not. 151 * |*pispub| is the indicator for whether the key is public or not. 152 * In both cases, the following input values apply: 153 * 154 * 0 Expected to not be what the variable indicates. 155 * 1 Expected to be what the variable indicates. 156 * -1 No expectations, this function will assign 0 or 1 depending on 157 * header data. 158 */ 159int ossl_do_blob_header(const unsigned char **in, unsigned int length, 160 unsigned int *pmagic, unsigned int *pbitlen, 161 int *pisdss, int *pispub) 162{ 163 const unsigned char *p = *in; 164 165 if (length < 16) 166 return 0; 167 /* bType */ 168 switch (*p) { 169 case MS_PUBLICKEYBLOB: 170 if (*pispub == 0) { 171 ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 172 return 0; 173 } 174 *pispub = 1; 175 break; 176 177 case MS_PRIVATEKEYBLOB: 178 if (*pispub == 1) { 179 ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 180 return 0; 181 } 182 *pispub = 0; 183 break; 184 185 default: 186 return 0; 187 } 188 p++; 189 /* Version */ 190 if (*p++ != 0x2) { 191 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_VERSION_NUMBER); 192 return 0; 193 } 194 /* Ignore reserved, aiKeyAlg */ 195 p += 6; 196 *pmagic = read_ledword(&p); 197 *pbitlen = read_ledword(&p); 198 199 /* Consistency check for private vs public */ 200 switch (*pmagic) { 201 case MS_DSS1MAGIC: 202 case MS_RSA1MAGIC: 203 if (*pispub == 0) { 204 ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB); 205 return 0; 206 } 207 break; 208 209 case MS_DSS2MAGIC: 210 case MS_RSA2MAGIC: 211 if (*pispub == 1) { 212 ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB); 213 return 0; 214 } 215 break; 216 217 default: 218 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER); 219 return -1; 220 } 221 222 /* Check that we got the expected type */ 223 switch (*pmagic) { 224 case MS_DSS1MAGIC: 225 case MS_DSS2MAGIC: 226 if (*pisdss == 0) { 227 ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_DSS_KEY_BLOB); 228 return 0; 229 } 230 *pisdss = 1; 231 break; 232 case MS_RSA1MAGIC: 233 case MS_RSA2MAGIC: 234 if (*pisdss == 1) { 235 ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_RSA_KEY_BLOB); 236 return 0; 237 } 238 *pisdss = 0; 239 break; 240 241 default: 242 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER); 243 return -1; 244 } 245 *in = p; 246 return 1; 247} 248 249unsigned int ossl_blob_length(unsigned bitlen, int isdss, int ispub) 250{ 251 unsigned int nbyte = (bitlen + 7) >> 3; 252 unsigned int hnbyte = (bitlen + 15) >> 4; 253 254 if (isdss) { 255 256 /* 257 * Expected length: 20 for q + 3 components bitlen each + 24 for seed 258 * structure. 259 */ 260 if (ispub) 261 return 44 + 3 * nbyte; 262 /* 263 * Expected length: 20 for q, priv, 2 bitlen components + 24 for seed 264 * structure. 265 */ 266 else 267 return 64 + 2 * nbyte; 268 } else { 269 /* Expected length: 4 for 'e' + 'n' */ 270 if (ispub) 271 return 4 + nbyte; 272 else 273 /* 274 * Expected length: 4 for 'e' and 7 other components. 2 275 * components are bitlen size, 5 are bitlen/2 276 */ 277 return 4 + 2 * nbyte + 5 * hnbyte; 278 } 279 280} 281 282static void *do_b2i_key(const unsigned char **in, unsigned int length, 283 int *isdss, int *ispub) 284{ 285 const unsigned char *p = *in; 286 unsigned int bitlen, magic; 287 void *key = NULL; 288 289 if (ossl_do_blob_header(&p, length, &magic, &bitlen, isdss, ispub) <= 0) { 290 ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_HEADER_PARSE_ERROR); 291 return NULL; 292 } 293 length -= 16; 294 if (length < ossl_blob_length(bitlen, *isdss, *ispub)) { 295 ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); 296 return NULL; 297 } 298 if (!*isdss) 299 key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub); 300#ifndef OPENSSL_NO_DSA 301 else 302 key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub); 303#endif 304 305 if (key == NULL) { 306 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE); 307 return NULL; 308 } 309 310 return key; 311} 312 313EVP_PKEY *ossl_b2i(const unsigned char **in, unsigned int length, int *ispub) 314{ 315 int isdss = -1; 316 void *key = do_b2i_key(in, length, &isdss, ispub); 317 318 return evp_pkey_new0_key(key, isdss_to_evp_type(isdss)); 319} 320 321EVP_PKEY *ossl_b2i_bio(BIO *in, int *ispub) 322{ 323 const unsigned char *p; 324 unsigned char hdr_buf[16], *buf = NULL; 325 unsigned int bitlen, magic, length; 326 int isdss = -1; 327 void *key = NULL; 328 EVP_PKEY *pkey = NULL; 329 330 if (BIO_read(in, hdr_buf, 16) != 16) { 331 ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); 332 return NULL; 333 } 334 p = hdr_buf; 335 if (ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, ispub) <= 0) 336 return NULL; 337 338 length = ossl_blob_length(bitlen, isdss, *ispub); 339 if (length > BLOB_MAX_LENGTH) { 340 ERR_raise(ERR_LIB_PEM, PEM_R_HEADER_TOO_LONG); 341 return NULL; 342 } 343 buf = OPENSSL_malloc(length); 344 if (buf == NULL) { 345 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 346 goto err; 347 } 348 p = buf; 349 if (BIO_read(in, buf, length) != (int)length) { 350 ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); 351 goto err; 352 } 353 354 if (!isdss) 355 key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub); 356#ifndef OPENSSL_NO_DSA 357 else 358 key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub); 359#endif 360 361 if (key == NULL) { 362 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE); 363 goto err; 364 } 365 366 pkey = evp_pkey_new0_key(key, isdss_to_evp_type(isdss)); 367 err: 368 OPENSSL_free(buf); 369 return pkey; 370} 371 372#ifndef OPENSSL_NO_DSA 373DSA *ossl_b2i_DSA_after_header(const unsigned char **in, unsigned int bitlen, 374 int ispub) 375{ 376 const unsigned char *p = *in; 377 DSA *dsa = NULL; 378 BN_CTX *ctx = NULL; 379 BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL; 380 BIGNUM *pub_key = NULL; 381 unsigned int nbyte = (bitlen + 7) >> 3; 382 383 dsa = DSA_new(); 384 if (dsa == NULL) 385 goto memerr; 386 if (!read_lebn(&p, nbyte, &pbn)) 387 goto memerr; 388 389 if (!read_lebn(&p, 20, &qbn)) 390 goto memerr; 391 392 if (!read_lebn(&p, nbyte, &gbn)) 393 goto memerr; 394 395 if (ispub) { 396 if (!read_lebn(&p, nbyte, &pub_key)) 397 goto memerr; 398 } else { 399 if (!read_lebn(&p, 20, &priv_key)) 400 goto memerr; 401 402 /* Set constant time flag before public key calculation */ 403 BN_set_flags(priv_key, BN_FLG_CONSTTIME); 404 405 /* Calculate public key */ 406 pub_key = BN_new(); 407 if (pub_key == NULL) 408 goto memerr; 409 if ((ctx = BN_CTX_new()) == NULL) 410 goto memerr; 411 412 if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx)) 413 goto memerr; 414 415 BN_CTX_free(ctx); 416 ctx = NULL; 417 } 418 if (!DSA_set0_pqg(dsa, pbn, qbn, gbn)) 419 goto memerr; 420 pbn = qbn = gbn = NULL; 421 if (!DSA_set0_key(dsa, pub_key, priv_key)) 422 goto memerr; 423 pub_key = priv_key = NULL; 424 425 *in = p; 426 return dsa; 427 428 memerr: 429 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 430 DSA_free(dsa); 431 BN_free(pbn); 432 BN_free(qbn); 433 BN_free(gbn); 434 BN_free(pub_key); 435 BN_free(priv_key); 436 BN_CTX_free(ctx); 437 return NULL; 438} 439#endif 440 441RSA *ossl_b2i_RSA_after_header(const unsigned char **in, unsigned int bitlen, 442 int ispub) 443{ 444 const unsigned char *pin = *in; 445 BIGNUM *e = NULL, *n = NULL, *d = NULL; 446 BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; 447 RSA *rsa = NULL; 448 unsigned int nbyte = (bitlen + 7) >> 3; 449 unsigned int hnbyte = (bitlen + 15) >> 4; 450 451 rsa = RSA_new(); 452 if (rsa == NULL) 453 goto memerr; 454 e = BN_new(); 455 if (e == NULL) 456 goto memerr; 457 if (!BN_set_word(e, read_ledword(&pin))) 458 goto memerr; 459 if (!read_lebn(&pin, nbyte, &n)) 460 goto memerr; 461 if (!ispub) { 462 if (!read_lebn(&pin, hnbyte, &p)) 463 goto memerr; 464 if (!read_lebn(&pin, hnbyte, &q)) 465 goto memerr; 466 if (!read_lebn(&pin, hnbyte, &dmp1)) 467 goto memerr; 468 if (!read_lebn(&pin, hnbyte, &dmq1)) 469 goto memerr; 470 if (!read_lebn(&pin, hnbyte, &iqmp)) 471 goto memerr; 472 if (!read_lebn(&pin, nbyte, &d)) 473 goto memerr; 474 if (!RSA_set0_factors(rsa, p, q)) 475 goto memerr; 476 p = q = NULL; 477 if (!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp)) 478 goto memerr; 479 dmp1 = dmq1 = iqmp = NULL; 480 } 481 if (!RSA_set0_key(rsa, n, e, d)) 482 goto memerr; 483 n = e = d = NULL; 484 485 *in = pin; 486 return rsa; 487 memerr: 488 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 489 BN_free(e); 490 BN_free(n); 491 BN_free(p); 492 BN_free(q); 493 BN_free(dmp1); 494 BN_free(dmq1); 495 BN_free(iqmp); 496 BN_free(d); 497 RSA_free(rsa); 498 return NULL; 499} 500 501EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length) 502{ 503 int ispub = 0; 504 505 return ossl_b2i(in, length, &ispub); 506} 507 508EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length) 509{ 510 int ispub = 1; 511 512 return ossl_b2i(in, length, &ispub); 513} 514 515EVP_PKEY *b2i_PrivateKey_bio(BIO *in) 516{ 517 int ispub = 0; 518 519 return ossl_b2i_bio(in, &ispub); 520} 521 522EVP_PKEY *b2i_PublicKey_bio(BIO *in) 523{ 524 int ispub = 1; 525 526 return ossl_b2i_bio(in, &ispub); 527} 528 529static void write_ledword(unsigned char **out, unsigned int dw) 530{ 531 unsigned char *p = *out; 532 533 *p++ = dw & 0xff; 534 *p++ = (dw >> 8) & 0xff; 535 *p++ = (dw >> 16) & 0xff; 536 *p++ = (dw >> 24) & 0xff; 537 *out = p; 538} 539 540static void write_lebn(unsigned char **out, const BIGNUM *bn, int len) 541{ 542 BN_bn2lebinpad(bn, *out, len); 543 *out += len; 544} 545 546static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *magic); 547static void write_rsa(unsigned char **out, const RSA *rsa, int ispub); 548 549#ifndef OPENSSL_NO_DSA 550static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *magic); 551static void write_dsa(unsigned char **out, const DSA *dsa, int ispub); 552#endif 553 554static int do_i2b(unsigned char **out, const EVP_PKEY *pk, int ispub) 555{ 556 unsigned char *p; 557 unsigned int bitlen = 0, magic = 0, keyalg = 0; 558 int outlen = -1, noinc = 0; 559 560 if (EVP_PKEY_is_a(pk, "RSA")) { 561 bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic); 562 keyalg = MS_KEYALG_RSA_KEYX; 563#ifndef OPENSSL_NO_DSA 564 } else if (EVP_PKEY_is_a(pk, "DSA")) { 565 bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic); 566 keyalg = MS_KEYALG_DSS_SIGN; 567#endif 568 } 569 if (bitlen == 0) { 570 goto end; 571 } 572 outlen = 16 573 + ossl_blob_length(bitlen, keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub); 574 if (out == NULL) 575 goto end; 576 if (*out) 577 p = *out; 578 else { 579 if ((p = OPENSSL_malloc(outlen)) == NULL) { 580 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 581 outlen = -1; 582 goto end; 583 } 584 *out = p; 585 noinc = 1; 586 } 587 if (ispub) 588 *p++ = MS_PUBLICKEYBLOB; 589 else 590 *p++ = MS_PRIVATEKEYBLOB; 591 *p++ = 0x2; 592 *p++ = 0; 593 *p++ = 0; 594 write_ledword(&p, keyalg); 595 write_ledword(&p, magic); 596 write_ledword(&p, bitlen); 597 if (keyalg == MS_KEYALG_RSA_KEYX) 598 write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub); 599#ifndef OPENSSL_NO_DSA 600 else 601 write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub); 602#endif 603 if (!noinc) 604 *out += outlen; 605 end: 606 return outlen; 607} 608 609static int do_i2b_bio(BIO *out, const EVP_PKEY *pk, int ispub) 610{ 611 unsigned char *tmp = NULL; 612 int outlen, wrlen; 613 614 outlen = do_i2b(&tmp, pk, ispub); 615 if (outlen < 0) 616 return -1; 617 wrlen = BIO_write(out, tmp, outlen); 618 OPENSSL_free(tmp); 619 if (wrlen == outlen) 620 return outlen; 621 return -1; 622} 623 624static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *pmagic) 625{ 626 int nbyte, hnbyte, bitlen; 627 const BIGNUM *e; 628 629 RSA_get0_key(rsa, NULL, &e, NULL); 630 if (BN_num_bits(e) > 32) 631 goto badkey; 632 bitlen = RSA_bits(rsa); 633 nbyte = RSA_size(rsa); 634 hnbyte = (bitlen + 15) >> 4; 635 if (ispub) { 636 *pmagic = MS_RSA1MAGIC; 637 return bitlen; 638 } else { 639 const BIGNUM *d, *p, *q, *iqmp, *dmp1, *dmq1; 640 641 *pmagic = MS_RSA2MAGIC; 642 643 /* 644 * For private key each component must fit within nbyte or hnbyte. 645 */ 646 RSA_get0_key(rsa, NULL, NULL, &d); 647 if (BN_num_bytes(d) > nbyte) 648 goto badkey; 649 RSA_get0_factors(rsa, &p, &q); 650 RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); 651 if ((BN_num_bytes(iqmp) > hnbyte) 652 || (BN_num_bytes(p) > hnbyte) 653 || (BN_num_bytes(q) > hnbyte) 654 || (BN_num_bytes(dmp1) > hnbyte) 655 || (BN_num_bytes(dmq1) > hnbyte)) 656 goto badkey; 657 } 658 return bitlen; 659 badkey: 660 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 661 return 0; 662} 663 664static void write_rsa(unsigned char **out, const RSA *rsa, int ispub) 665{ 666 int nbyte, hnbyte; 667 const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1; 668 669 nbyte = RSA_size(rsa); 670 hnbyte = (RSA_bits(rsa) + 15) >> 4; 671 RSA_get0_key(rsa, &n, &e, &d); 672 write_lebn(out, e, 4); 673 write_lebn(out, n, nbyte); 674 if (ispub) 675 return; 676 RSA_get0_factors(rsa, &p, &q); 677 RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); 678 write_lebn(out, p, hnbyte); 679 write_lebn(out, q, hnbyte); 680 write_lebn(out, dmp1, hnbyte); 681 write_lebn(out, dmq1, hnbyte); 682 write_lebn(out, iqmp, hnbyte); 683 write_lebn(out, d, nbyte); 684} 685 686#ifndef OPENSSL_NO_DSA 687static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *pmagic) 688{ 689 int bitlen; 690 const BIGNUM *p = NULL, *q = NULL, *g = NULL; 691 const BIGNUM *pub_key = NULL, *priv_key = NULL; 692 693 DSA_get0_pqg(dsa, &p, &q, &g); 694 DSA_get0_key(dsa, &pub_key, &priv_key); 695 bitlen = BN_num_bits(p); 696 if ((bitlen & 7) || (BN_num_bits(q) != 160) 697 || (BN_num_bits(g) > bitlen)) 698 goto badkey; 699 if (ispub) { 700 if (BN_num_bits(pub_key) > bitlen) 701 goto badkey; 702 *pmagic = MS_DSS1MAGIC; 703 } else { 704 if (BN_num_bits(priv_key) > 160) 705 goto badkey; 706 *pmagic = MS_DSS2MAGIC; 707 } 708 709 return bitlen; 710 badkey: 711 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS); 712 return 0; 713} 714 715static void write_dsa(unsigned char **out, const DSA *dsa, int ispub) 716{ 717 int nbyte; 718 const BIGNUM *p = NULL, *q = NULL, *g = NULL; 719 const BIGNUM *pub_key = NULL, *priv_key = NULL; 720 721 DSA_get0_pqg(dsa, &p, &q, &g); 722 DSA_get0_key(dsa, &pub_key, &priv_key); 723 nbyte = BN_num_bytes(p); 724 write_lebn(out, p, nbyte); 725 write_lebn(out, q, 20); 726 write_lebn(out, g, nbyte); 727 if (ispub) 728 write_lebn(out, pub_key, nbyte); 729 else 730 write_lebn(out, priv_key, 20); 731 /* Set "invalid" for seed structure values */ 732 memset(*out, 0xff, 24); 733 *out += 24; 734 return; 735} 736#endif 737 738int i2b_PrivateKey_bio(BIO *out, const EVP_PKEY *pk) 739{ 740 return do_i2b_bio(out, pk, 0); 741} 742 743int i2b_PublicKey_bio(BIO *out, const EVP_PKEY *pk) 744{ 745 return do_i2b_bio(out, pk, 1); 746} 747 748int ossl_do_PVK_header(const unsigned char **in, unsigned int length, 749 int skip_magic, 750 unsigned int *psaltlen, unsigned int *pkeylen) 751{ 752 const unsigned char *p = *in; 753 unsigned int pvk_magic, is_encrypted; 754 755 if (skip_magic) { 756 if (length < 20) { 757 ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT); 758 return 0; 759 } 760 } else { 761 if (length < 24) { 762 ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT); 763 return 0; 764 } 765 pvk_magic = read_ledword(&p); 766 if (pvk_magic != MS_PVKMAGIC) { 767 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER); 768 return 0; 769 } 770 } 771 /* Skip reserved */ 772 p += 4; 773 /* 774 * keytype = 775 */ read_ledword(&p); 776 is_encrypted = read_ledword(&p); 777 *psaltlen = read_ledword(&p); 778 *pkeylen = read_ledword(&p); 779 780 if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN) 781 return 0; 782 783 if (is_encrypted && *psaltlen == 0) { 784 ERR_raise(ERR_LIB_PEM, PEM_R_INCONSISTENT_HEADER); 785 return 0; 786 } 787 788 *in = p; 789 return 1; 790} 791 792#ifndef OPENSSL_NO_RC4 793static int derive_pvk_key(unsigned char *key, 794 const unsigned char *salt, unsigned int saltlen, 795 const unsigned char *pass, int passlen, 796 OSSL_LIB_CTX *libctx, const char *propq) 797{ 798 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 799 int rv = 0; 800 EVP_MD *sha1 = NULL; 801 802 if ((sha1 = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL) 803 goto err; 804 805 if (mctx == NULL 806 || !EVP_DigestInit_ex(mctx, sha1, NULL) 807 || !EVP_DigestUpdate(mctx, salt, saltlen) 808 || !EVP_DigestUpdate(mctx, pass, passlen) 809 || !EVP_DigestFinal_ex(mctx, key, NULL)) 810 goto err; 811 812 rv = 1; 813err: 814 EVP_MD_CTX_free(mctx); 815 EVP_MD_free(sha1); 816 return rv; 817} 818#endif 819 820static void *do_PVK_body_key(const unsigned char **in, 821 unsigned int saltlen, unsigned int keylen, 822 pem_password_cb *cb, void *u, 823 int *isdss, int *ispub, 824 OSSL_LIB_CTX *libctx, const char *propq) 825{ 826 const unsigned char *p = *in; 827 unsigned char *enctmp = NULL; 828 unsigned char keybuf[20]; 829 void *key = NULL; 830#ifndef OPENSSL_NO_RC4 831 EVP_CIPHER *rc4 = NULL; 832#endif 833 EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); 834 835 if (cctx == NULL) { 836 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 837 goto err; 838 } 839 840 if (saltlen) { 841#ifndef OPENSSL_NO_RC4 842 unsigned int magic; 843 char psbuf[PEM_BUFSIZE]; 844 int enctmplen, inlen; 845 unsigned char *q; 846 847 if (cb) 848 inlen = cb(psbuf, PEM_BUFSIZE, 0, u); 849 else 850 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); 851 if (inlen < 0) { 852 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ); 853 goto err; 854 } 855 enctmp = OPENSSL_malloc(keylen + 8); 856 if (enctmp == NULL) { 857 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 858 goto err; 859 } 860 if (!derive_pvk_key(keybuf, p, saltlen, 861 (unsigned char *)psbuf, inlen, libctx, propq)) 862 goto err; 863 p += saltlen; 864 /* Copy BLOBHEADER across, decrypt rest */ 865 memcpy(enctmp, p, 8); 866 p += 8; 867 if (keylen < 8) { 868 ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT); 869 goto err; 870 } 871 inlen = keylen - 8; 872 q = enctmp + 8; 873 if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL) 874 goto err; 875 if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL)) 876 goto err; 877 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) 878 goto err; 879 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) 880 goto err; 881 magic = read_ledword((const unsigned char **)&q); 882 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 883 q = enctmp + 8; 884 memset(keybuf + 5, 0, 11); 885 if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL)) 886 goto err; 887 if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) 888 goto err; 889 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) 890 goto err; 891 magic = read_ledword((const unsigned char **)&q); 892 if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { 893 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_DECRYPT); 894 goto err; 895 } 896 } 897 p = enctmp; 898#else 899 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER); 900 goto err; 901#endif 902 } 903 904 key = do_b2i_key(&p, keylen, isdss, ispub); 905 err: 906 EVP_CIPHER_CTX_free(cctx); 907#ifndef OPENSSL_NO_RC4 908 EVP_CIPHER_free(rc4); 909#endif 910 if (enctmp != NULL) { 911 OPENSSL_cleanse(keybuf, sizeof(keybuf)); 912 OPENSSL_free(enctmp); 913 } 914 return key; 915} 916 917static void *do_PVK_key_bio(BIO *in, pem_password_cb *cb, void *u, 918 int *isdss, int *ispub, 919 OSSL_LIB_CTX *libctx, const char *propq) 920{ 921 unsigned char pvk_hdr[24], *buf = NULL; 922 const unsigned char *p; 923 int buflen; 924 void *key = NULL; 925 unsigned int saltlen, keylen; 926 927 if (BIO_read(in, pvk_hdr, 24) != 24) { 928 ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT); 929 return NULL; 930 } 931 p = pvk_hdr; 932 933 if (!ossl_do_PVK_header(&p, 24, 0, &saltlen, &keylen)) 934 return 0; 935 buflen = (int)keylen + saltlen; 936 buf = OPENSSL_malloc(buflen); 937 if (buf == NULL) { 938 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 939 return 0; 940 } 941 p = buf; 942 if (BIO_read(in, buf, buflen) != buflen) { 943 ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT); 944 goto err; 945 } 946 key = do_PVK_body_key(&p, saltlen, keylen, cb, u, isdss, ispub, libctx, propq); 947 948 err: 949 OPENSSL_clear_free(buf, buflen); 950 return key; 951} 952 953#ifndef OPENSSL_NO_DSA 954DSA *b2i_DSA_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u, 955 OSSL_LIB_CTX *libctx, const char *propq) 956{ 957 int isdss = 1; 958 int ispub = 0; /* PVK keys are always private */ 959 960 return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq); 961} 962 963DSA *b2i_DSA_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 964{ 965 return b2i_DSA_PVK_bio_ex(in, cb, u, NULL, NULL); 966} 967#endif 968 969RSA *b2i_RSA_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u, 970 OSSL_LIB_CTX *libctx, const char *propq) 971{ 972 int isdss = 0; 973 int ispub = 0; /* PVK keys are always private */ 974 975 return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq); 976} 977 978RSA *b2i_RSA_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 979{ 980 return b2i_RSA_PVK_bio_ex(in, cb, u, NULL, NULL); 981} 982 983EVP_PKEY *b2i_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u, 984 OSSL_LIB_CTX *libctx, const char *propq) 985{ 986 int isdss = -1; 987 int ispub = -1; 988 void *key = do_PVK_key_bio(in, cb, u, &isdss, &ispub, NULL, NULL); 989 990 return evp_pkey_new0_key(key, isdss_to_evp_type(isdss)); 991} 992 993EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) 994{ 995 return b2i_PVK_bio_ex(in, cb, u, NULL, NULL); 996} 997 998static int i2b_PVK(unsigned char **out, const EVP_PKEY *pk, int enclevel, 999 pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx, 1000 const char *propq) 1001{ 1002 int ret = -1; 1003 int outlen = 24, pklen; 1004 unsigned char *p = NULL, *start = NULL; 1005 EVP_CIPHER_CTX *cctx = NULL; 1006#ifndef OPENSSL_NO_RC4 1007 unsigned char *salt = NULL; 1008 EVP_CIPHER *rc4 = NULL; 1009#endif 1010 1011 if (enclevel) 1012 outlen += PVK_SALTLEN; 1013 pklen = do_i2b(NULL, pk, 0); 1014 if (pklen < 0) 1015 return -1; 1016 outlen += pklen; 1017 if (out == NULL) 1018 return outlen; 1019 if (*out != NULL) { 1020 p = *out; 1021 } else { 1022 start = p = OPENSSL_malloc(outlen); 1023 if (p == NULL) { 1024 ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); 1025 return -1; 1026 } 1027 } 1028 1029 cctx = EVP_CIPHER_CTX_new(); 1030 if (cctx == NULL) 1031 goto error; 1032 1033 write_ledword(&p, MS_PVKMAGIC); 1034 write_ledword(&p, 0); 1035 if (EVP_PKEY_get_id(pk) == EVP_PKEY_RSA) 1036 write_ledword(&p, MS_KEYTYPE_KEYX); 1037#ifndef OPENSSL_NO_DSA 1038 else 1039 write_ledword(&p, MS_KEYTYPE_SIGN); 1040#endif 1041 write_ledword(&p, enclevel ? 1 : 0); 1042 write_ledword(&p, enclevel ? PVK_SALTLEN : 0); 1043 write_ledword(&p, pklen); 1044 if (enclevel) { 1045#ifndef OPENSSL_NO_RC4 1046 if (RAND_bytes_ex(libctx, p, PVK_SALTLEN, 0) <= 0) 1047 goto error; 1048 salt = p; 1049 p += PVK_SALTLEN; 1050#endif 1051 } 1052 do_i2b(&p, pk, 0); 1053 if (enclevel != 0) { 1054#ifndef OPENSSL_NO_RC4 1055 char psbuf[PEM_BUFSIZE]; 1056 unsigned char keybuf[20]; 1057 int enctmplen, inlen; 1058 if (cb) 1059 inlen = cb(psbuf, PEM_BUFSIZE, 1, u); 1060 else 1061 inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); 1062 if (inlen <= 0) { 1063 ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ); 1064 goto error; 1065 } 1066 if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, 1067 (unsigned char *)psbuf, inlen, libctx, propq)) 1068 goto error; 1069 if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL) 1070 goto error; 1071 if (enclevel == 1) 1072 memset(keybuf + 5, 0, 11); 1073 p = salt + PVK_SALTLEN + 8; 1074 if (!EVP_EncryptInit_ex(cctx, rc4, NULL, keybuf, NULL)) 1075 goto error; 1076 OPENSSL_cleanse(keybuf, 20); 1077 if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8)) 1078 goto error; 1079 if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen)) 1080 goto error; 1081#else 1082 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER); 1083 goto error; 1084#endif 1085 } 1086 1087 if (*out == NULL) 1088 *out = start; 1089 ret = outlen; 1090 error: 1091 EVP_CIPHER_CTX_free(cctx); 1092#ifndef OPENSSL_NO_RC4 1093 EVP_CIPHER_free(rc4); 1094#endif 1095 if (*out == NULL) 1096 OPENSSL_free(start); 1097 1098 return ret; 1099} 1100 1101int i2b_PVK_bio_ex(BIO *out, const EVP_PKEY *pk, int enclevel, 1102 pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx, 1103 const char *propq) 1104{ 1105 unsigned char *tmp = NULL; 1106 int outlen, wrlen; 1107 1108 outlen = i2b_PVK(&tmp, pk, enclevel, cb, u, libctx, propq); 1109 if (outlen < 0) 1110 return -1; 1111 wrlen = BIO_write(out, tmp, outlen); 1112 OPENSSL_free(tmp); 1113 if (wrlen == outlen) { 1114 return outlen; 1115 } 1116 ERR_raise(ERR_LIB_PEM, PEM_R_BIO_WRITE_FAILURE); 1117 return -1; 1118} 1119 1120int i2b_PVK_bio(BIO *out, const EVP_PKEY *pk, int enclevel, 1121 pem_password_cb *cb, void *u) 1122{ 1123 return i2b_PVK_bio_ex(out, pk, enclevel, cb, u, NULL, NULL); 1124} 1125 1126