The branch master has been updated via d4458e59f62b0d102069e53da41f1d5305a66912 (commit) via 0195cdd28fde7d0897e368fdcd4e92509425faad (commit) via 602bfb8b98125f6745cd40dbc5fce9614ae5e418 (commit) via 821b3956ec698927281a5b29c55cd87eb7b2793d (commit) via 98408852c167d895a662dcda824fd5170cad3f7d (commit) via 73dd5d67c506cfeb9bf6183f0c19832c7d3f174d (commit) from d7b5f06ede163851d39f5a8b507bd0670deeaa21 (commit)
- Log ----------------------------------------------------------------- commit d4458e59f62b0d102069e53da41f1d5305a66912 Author: Richard Levitte <levi...@openssl.org> Date: Fri Sep 3 15:00:47 2021 +0200 test/recipes/25-test_verify.t: Add a couple of tests of mixed PEM files Fixes #16224 Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466) commit 0195cdd28fde7d0897e368fdcd4e92509425faad Author: Richard Levitte <levi...@openssl.org> Date: Wed Sep 1 22:18:45 2021 +0200 ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo output Since EncryptedPrivateKeyInfo is a recognised structure, it's reasonable to think that someone might want to specify it. To be noted is that if someone specifies the structure PrivateKeyInfo but has also passed a passphrase callback, the result will still become a EncryptedPrivateKeyInfo structure. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466) commit 602bfb8b98125f6745cd40dbc5fce9614ae5e418 Author: Richard Levitte <levi...@openssl.org> Date: Wed Sep 1 17:34:38 2021 +0200 Adjust test/endecoder_test.c The protected tests need to specify the structure EncryptedPrivateKeyInfo rather than PrivateKeyInfo, since that's the outermost structure. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466) commit 821b3956ec698927281a5b29c55cd87eb7b2793d Author: Richard Levitte <levi...@openssl.org> Date: Mon Aug 30 13:22:18 2021 +0200 OSSL_STORE 'file:' scheme: Set input structure for certificates and CRLs When the user expects to load a certificate or a CRL through the OSSL_STORE loading function, the 'file:' implementation sets the corresponding structure names in the internal decoder context. This is especially geared for PEM files, which often contain a mix of objects, and password prompting should be avoided for objects that need them, but aren't what the caller is looking for. Fixes #16224 Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466) commit 98408852c167d895a662dcda824fd5170cad3f7d Author: Richard Levitte <levi...@openssl.org> Date: Mon Aug 30 13:19:30 2021 +0200 PEM to DER decoder: Specify object type and data structure more consistently The data structure wasn't given for recognised certificates or CRLs. It's better, though, to specify it for those objects as well, so they can be used to filter what actually gets decoded, which will be helpful for our OSSL_STORE 'file:' scheme implementation. Fixes #16224 Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466) commit 73dd5d67c506cfeb9bf6183f0c19832c7d3f174d Author: Richard Levitte <levi...@openssl.org> Date: Mon Aug 30 13:16:42 2021 +0200 DECODER: check the first decoded structure name against user given structure In a chain of decoders, the first that specifies an input structure gets it compared with the structure specified by the user, if there is one. If they aren't the same, that decoder is skipped. Because the first structure can appear anywhere along a chain of decoders, not just the decoders associated with the resulting OpenSSL type, the code that checked the structure name when building up the chain of decoders is removed. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466) ----------------------------------------------------------------------- Summary of changes: crypto/encode_decode/decoder_lib.c | 23 ++++++++++++++ crypto/encode_decode/decoder_pkey.c | 35 --------------------- providers/encoders.inc | 29 +++++++++++++++-- .../implementations/encode_decode/decode_pem2der.c | 9 +++--- .../implementations/encode_decode/encode_key2any.c | 36 +++++++++++++++++++++- .../implementations/include/prov/implementations.h | 22 +++++++++++++ providers/implementations/storemgmt/file_store.c | 25 +++++++++++++++ test/endecode_test.c | 4 +-- test/recipes/25-test_verify.t | 33 +++++++++++++++++++- 9 files changed, 170 insertions(+), 46 deletions(-) diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 938f97c282..10a38b6f82 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -38,6 +38,7 @@ struct decoder_process_data_st { */ unsigned int flag_next_level_called : 1; unsigned int flag_construct_called : 1; + unsigned int flag_input_structure_checked : 1; }; static int decoder_process(const OSSL_PARAM params[], void *arg); @@ -904,6 +905,26 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) continue; } + /* + * If the decoder we're currently considering specifies a structure, + * and this check hasn't already been done earlier in this chain of + * decoder_process() calls, check that it matches the user provided + * input structure, if one is given. + */ + if (!data->flag_input_structure_checked + && ctx->input_structure != NULL + && new_input_structure != NULL) { + data->flag_input_structure_checked = 1; + if (strcasecmp(new_input_structure, ctx->input_structure) != 0) { + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) %s [%u] the previous decoder's data structure doesn't match the input structure given by the user, skipping...\n", + (void *)new_data.ctx, LEVEL, (unsigned int)i); + } OSSL_TRACE_END(DECODER); + continue; + } + } + /* * Checking the return value of BIO_reset() or BIO_seek() is unsafe. * Furthermore, BIO_reset() is unsafe to use if the source BIO happens @@ -933,6 +954,8 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) ERR_set_mark(); new_data.current_decoder_inst_index = i; + new_data.flag_input_structure_checked + = data->flag_input_structure_checked; ok = new_decoder->decode(new_decoderctx, cbio, new_data.ctx->selection, decoder_process, &new_data, diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index edbea4face..475117a463 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -215,32 +215,6 @@ static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) } } -/* - * The input structure check is only done on the initial decoder - * implementations. - */ -static int decoder_check_input_structure(OSSL_DECODER_CTX *ctx, - OSSL_DECODER_INSTANCE *di) -{ - int di_is_was_set = 0; - const char *di_is = - OSSL_DECODER_INSTANCE_get_input_structure(di, &di_is_was_set); - - /* - * If caller didn't give an input structure name, the decoder is accepted - * unconditionally with regards to the input structure. - */ - if (ctx->input_structure == NULL) - return 1; - /* - * If the caller did give an input structure name, the decoder must have - * a matching input structure to be accepted. - */ - if (di_is != NULL && strcasecmp(ctx->input_structure, di_is) == 0) - return 1; - return 0; -} - struct collect_decoder_data_st { STACK_OF(OPENSSL_CSTRING) *names; OSSL_DECODER_CTX *ctx; @@ -310,15 +284,6 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg) OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); - if (!decoder_check_input_structure(data->ctx, di)) { - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - " REJECTED: not the desired input structure\n"); - } OSSL_TRACE_END(DECODER); - ossl_decoder_instance_free(di); - /* Not a fatal error. Just return */ - return; - } if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { ossl_decoder_instance_free(di); data->error_occurred = 1; diff --git a/providers/encoders.inc b/providers/encoders.inc index 193a9175a7..95e287c8b9 100644 --- a/providers/encoders.inc +++ b/providers/encoders.inc @@ -15,6 +15,7 @@ #define ENCODER_STRUCTURE_type_specific_params "type-specific" #define ENCODER_STRUCTURE_type_specific "type-specific" #define ENCODER_STRUCTURE_type_specific_no_pub "type-specific" +#define ENCODER_STRUCTURE_EncryptedPrivateKeyInfo "EncryptedPrivateKeyInfo" #define ENCODER_STRUCTURE_PrivateKeyInfo "PrivateKeyInfo" #define ENCODER_STRUCTURE_SubjectPublicKeyInfo "SubjectPublicKeyInfo" #define ENCODER_STRUCTURE_DH "dh" @@ -127,28 +128,36 @@ ENCODER("DSA", dsa, yes, pvk), #endif /* - * Entries for PKCS#8 (PrivateKeyInfo) and SubjectPublicKeyInfo. - * The "der" ones are added convenience for any user that wants to use - * OSSL_ENCODER directly. + * Entries for encrypted PKCS#8 (EncryptedPrivateKeyInfo), unencrypted PKCS#8 + * (PrivateKeyInfo) and SubjectPublicKeyInfo. The "der" ones are added + * convenience for any user that wants to use OSSL_ENCODER directly. * The "pem" ones also support PEM_write_bio_PrivateKey() and * PEM_write_bio_PUBKEY(). */ +ENCODER_w_structure("RSA", rsa, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("RSA", rsa, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("RSA", rsa, yes, der, PrivateKeyInfo), ENCODER_w_structure("RSA", rsa, yes, pem, PrivateKeyInfo), ENCODER_w_structure("RSA", rsa, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("RSA", rsa, yes, pem, SubjectPublicKeyInfo), +ENCODER_w_structure("RSA-PSS", rsapss, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("RSA-PSS", rsapss, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("RSA-PSS", rsapss, yes, der, PrivateKeyInfo), ENCODER_w_structure("RSA-PSS", rsapss, yes, pem, PrivateKeyInfo), ENCODER_w_structure("RSA-PSS", rsapss, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("RSA-PSS", rsapss, yes, pem, SubjectPublicKeyInfo), #ifndef OPENSSL_NO_DH +ENCODER_w_structure("DH", dh, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("DH", dh, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("DH", dh, yes, der, PrivateKeyInfo), ENCODER_w_structure("DH", dh, yes, pem, PrivateKeyInfo), ENCODER_w_structure("DH", dh, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("DH", dh, yes, pem, SubjectPublicKeyInfo), +ENCODER_w_structure("DHX", dhx, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("DHX", dhx, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("DHX", dhx, yes, der, PrivateKeyInfo), ENCODER_w_structure("DHX", dhx, yes, pem, PrivateKeyInfo), ENCODER_w_structure("DHX", dhx, yes, der, SubjectPublicKeyInfo), @@ -156,6 +165,8 @@ ENCODER_w_structure("DHX", dhx, yes, pem, SubjectPublicKeyInfo), #endif #ifndef OPENSSL_NO_DSA +ENCODER_w_structure("DSA", dsa, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("DSA", dsa, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("DSA", dsa, yes, der, PrivateKeyInfo), ENCODER_w_structure("DSA", dsa, yes, pem, PrivateKeyInfo), ENCODER_w_structure("DSA", dsa, yes, der, SubjectPublicKeyInfo), @@ -163,32 +174,44 @@ ENCODER_w_structure("DSA", dsa, yes, pem, SubjectPublicKeyInfo), #endif #ifndef OPENSSL_NO_EC +ENCODER_w_structure("EC", ec, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("EC", ec, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("EC", ec, yes, der, PrivateKeyInfo), ENCODER_w_structure("EC", ec, yes, pem, PrivateKeyInfo), ENCODER_w_structure("EC", ec, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("EC", ec, yes, pem, SubjectPublicKeyInfo), +ENCODER_w_structure("X25519", x25519, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("X25519", x25519, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("X25519", x25519, yes, der, PrivateKeyInfo), ENCODER_w_structure("X25519", x25519, yes, pem, PrivateKeyInfo), ENCODER_w_structure("X25519", x25519, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("X25519", x25519, yes, pem, SubjectPublicKeyInfo), +ENCODER_w_structure("X448", x448, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("X448", x448, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("X448", x448, yes, der, PrivateKeyInfo), ENCODER_w_structure("X448", x448, yes, pem, PrivateKeyInfo), ENCODER_w_structure("X448", x448, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("X448", x448, yes, pem, SubjectPublicKeyInfo), +ENCODER_w_structure("ED25519", ed25519, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("ED25519", ed25519, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("ED25519", ed25519, yes, der, PrivateKeyInfo), ENCODER_w_structure("ED25519", ed25519, yes, pem, PrivateKeyInfo), ENCODER_w_structure("ED25519", ed25519, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("ED25519", ed25519, yes, pem, SubjectPublicKeyInfo), +ENCODER_w_structure("ED448", ed448, yes, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("ED448", ed448, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("ED448", ed448, yes, der, PrivateKeyInfo), ENCODER_w_structure("ED448", ed448, yes, pem, PrivateKeyInfo), ENCODER_w_structure("ED448", ed448, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("ED448", ed448, yes, pem, SubjectPublicKeyInfo), # ifndef OPENSSL_NO_SM2 +ENCODER_w_structure("SM2", sm2, no, der, EncryptedPrivateKeyInfo), +ENCODER_w_structure("SM2", sm2, no, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("SM2", sm2, no, der, PrivateKeyInfo), ENCODER_w_structure("SM2", sm2, no, pem, PrivateKeyInfo), ENCODER_w_structure("SM2", sm2, no, der, SubjectPublicKeyInfo), diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index 5db3689f30..6c537d26ae 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c @@ -123,10 +123,10 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, * though there is no provider interface to handle such objects, yet. * However, this is beneficial for the OSSL_STORE result handler. */ - { PEM_STRING_X509, OSSL_OBJECT_CERT, NULL, NULL }, - { PEM_STRING_X509_TRUSTED, OSSL_OBJECT_CERT, NULL, NULL }, - { PEM_STRING_X509_OLD, OSSL_OBJECT_CERT, NULL, NULL }, - { PEM_STRING_X509_CRL, OSSL_OBJECT_CRL, NULL, NULL } + { PEM_STRING_X509, OSSL_OBJECT_CERT, NULL, "Certificate" }, + { PEM_STRING_X509_TRUSTED, OSSL_OBJECT_CERT, NULL, "Certificate" }, + { PEM_STRING_X509_OLD, OSSL_OBJECT_CERT, NULL, "Certificate" }, + { PEM_STRING_X509_CRL, OSSL_OBJECT_CRL, NULL, "CertificateList" } }; struct pem2der_ctx_st *ctx = vctx; char *pem_name = NULL, *pem_header = NULL; @@ -178,6 +178,7 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, char *data_type = (char *)pem_name_map[i].data_type; char *data_structure = (char *)pem_name_map[i].data_structure; + objtype = pem_name_map[i].object_type; if (data_type != NULL) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index 855866cbfe..f142f2b242 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -167,7 +167,6 @@ static X509_PUBKEY *key_to_pubkey(const void *key, int key_nid, * key_to_epki_* produce encoded output with the private key data in a * EncryptedPrivateKeyInfo structure (defined by PKCS#8). They require * that there's an intent to encrypt, anything else is an error. - * They are currently only called from the corresponding key_to_pki_ function. * * key_to_pki_* primarly produce encoded output with the private key data * in a PrivateKeyInfo structure (also defined by PKCS#8). However, if @@ -510,6 +509,8 @@ static int dh_pki_priv_to_der(const void *dh, unsigned char **pder) return ret; } +# define dh_epki_priv_to_der dh_pki_priv_to_der + static int dh_type_specific_params_to_der(const void *dh, unsigned char **pder) { if (DH_test_flags(dh, DH_FLAG_TYPE_DHX)) @@ -623,6 +624,8 @@ static int dsa_pki_priv_to_der(const void *dsa, unsigned char **pder) return ret; } +# define dsa_epki_priv_to_der dsa_pki_priv_to_der + # define dsa_type_specific_priv_to_der (i2d_of_void *)i2d_DSAPrivateKey # define dsa_type_specific_pub_to_der (i2d_of_void *)i2d_DSAPublicKey # define dsa_type_specific_params_to_der (i2d_of_void *)i2d_DSAparams @@ -721,6 +724,8 @@ static int ec_pki_priv_to_der(const void *veckey, unsigned char **pder) return ret; /* return the length of the der encoded data */ } +# define ec_epki_priv_to_der ec_pki_priv_to_der + # define ec_type_specific_params_to_der (i2d_of_void *)i2d_ECParameters # define ec_type_specific_pub_to_der (i2d_of_void *)i2o_ECPublicKey # define ec_type_specific_priv_to_der (i2d_of_void *)i2d_ECPrivateKey @@ -786,6 +791,8 @@ static int ecx_pki_priv_to_der(const void *vecxkey, unsigned char **pder) return keybloblen; } +# define ecx_epki_priv_to_der ecx_pki_priv_to_der + /* * ED25519, ED448, X25519 and X448 only has PKCS#8 / SubjectPublicKeyInfo * representation, so we don't define ecx_type_specific_[priv,pub,params]_to_der. @@ -889,6 +896,7 @@ static int prepare_rsa_params(const void *rsa, int nid, int save, * field as well as the SubjectPublicKeyInfo |subjectPublicKey| field. */ #define rsa_pki_priv_to_der rsa_type_specific_priv_to_der +#define rsa_epki_priv_to_der rsa_type_specific_priv_to_der #define rsa_spki_pub_to_der rsa_type_specific_pub_to_der #define rsa_type_specific_priv_to_der (i2d_of_void *)i2d_RSAPrivateKey #define rsa_type_specific_pub_to_der (i2d_of_void *)i2d_RSAPublicKey @@ -1116,6 +1124,10 @@ static int key2any_encode(struct key2any_ctx_st *ctx, OSSL_CORE_BIO *cout, #define DO_PrivateKeyInfo(impl, type, output) \ DO_PRIVATE_KEY(impl, type, pki, output) +#define DO_EncryptedPrivateKeyInfo_selection_mask DO_PRIVATE_KEY_selection_mask +#define DO_EncryptedPrivateKeyInfo(impl, type, output) \ + DO_PRIVATE_KEY(impl, type, epki, output) + /* SubjectPublicKeyInfo is a structure for public keys only */ #define DO_SubjectPublicKeyInfo_selection_mask DO_PUBLIC_KEY_selection_mask #define DO_SubjectPublicKeyInfo(impl, type, output) \ @@ -1328,53 +1340,75 @@ MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, type_specific_no_pub, pem); * For PEM, these are expected to be used by PEM_write_bio_PrivateKey(), * PEM_write_bio_PUBKEY() and PEM_write_bio_Parameters(). */ +MAKE_ENCODER(rsa, rsa, EVP_PKEY_RSA, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(rsa, rsa, EVP_PKEY_RSA, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(rsa, rsa, EVP_PKEY_RSA, PrivateKeyInfo, der); MAKE_ENCODER(rsa, rsa, EVP_PKEY_RSA, PrivateKeyInfo, pem); MAKE_ENCODER(rsa, rsa, EVP_PKEY_RSA, SubjectPublicKeyInfo, der); MAKE_ENCODER(rsa, rsa, EVP_PKEY_RSA, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(rsapss, rsa, EVP_PKEY_RSA_PSS, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(rsapss, rsa, EVP_PKEY_RSA_PSS, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(rsapss, rsa, EVP_PKEY_RSA_PSS, PrivateKeyInfo, der); MAKE_ENCODER(rsapss, rsa, EVP_PKEY_RSA_PSS, PrivateKeyInfo, pem); MAKE_ENCODER(rsapss, rsa, EVP_PKEY_RSA_PSS, SubjectPublicKeyInfo, der); MAKE_ENCODER(rsapss, rsa, EVP_PKEY_RSA_PSS, SubjectPublicKeyInfo, pem); #ifndef OPENSSL_NO_DH +MAKE_ENCODER(dh, dh, EVP_PKEY_DH, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(dh, dh, EVP_PKEY_DH, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(dh, dh, EVP_PKEY_DH, PrivateKeyInfo, der); MAKE_ENCODER(dh, dh, EVP_PKEY_DH, PrivateKeyInfo, pem); MAKE_ENCODER(dh, dh, EVP_PKEY_DH, SubjectPublicKeyInfo, der); MAKE_ENCODER(dh, dh, EVP_PKEY_DH, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(dhx, dh, EVP_PKEY_DHX, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(dhx, dh, EVP_PKEY_DHX, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(dhx, dh, EVP_PKEY_DHX, PrivateKeyInfo, der); MAKE_ENCODER(dhx, dh, EVP_PKEY_DHX, PrivateKeyInfo, pem); MAKE_ENCODER(dhx, dh, EVP_PKEY_DHX, SubjectPublicKeyInfo, der); MAKE_ENCODER(dhx, dh, EVP_PKEY_DHX, SubjectPublicKeyInfo, pem); #endif #ifndef OPENSSL_NO_DSA +MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, PrivateKeyInfo, der); MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, PrivateKeyInfo, pem); MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, SubjectPublicKeyInfo, der); MAKE_ENCODER(dsa, dsa, EVP_PKEY_DSA, SubjectPublicKeyInfo, pem); #endif #ifndef OPENSSL_NO_EC +MAKE_ENCODER(ec, ec, EVP_PKEY_EC, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(ec, ec, EVP_PKEY_EC, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, PrivateKeyInfo, der); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, PrivateKeyInfo, pem); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, der); MAKE_ENCODER(ec, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, pem); # ifndef OPENSSL_NO_SM2 +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, PrivateKeyInfo, der); MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, PrivateKeyInfo, pem); MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, der); MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, pem); # endif +MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, PrivateKeyInfo, der); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, PrivateKeyInfo, pem); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, SubjectPublicKeyInfo, der); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(ed448, ecx, EVP_PKEY_ED448, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(ed448, ecx, EVP_PKEY_ED448, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(ed448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, der); MAKE_ENCODER(ed448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, pem); MAKE_ENCODER(ed448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, der); MAKE_ENCODER(ed448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(x25519, ecx, EVP_PKEY_X25519, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(x25519, ecx, EVP_PKEY_X25519, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(x25519, ecx, EVP_PKEY_X25519, PrivateKeyInfo, der); MAKE_ENCODER(x25519, ecx, EVP_PKEY_X25519, PrivateKeyInfo, pem); MAKE_ENCODER(x25519, ecx, EVP_PKEY_X25519, SubjectPublicKeyInfo, der); MAKE_ENCODER(x25519, ecx, EVP_PKEY_X25519, SubjectPublicKeyInfo, pem); +MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, EncryptedPrivateKeyInfo, der); +MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, der); MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, pem); MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, der); diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 8bdd491d0d..73e1823742 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -327,6 +327,8 @@ extern const OSSL_DISPATCH ossl_rsa_asym_kem_functions[]; /* Encoders */ extern const OSSL_DISPATCH ossl_rsa_to_PKCS1_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsa_to_PKCS1_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_rsa_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_rsa_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsa_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsa_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsa_to_RSA_der_encoder_functions[]; @@ -341,6 +343,8 @@ extern const OSSL_DISPATCH ossl_rsa_to_type_specific_keypair_pem_encoder_functio extern const OSSL_DISPATCH ossl_rsapss_to_PKCS1_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsapss_to_PKCS1_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_rsapss_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_rsapss_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsapss_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsapss_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_rsapss_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -351,6 +355,8 @@ extern const OSSL_DISPATCH ossl_dh_to_DH_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dh_to_DH_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dh_to_PKCS3_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dh_to_PKCS3_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_dh_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_dh_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dh_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dh_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dh_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -361,6 +367,8 @@ extern const OSSL_DISPATCH ossl_dh_to_text_encoder_functions[]; extern const OSSL_DISPATCH ossl_dhx_to_DHX_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dhx_to_DHX_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_dhx_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_dhx_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dhx_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dhx_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dhx_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -373,6 +381,8 @@ extern const OSSL_DISPATCH ossl_dhx_to_text_encoder_functions[]; extern const OSSL_DISPATCH ossl_dsa_to_DSA_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dsa_to_DSA_pem_encoder_functions[]; +extern const OSSL_DISPATCH ossl_dsa_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_dsa_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dsa_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_dsa_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_dsa_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -386,6 +396,8 @@ extern const OSSL_DISPATCH ossl_dsa_to_text_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_EC_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_EC_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_blob_encoder_functions[]; +extern const OSSL_DISPATCH ossl_ec_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_ec_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ec_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -400,6 +412,8 @@ extern const OSSL_DISPATCH ossl_ec_to_text_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_SM2_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_SM2_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_blob_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_sm2_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_sm2_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -409,6 +423,8 @@ extern const OSSL_DISPATCH ossl_sm2_to_type_specific_no_pub_der_encoder_function extern const OSSL_DISPATCH ossl_sm2_to_text_encoder_functions[]; #endif +extern const OSSL_DISPATCH ossl_ed25519_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_ed25519_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed25519_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed25519_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed25519_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -416,6 +432,8 @@ extern const OSSL_DISPATCH ossl_ed25519_to_SubjectPublicKeyInfo_pem_encoder_func extern const OSSL_DISPATCH ossl_ed25519_to_OSSL_current_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed25519_to_text_encoder_functions[]; +extern const OSSL_DISPATCH ossl_ed448_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_ed448_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed448_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed448_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed448_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -423,6 +441,8 @@ extern const OSSL_DISPATCH ossl_ed448_to_SubjectPublicKeyInfo_pem_encoder_functi extern const OSSL_DISPATCH ossl_ed448_to_OSSL_current_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_ed448_to_text_encoder_functions[]; +extern const OSSL_DISPATCH ossl_x25519_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_x25519_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_x25519_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_x25519_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_x25519_to_SubjectPublicKeyInfo_der_encoder_functions[]; @@ -430,6 +450,8 @@ extern const OSSL_DISPATCH ossl_x25519_to_SubjectPublicKeyInfo_pem_encoder_funct extern const OSSL_DISPATCH ossl_x25519_to_OSSL_current_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_x25519_to_text_encoder_functions[]; +extern const OSSL_DISPATCH ossl_x448_to_EncryptedPrivateKeyInfo_der_encoder_functions[]; +extern const OSSL_DISPATCH ossl_x448_to_EncryptedPrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_x448_to_PrivateKeyInfo_der_encoder_functions[]; extern const OSSL_DISPATCH ossl_x448_to_PrivateKeyInfo_pem_encoder_functions[]; extern const OSSL_DISPATCH ossl_x448_to_SubjectPublicKeyInfo_der_encoder_functions[]; diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 6ccda2b33f..34cb70fdf8 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -437,6 +437,31 @@ static int file_setup_decoders(struct file_ctx_st *ctx) goto err; } + /* + * Where applicable, set the outermost structure name. + * The goal is to avoid the STORE object types that are + * potentially password protected but aren't interesting + * for this load. + */ + switch (ctx->expected_type) { + case OSSL_STORE_INFO_CERT: + if (!OSSL_DECODER_CTX_set_input_structure(ctx->_.file.decoderctx, + "Certificate")) { + ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); + goto err; + } + break; + case OSSL_STORE_INFO_CRL: + if (!OSSL_DECODER_CTX_set_input_structure(ctx->_.file.decoderctx, + "CertificateList")) { + ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); + goto err; + } + break; + default: + break; + } + for (to_algo = ossl_any_to_obj_algorithm; to_algo->algorithm_names != NULL; to_algo++) { diff --git a/test/endecode_test.c b/test/endecode_test.c index d28ea3c812..1698867b40 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -703,7 +703,7 @@ static int test_protected_via_DER(const char *type, EVP_PKEY *key) return test_encode_decode(__FILE__, __LINE__, type, key, OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, - "DER", "PrivateKeyInfo", + "DER", "EncryptedPrivateKeyInfo", pass, pass_cipher, encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, test_mem, check_protected_PKCS8_DER, @@ -726,7 +726,7 @@ static int test_protected_via_PEM(const char *type, EVP_PKEY *key) return test_encode_decode(__FILE__, __LINE__, type, key, OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, - "PEM", "PrivateKeyInfo", + "PEM", "EncryptedPrivateKeyInfo", pass, pass_cipher, encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, test_text, check_protected_PKCS8_PEM, diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index acb26f0afd..f7a9f626ca 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -11,6 +11,7 @@ use strict; use warnings; use File::Spec::Functions qw/canonpath/; +use File::Copy; use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips with/; use OpenSSL::Test::Utils; @@ -28,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 157; +plan tests => 159; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -448,3 +449,33 @@ SKIP: { ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "hexdistid:31323334353637383132333435363738"), "SM2 hex ID test"); } + +# Mixed content tests +my $cert_file = srctop_file('test', 'certs', 'root-cert.pem'); +my $rsa_file = srctop_file('test', 'certs', 'key-pass-12345.pem'); + +SKIP: { + my $certplusrsa_file = 'certplusrsa.pem'; + my $certplusrsa; + + skip "Couldn't create certplusrsa.pem", 1 + unless ( open $certplusrsa, '>', $certplusrsa_file + and copy($cert_file, $certplusrsa) + and copy($rsa_file, $certplusrsa) ); + + ok(run(app([ qw(openssl verify -trusted), $certplusrsa_file, $cert_file ])), + 'Mixed cert + key file test'); +} + +SKIP: { + my $rsapluscert_file = 'rsapluscert.pem'; + my $rsapluscert; + + skip "Couldn't create rsapluscert.pem", 1 + unless ( open $rsapluscert, '>', $rsapluscert_file + and copy($rsa_file, $rsapluscert) + and copy($cert_file, $rsapluscert) ); + + ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), + 'Mixed key + cert file test'); +}