TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 7901324d9530594155991c8b283023d567741cc7 / . / lib / libmbedtls / mbedtls / library / pkparse.c
blob: 3222ca20fb068d0daae3fbf636e839f3651ce707 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/*
2 * Public Key layer for parsing key files and structures
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]18 */
19
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]20#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]21
22#if defined(MBEDTLS_PK_PARSE_C)
23
24#include "mbedtls/pk.h"
25#include "mbedtls/asn1.h"
26#include "mbedtls/oid.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]27#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]28#include "mbedtls/error.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]29
30#include <string.h>
31
32#if defined(MBEDTLS_RSA_C)
33#include "mbedtls/rsa.h"
34#endif
35#if defined(MBEDTLS_ECP_C)
36#include "mbedtls/ecp.h"
37#endif
38#if defined(MBEDTLS_ECDSA_C)
39#include "mbedtls/ecdsa.h"
40#endif
41#if defined(MBEDTLS_PEM_PARSE_C)
42#include "mbedtls/pem.h"
43#endif
44#if defined(MBEDTLS_PKCS5_C)
45#include "mbedtls/pkcs5.h"
46#endif
47#if defined(MBEDTLS_PKCS12_C)
48#include "mbedtls/pkcs12.h"
49#endif
50
51#if defined(MBEDTLS_PLATFORM_C)
52#include "mbedtls/platform.h"
53#else
54#include <stdlib.h>
55#define mbedtls_calloc calloc
56#define mbedtls_free free
57#endif
58
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define PK_VALIDATE_RET( cond ) \
61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
62#define PK_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]64
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]65#if defined(MBEDTLS_FS_IO)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]66/*
67 * Load all data from a file into a given buffer.
68 *
69 * The file is expected to contain either PEM or DER encoded data.
70 * A terminating null byte is always appended. It is included in the announced
71 * length only if the data looks like it is PEM encoded.
72 */
73int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
74{
75 FILE *f;
76 long size;
77
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]78 PK_VALIDATE_RET( path != NULL );
79 PK_VALIDATE_RET( buf != NULL );
80 PK_VALIDATE_RET( n != NULL );
81
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]82 if( ( f = fopen( path, "rb" ) ) == NULL )
83 return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
84
85 fseek( f, 0, SEEK_END );
86 if( ( size = ftell( f ) ) == -1 )
87 {
88 fclose( f );
89 return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
90 }
91 fseek( f, 0, SEEK_SET );
92
93 *n = (size_t) size;
94
95 if( *n + 1 == 0 ||
96 ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
97 {
98 fclose( f );
99 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
100 }
101
102 if( fread( *buf, 1, *n, f ) != *n )
103 {
104 fclose( f );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]105
106 mbedtls_platform_zeroize( *buf, *n );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]107 mbedtls_free( *buf );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]108
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]109 return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
110 }
111
112 fclose( f );
113
114 (*buf)[*n] = '\0';
115
116 if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
117 ++*n;
118
119 return( 0 );
120}
121
122/*
123 * Load and parse a private key
124 */
125int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
126 const char *path, const char *pwd )
127{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]128 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]129 size_t n;
130 unsigned char *buf;
131
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]132 PK_VALIDATE_RET( ctx != NULL );
133 PK_VALIDATE_RET( path != NULL );
134
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]135 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
136 return( ret );
137
138 if( pwd == NULL )
139 ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
140 else
141 ret = mbedtls_pk_parse_key( ctx, buf, n,
142 (const unsigned char *) pwd, strlen( pwd ) );
143
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]144 mbedtls_platform_zeroize( buf, n );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]145 mbedtls_free( buf );
146
147 return( ret );
148}
149
150/*
151 * Load and parse a public key
152 */
153int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
154{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]155 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]156 size_t n;
157 unsigned char *buf;
158
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]159 PK_VALIDATE_RET( ctx != NULL );
160 PK_VALIDATE_RET( path != NULL );
161
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]162 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
163 return( ret );
164
165 ret = mbedtls_pk_parse_public_key( ctx, buf, n );
166
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]167 mbedtls_platform_zeroize( buf, n );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]168 mbedtls_free( buf );
169
170 return( ret );
171}
172#endif /* MBEDTLS_FS_IO */
173
174#if defined(MBEDTLS_ECP_C)
175/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
176 *
177 * ECParameters ::= CHOICE {
178 * namedCurve OBJECT IDENTIFIER
179 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
180 * -- implicitCurve NULL
181 * }
182 */
183static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
184 mbedtls_asn1_buf *params )
185{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]187
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]188 if ( end - *p < 1 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]189 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
190 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]191
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]192 /* Tag may be either OID or SEQUENCE */
193 params->tag = **p;
194 if( params->tag != MBEDTLS_ASN1_OID
195#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
196 && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
197#endif
198 )
199 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]200 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
201 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]202 }
203
204 if( ( ret = mbedtls_asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
205 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]206 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]207 }
208
209 params->p = *p;
210 *p += params->len;
211
212 if( *p != end )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]213 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
214 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]215
216 return( 0 );
217}
218
219#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
220/*
221 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
222 * WARNING: the resulting group should only be used with
223 * pk_group_id_from_specified(), since its base point may not be set correctly
224 * if it was encoded compressed.
225 *
226 * SpecifiedECDomain ::= SEQUENCE {
227 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
228 * fieldID FieldID {{FieldTypes}},
229 * curve Curve,
230 * base ECPoint,
231 * order INTEGER,
232 * cofactor INTEGER OPTIONAL,
233 * hash HashAlgorithm OPTIONAL,
234 * ...
235 * }
236 *
237 * We only support prime-field as field type, and ignore hash and cofactor.
238 */
239static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
240{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]242 unsigned char *p = params->p;
243 const unsigned char * const end = params->p + params->len;
244 const unsigned char *end_field, *end_curve;
245 size_t len;
246 int ver;
247
248 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
249 if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]250 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]251
252 if( ver < 1 || ver > 3 )
253 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
254
255 /*
256 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
257 * fieldType FIELD-ID.&id({IOSet}),
258 * parameters FIELD-ID.&Type({IOSet}{@fieldType})
259 * }
260 */
261 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
262 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
263 return( ret );
264
265 end_field = p + len;
266
267 /*
268 * FIELD-ID ::= TYPE-IDENTIFIER
269 * FieldTypes FIELD-ID ::= {
270 * { Prime-p IDENTIFIED BY prime-field } |
271 * { Characteristic-two IDENTIFIED BY characteristic-two-field }
272 * }
273 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
274 */
275 if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
276 return( ret );
277
278 if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
279 memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
280 {
281 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
282 }
283
284 p += len;
285
286 /* Prime-p ::= INTEGER -- Field of size p. */
287 if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]288 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]289
290 grp->pbits = mbedtls_mpi_bitlen( &grp->P );
291
292 if( p != end_field )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]293 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
294 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]295
296 /*
297 * Curve ::= SEQUENCE {
298 * a FieldElement,
299 * b FieldElement,
300 * seed BIT STRING OPTIONAL
301 * -- Shall be present if used in SpecifiedECDomain
302 * -- with version equal to ecdpVer2 or ecdpVer3
303 * }
304 */
305 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
306 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
307 return( ret );
308
309 end_curve = p + len;
310
311 /*
312 * FieldElement ::= OCTET STRING
313 * containing an integer in the case of a prime field
314 */
315 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
316 ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
317 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]318 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]319 }
320
321 p += len;
322
323 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
324 ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
325 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]326 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]327 }
328
329 p += len;
330
331 /* Ignore seed BIT STRING OPTIONAL */
332 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
333 p += len;
334
335 if( p != end_curve )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]336 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
337 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]338
339 /*
340 * ECPoint ::= OCTET STRING
341 */
342 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]343 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]344
345 if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
346 ( const unsigned char *) p, len ) ) != 0 )
347 {
348 /*
349 * If we can't read the point because it's compressed, cheat by
350 * reading only the X coordinate and the parity bit of Y.
351 */
352 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
353 ( p[0] != 0x02 && p[0] != 0x03 ) ||
354 len != mbedtls_mpi_size( &grp->P ) + 1 ||
355 mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
356 mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
357 mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
358 {
359 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
360 }
361 }
362
363 p += len;
364
365 /*
366 * order INTEGER
367 */
368 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]369 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]370
371 grp->nbits = mbedtls_mpi_bitlen( &grp->N );
372
373 /*
374 * Allow optional elements by purposefully not enforcing p == end here.
375 */
376
377 return( 0 );
378}
379
380/*
381 * Find the group id associated with an (almost filled) group as generated by
382 * pk_group_from_specified(), or return an error if unknown.
383 */
384static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
385{
386 int ret = 0;
387 mbedtls_ecp_group ref;
388 const mbedtls_ecp_group_id *id;
389
390 mbedtls_ecp_group_init( &ref );
391
392 for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
393 {
394 /* Load the group associated to that id */
395 mbedtls_ecp_group_free( &ref );
396 MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
397
398 /* Compare to the group we were given, starting with easy tests */
399 if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
400 mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
401 mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
402 mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
403 mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
404 mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
405 mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
406 /* For Y we may only know the parity bit, so compare only that */
407 mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
408 {
409 break;
410 }
411
412 }
413
414cleanup:
415 mbedtls_ecp_group_free( &ref );
416
417 *grp_id = *id;
418
419 if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
420 ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
421
422 return( ret );
423}
424
425/*
426 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
427 */
428static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
429 mbedtls_ecp_group_id *grp_id )
430{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]431 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]432 mbedtls_ecp_group grp;
433
434 mbedtls_ecp_group_init( &grp );
435
436 if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
437 goto cleanup;
438
439 ret = pk_group_id_from_group( &grp, grp_id );
440
441cleanup:
442 mbedtls_ecp_group_free( &grp );
443
444 return( ret );
445}
446#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
447
448/*
449 * Use EC parameters to initialise an EC group
450 *
451 * ECParameters ::= CHOICE {
452 * namedCurve OBJECT IDENTIFIER
453 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
454 * -- implicitCurve NULL
455 */
456static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
457{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]458 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]459 mbedtls_ecp_group_id grp_id;
460
461 if( params->tag == MBEDTLS_ASN1_OID )
462 {
463 if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
464 return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
465 }
466 else
467 {
468#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
469 if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
470 return( ret );
471#else
472 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
473#endif
474 }
475
476 /*
477 * grp may already be initilialized; if so, make sure IDs match
478 */
479 if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
480 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
481
482 if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
483 return( ret );
484
485 return( 0 );
486}
487
488/*
489 * EC public key is an EC point
490 *
491 * The caller is responsible for clearing the structure upon failure if
492 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
493 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
494 */
495static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
496 mbedtls_ecp_keypair *key )
497{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]498 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]499
500 if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
501 (const unsigned char *) *p, end - *p ) ) == 0 )
502 {
503 ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
504 }
505
506 /*
507 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
508 */
509 *p = (unsigned char *) end;
510
511 return( ret );
512}
513#endif /* MBEDTLS_ECP_C */
514
515#if defined(MBEDTLS_RSA_C)
516/*
517 * RSAPublicKey ::= SEQUENCE {
518 * modulus INTEGER, -- n
519 * publicExponent INTEGER -- e
520 * }
521 */
522static int pk_get_rsapubkey( unsigned char **p,
523 const unsigned char *end,
524 mbedtls_rsa_context *rsa )
525{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]526 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]527 size_t len;
528
529 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
530 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]531 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]532
533 if( *p + len != end )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]534 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
535 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]536
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]537 /* Import N */
538 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]539 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]540
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]541 if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
542 NULL, 0, NULL, 0 ) ) != 0 )
543 return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
544
545 *p += len;
546
547 /* Import E */
548 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]549 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]550
551 if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
552 NULL, 0, *p, len ) ) != 0 )
553 return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
554
555 *p += len;
556
557 if( mbedtls_rsa_complete( rsa ) != 0 ||
558 mbedtls_rsa_check_pubkey( rsa ) != 0 )
559 {
560 return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
561 }
562
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]563 if( *p != end )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]564 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
565 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]566
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]567 return( 0 );
568}
569#endif /* MBEDTLS_RSA_C */
570
571/* Get a PK algorithm identifier
572 *
573 * AlgorithmIdentifier ::= SEQUENCE {
574 * algorithm OBJECT IDENTIFIER,
575 * parameters ANY DEFINED BY algorithm OPTIONAL }
576 */
577static int pk_get_pk_alg( unsigned char **p,
578 const unsigned char *end,
579 mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
580{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]581 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]582 mbedtls_asn1_buf alg_oid;
583
584 memset( params, 0, sizeof(mbedtls_asn1_buf) );
585
586 if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]587 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_ALG, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]588
589 if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
590 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
591
592 /*
593 * No parameters with RSA (only for EC)
594 */
595 if( *pk_alg == MBEDTLS_PK_RSA &&
596 ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
597 params->len != 0 ) )
598 {
599 return( MBEDTLS_ERR_PK_INVALID_ALG );
600 }
601
602 return( 0 );
603}
604
605/*
606 * SubjectPublicKeyInfo ::= SEQUENCE {
607 * algorithm AlgorithmIdentifier,
608 * subjectPublicKey BIT STRING }
609 */
610int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
611 mbedtls_pk_context *pk )
612{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]613 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]614 size_t len;
615 mbedtls_asn1_buf alg_params;
616 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
617 const mbedtls_pk_info_t *pk_info;
618
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]619 PK_VALIDATE_RET( p != NULL );
620 PK_VALIDATE_RET( *p != NULL );
621 PK_VALIDATE_RET( end != NULL );
622 PK_VALIDATE_RET( pk != NULL );
623
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]624 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
625 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
626 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]627 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]628 }
629
630 end = *p + len;
631
632 if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
633 return( ret );
634
635 if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]636 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]637
638 if( *p + len != end )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]639 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
640 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]641
642 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
643 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
644
645 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
646 return( ret );
647
648#if defined(MBEDTLS_RSA_C)
649 if( pk_alg == MBEDTLS_PK_RSA )
650 {
651 ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
652 } else
653#endif /* MBEDTLS_RSA_C */
654#if defined(MBEDTLS_ECP_C)
655 if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
656 {
657 ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
658 if( ret == 0 )
659 ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
660 } else
661#endif /* MBEDTLS_ECP_C */
662 ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
663
664 if( ret == 0 && *p != end )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]665 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
666 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]667
668 if( ret != 0 )
669 mbedtls_pk_free( pk );
670
671 return( ret );
672}
673
674#if defined(MBEDTLS_RSA_C)
675/*
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]676 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
677 *
678 * The value zero is:
679 * - never a valid value for an RSA parameter
680 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
681 *
682 * Since values can't be omitted in PKCS#1, passing a zero value to
683 * rsa_complete() would be incorrect, so reject zero values early.
684 */
685static int asn1_get_nonzero_mpi( unsigned char **p,
686 const unsigned char *end,
687 mbedtls_mpi *X )
688{
689 int ret;
690
691 ret = mbedtls_asn1_get_mpi( p, end, X );
692 if( ret != 0 )
693 return( ret );
694
695 if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
696 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
697
698 return( 0 );
699}
700
701/*
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]702 * Parse a PKCS#1 encoded private RSA key
703 */
704static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
705 const unsigned char *key,
706 size_t keylen )
707{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]708 int ret, version;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]709 size_t len;
710 unsigned char *p, *end;
711
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]712 mbedtls_mpi T;
713 mbedtls_mpi_init( &T );
714
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]715 p = (unsigned char *) key;
716 end = p + keylen;
717
718 /*
719 * This function parses the RSAPrivateKey (PKCS#1)
720 *
721 * RSAPrivateKey ::= SEQUENCE {
722 * version Version,
723 * modulus INTEGER, -- n
724 * publicExponent INTEGER, -- e
725 * privateExponent INTEGER, -- d
726 * prime1 INTEGER, -- p
727 * prime2 INTEGER, -- q
728 * exponent1 INTEGER, -- d mod (p-1)
729 * exponent2 INTEGER, -- d mod (q-1)
730 * coefficient INTEGER, -- (inverse of q) mod p
731 * otherPrimeInfos OtherPrimeInfos OPTIONAL
732 * }
733 */
734 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
735 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
736 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]737 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]738 }
739
740 end = p + len;
741
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]742 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]743 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]744 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]745 }
746
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]747 if( version != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]748 {
749 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
750 }
751
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]752 /* Import N */
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]753 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
754 ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
755 NULL, NULL ) ) != 0 )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]756 goto cleanup;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]757
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]758 /* Import E */
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]759 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
760 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
761 NULL, &T ) ) != 0 )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]762 goto cleanup;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]763
764 /* Import D */
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]765 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
766 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
767 &T, NULL ) ) != 0 )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]768 goto cleanup;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]769
770 /* Import P */
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]771 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
772 ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
773 NULL, NULL ) ) != 0 )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]774 goto cleanup;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]775
776 /* Import Q */
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]777 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
778 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
779 NULL, NULL ) ) != 0 )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]780 goto cleanup;
781
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]782#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
783 /*
784 * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
785 * that they can be easily recomputed from D, P and Q. However by
786 * parsing them from the PKCS1 structure it is possible to avoid
787 * recalculating them which both reduces the overhead of loading
788 * RSA private keys into memory and also avoids side channels which
789 * can arise when computing those values, since all of D, P, and Q
790 * are secret. See https://eprint.iacr.org/2020/055 for a
791 * description of one such attack.
792 */
793
794 /* Import DP */
795 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
796 ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
797 goto cleanup;
798
799 /* Import DQ */
800 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
801 ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
802 goto cleanup;
803
804 /* Import QP */
805 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
806 ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
807 goto cleanup;
808
809#else
810 /* Verify existance of the CRT params */
811 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
812 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
813 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
814 goto cleanup;
815#endif
816
817 /* rsa_complete() doesn't complete anything with the default
818 * implementation but is still called:
819 * - for the benefit of alternative implementation that may want to
820 * pre-compute stuff beyond what's provided (eg Montgomery factors)
821 * - as is also sanity-checks the key
822 *
823 * Furthermore, we also check the public part for consistency with
824 * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
825 */
826 if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
827 ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
828 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]829 goto cleanup;
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]830 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]831
832 if( p != end )
833 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]834 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
835 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]836 }
837
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]838cleanup:
839
840 mbedtls_mpi_free( &T );
841
842 if( ret != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]843 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]844 /* Wrap error code if it's coming from a lower level */
845 if( ( ret & 0xff80 ) == 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]846 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]847 else
848 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
849
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]850 mbedtls_rsa_free( rsa );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]851 }
852
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]853 return( ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]854}
855#endif /* MBEDTLS_RSA_C */
856
857#if defined(MBEDTLS_ECP_C)
858/*
859 * Parse a SEC1 encoded private EC key
860 */
861static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
862 const unsigned char *key,
863 size_t keylen )
864{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]865 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]866 int version, pubkey_done;
867 size_t len;
868 mbedtls_asn1_buf params;
869 unsigned char *p = (unsigned char *) key;
870 unsigned char *end = p + keylen;
871 unsigned char *end2;
872
873 /*
874 * RFC 5915, or SEC1 Appendix C.4
875 *
876 * ECPrivateKey ::= SEQUENCE {
877 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
878 * privateKey OCTET STRING,
879 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
880 * publicKey [1] BIT STRING OPTIONAL
881 * }
882 */
883 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
884 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
885 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]886 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]887 }
888
889 end = p + len;
890
891 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]892 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]893
894 if( version != 1 )
895 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
896
897 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]898 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]899
900 if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
901 {
902 mbedtls_ecp_keypair_free( eck );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]903 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]904 }
905
906 p += len;
907
908 pubkey_done = 0;
909 if( p != end )
910 {
911 /*
912 * Is 'parameters' present?
913 */
914 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
915 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
916 {
917 if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
918 ( ret = pk_use_ecparams( &params, &eck->grp ) ) != 0 )
919 {
920 mbedtls_ecp_keypair_free( eck );
921 return( ret );
922 }
923 }
924 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
925 {
926 mbedtls_ecp_keypair_free( eck );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]927 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]928 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]929 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]930
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]931 if( p != end )
932 {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]933 /*
934 * Is 'publickey' present? If not, or if we can't read it (eg because it
935 * is compressed), create it from the private key.
936 */
937 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
938 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
939 {
940 end2 = p + len;
941
942 if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]943 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]944
945 if( p + len != end2 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]946 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
947 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]948
949 if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
950 pubkey_done = 1;
951 else
952 {
953 /*
954 * The only acceptable failure mode of pk_get_ecpubkey() above
955 * is if the point format is not recognized.
956 */
957 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
958 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
959 }
960 }
961 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
962 {
963 mbedtls_ecp_keypair_free( eck );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]964 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]965 }
966 }
967
968 if( ! pubkey_done &&
969 ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
970 NULL, NULL ) ) != 0 )
971 {
972 mbedtls_ecp_keypair_free( eck );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]973 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]974 }
975
976 if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
977 {
978 mbedtls_ecp_keypair_free( eck );
979 return( ret );
980 }
981
982 return( 0 );
983}
984#endif /* MBEDTLS_ECP_C */
985
986/*
987 * Parse an unencrypted PKCS#8 encoded private key
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]988 *
989 * Notes:
990 *
991 * - This function does not own the key buffer. It is the
992 * responsibility of the caller to take care of zeroizing
993 * and freeing it after use.
994 *
995 * - The function is responsible for freeing the provided
996 * PK context on failure.
997 *
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]998 */
999static int pk_parse_key_pkcs8_unencrypted_der(
1000 mbedtls_pk_context *pk,
1001 const unsigned char* key,
1002 size_t keylen )
1003{
1004 int ret, version;
1005 size_t len;
1006 mbedtls_asn1_buf params;
1007 unsigned char *p = (unsigned char *) key;
1008 unsigned char *end = p + keylen;
1009 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
1010 const mbedtls_pk_info_t *pk_info;
1011
1012 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1013 * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1014 *
1015 * PrivateKeyInfo ::= SEQUENCE {
1016 * version Version,
1017 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
1018 * privateKey PrivateKey,
1019 * attributes [0] IMPLICIT Attributes OPTIONAL }
1020 *
1021 * Version ::= INTEGER
1022 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
1023 * PrivateKey ::= OCTET STRING
1024 *
1025 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
1026 */
1027
1028 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1029 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1030 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1031 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1032 }
1033
1034 end = p + len;
1035
1036 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1037 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1038
1039 if( version != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1040 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1041
1042 if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1043 {
1044 return( ret );
1045 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1046
1047 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1048 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1049
1050 if( len < 1 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1051 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
1052 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1053
1054 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
1055 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1056
1057 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
1058 return( ret );
1059
1060#if defined(MBEDTLS_RSA_C)
1061 if( pk_alg == MBEDTLS_PK_RSA )
1062 {
1063 if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
1064 {
1065 mbedtls_pk_free( pk );
1066 return( ret );
1067 }
1068 } else
1069#endif /* MBEDTLS_RSA_C */
1070#if defined(MBEDTLS_ECP_C)
1071 if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
1072 {
1073 if( ( ret = pk_use_ecparams( &params, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
1074 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 )
1075 {
1076 mbedtls_pk_free( pk );
1077 return( ret );
1078 }
1079 } else
1080#endif /* MBEDTLS_ECP_C */
1081 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1082
1083 return( 0 );
1084}
1085
1086/*
1087 * Parse an encrypted PKCS#8 encoded private key
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1088 *
1089 * To save space, the decryption happens in-place on the given key buffer.
1090 * Also, while this function may modify the keybuffer, it doesn't own it,
1091 * and instead it is the responsibility of the caller to zeroize and properly
1092 * free it after use.
1093 *
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1094 */
1095#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1096static int pk_parse_key_pkcs8_encrypted_der(
1097 mbedtls_pk_context *pk,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1098 unsigned char *key, size_t keylen,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1099 const unsigned char *pwd, size_t pwdlen )
1100{
1101 int ret, decrypted = 0;
1102 size_t len;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1103 unsigned char *buf;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1104 unsigned char *p, *end;
1105 mbedtls_asn1_buf pbe_alg_oid, pbe_params;
1106#if defined(MBEDTLS_PKCS12_C)
1107 mbedtls_cipher_type_t cipher_alg;
1108 mbedtls_md_type_t md_alg;
1109#endif
1110
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1111 p = key;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1112 end = p + keylen;
1113
1114 if( pwdlen == 0 )
1115 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1116
1117 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1118 * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1119 *
1120 * EncryptedPrivateKeyInfo ::= SEQUENCE {
1121 * encryptionAlgorithm EncryptionAlgorithmIdentifier,
1122 * encryptedData EncryptedData
1123 * }
1124 *
1125 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1126 *
1127 * EncryptedData ::= OCTET STRING
1128 *
1129 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1130 *
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1131 */
1132 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1133 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1134 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1135 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1136 }
1137
1138 end = p + len;
1139
1140 if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1141 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1142
1143 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1144 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1145
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1146 buf = p;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1147
1148 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1149 * Decrypt EncryptedData with appropriate PBE
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1150 */
1151#if defined(MBEDTLS_PKCS12_C)
1152 if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
1153 {
1154 if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
1155 cipher_alg, md_alg,
1156 pwd, pwdlen, p, len, buf ) ) != 0 )
1157 {
1158 if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
1159 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1160
1161 return( ret );
1162 }
1163
1164 decrypted = 1;
1165 }
1166 else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
1167 {
1168 if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
1169 MBEDTLS_PKCS12_PBE_DECRYPT,
1170 pwd, pwdlen,
1171 p, len, buf ) ) != 0 )
1172 {
1173 return( ret );
1174 }
1175
1176 // Best guess for password mismatch when using RC4. If first tag is
1177 // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
1178 //
1179 if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
1180 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1181
1182 decrypted = 1;
1183 }
1184 else
1185#endif /* MBEDTLS_PKCS12_C */
1186#if defined(MBEDTLS_PKCS5_C)
1187 if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
1188 {
1189 if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
1190 p, len, buf ) ) != 0 )
1191 {
1192 if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
1193 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1194
1195 return( ret );
1196 }
1197
1198 decrypted = 1;
1199 }
1200 else
1201#endif /* MBEDTLS_PKCS5_C */
1202 {
1203 ((void) pwd);
1204 }
1205
1206 if( decrypted == 0 )
1207 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1208
1209 return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
1210}
1211#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1212
1213/*
1214 * Parse a private key
1215 */
1216int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
1217 const unsigned char *key, size_t keylen,
1218 const unsigned char *pwd, size_t pwdlen )
1219{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1220 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1221 const mbedtls_pk_info_t *pk_info;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1222#if defined(MBEDTLS_PEM_PARSE_C)
1223 size_t len;
1224 mbedtls_pem_context pem;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1225#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1226
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1227 PK_VALIDATE_RET( pk != NULL );
1228 if( keylen == 0 )
1229 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1230 PK_VALIDATE_RET( key != NULL );
1231
1232#if defined(MBEDTLS_PEM_PARSE_C)
1233 mbedtls_pem_init( &pem );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1234
1235#if defined(MBEDTLS_RSA_C)
1236 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1237 if( key[keylen - 1] != '\0' )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1238 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1239 else
1240 ret = mbedtls_pem_read_buffer( &pem,
1241 "-----BEGIN RSA PRIVATE KEY-----",
1242 "-----END RSA PRIVATE KEY-----",
1243 key, pwd, pwdlen, &len );
1244
1245 if( ret == 0 )
1246 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1247 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
1248 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1249 ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
1250 pem.buf, pem.buflen ) ) != 0 )
1251 {
1252 mbedtls_pk_free( pk );
1253 }
1254
1255 mbedtls_pem_free( &pem );
1256 return( ret );
1257 }
1258 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
1259 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1260 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
1261 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1262 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1263 return( ret );
1264#endif /* MBEDTLS_RSA_C */
1265
1266#if defined(MBEDTLS_ECP_C)
1267 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1268 if( key[keylen - 1] != '\0' )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1269 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1270 else
1271 ret = mbedtls_pem_read_buffer( &pem,
1272 "-----BEGIN EC PRIVATE KEY-----",
1273 "-----END EC PRIVATE KEY-----",
1274 key, pwd, pwdlen, &len );
1275 if( ret == 0 )
1276 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1277 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1278
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1279 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1280 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
1281 pem.buf, pem.buflen ) ) != 0 )
1282 {
1283 mbedtls_pk_free( pk );
1284 }
1285
1286 mbedtls_pem_free( &pem );
1287 return( ret );
1288 }
1289 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
1290 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1291 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
1292 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1293 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1294 return( ret );
1295#endif /* MBEDTLS_ECP_C */
1296
1297 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1298 if( key[keylen - 1] != '\0' )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1299 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1300 else
1301 ret = mbedtls_pem_read_buffer( &pem,
1302 "-----BEGIN PRIVATE KEY-----",
1303 "-----END PRIVATE KEY-----",
1304 key, NULL, 0, &len );
1305 if( ret == 0 )
1306 {
1307 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
1308 pem.buf, pem.buflen ) ) != 0 )
1309 {
1310 mbedtls_pk_free( pk );
1311 }
1312
1313 mbedtls_pem_free( &pem );
1314 return( ret );
1315 }
1316 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1317 return( ret );
1318
1319#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1320 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1321 if( key[keylen - 1] != '\0' )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1322 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1323 else
1324 ret = mbedtls_pem_read_buffer( &pem,
1325 "-----BEGIN ENCRYPTED PRIVATE KEY-----",
1326 "-----END ENCRYPTED PRIVATE KEY-----",
1327 key, NULL, 0, &len );
1328 if( ret == 0 )
1329 {
1330 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
1331 pem.buf, pem.buflen,
1332 pwd, pwdlen ) ) != 0 )
1333 {
1334 mbedtls_pk_free( pk );
1335 }
1336
1337 mbedtls_pem_free( &pem );
1338 return( ret );
1339 }
1340 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1341 return( ret );
1342#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1343#else
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1344 ((void) pwd);
1345 ((void) pwdlen);
1346#endif /* MBEDTLS_PEM_PARSE_C */
1347
1348 /*
1349 * At this point we only know it's not a PEM formatted key. Could be any
1350 * of the known DER encoded private key formats
1351 *
1352 * We try the different DER format parsers to see if one passes without
1353 * error
1354 */
1355#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1356 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1357 unsigned char *key_copy;
1358
1359 if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
1360 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
1361
1362 memcpy( key_copy, key, keylen );
1363
1364 ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
1365 pwd, pwdlen );
1366
1367 mbedtls_platform_zeroize( key_copy, keylen );
1368 mbedtls_free( key_copy );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1369 }
1370
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1371 if( ret == 0 )
1372 return( 0 );
1373
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1374 mbedtls_pk_free( pk );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1375 mbedtls_pk_init( pk );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1376
1377 if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
1378 {
1379 return( ret );
1380 }
1381#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1382
1383 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
1384 return( 0 );
1385
1386 mbedtls_pk_free( pk );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1387 mbedtls_pk_init( pk );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1388
1389#if defined(MBEDTLS_RSA_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1390
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1391 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
1392 if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
1393 pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1394 {
1395 return( 0 );
1396 }
1397
1398 mbedtls_pk_free( pk );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1399 mbedtls_pk_init( pk );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1400#endif /* MBEDTLS_RSA_C */
1401
1402#if defined(MBEDTLS_ECP_C)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1403 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
1404 if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
1405 pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
1406 key, keylen ) == 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1407 {
1408 return( 0 );
1409 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1410 mbedtls_pk_free( pk );
1411#endif /* MBEDTLS_ECP_C */
1412
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1413 /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
1414 * it is ok to leave the PK context initialized but not
1415 * freed: It is the caller's responsibility to call pk_init()
1416 * before calling this function, and to call pk_free()
1417 * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
1418 * isn't, this leads to mbedtls_pk_free() being called
1419 * twice, once here and once by the caller, but this is
1420 * also ok and in line with the mbedtls_pk_free() calls
1421 * on failed PEM parsing attempts. */
1422
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1423 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1424}
1425
1426/*
1427 * Parse a public key
1428 */
1429int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
1430 const unsigned char *key, size_t keylen )
1431{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1432 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1433 unsigned char *p;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1434#if defined(MBEDTLS_RSA_C)
1435 const mbedtls_pk_info_t *pk_info;
1436#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1437#if defined(MBEDTLS_PEM_PARSE_C)
1438 size_t len;
1439 mbedtls_pem_context pem;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1440#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1441
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1442 PK_VALIDATE_RET( ctx != NULL );
1443 if( keylen == 0 )
1444 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1445 PK_VALIDATE_RET( key != NULL || keylen == 0 );
1446
1447#if defined(MBEDTLS_PEM_PARSE_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1448 mbedtls_pem_init( &pem );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1449#if defined(MBEDTLS_RSA_C)
1450 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1451 if( key[keylen - 1] != '\0' )
1452 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1453 else
1454 ret = mbedtls_pem_read_buffer( &pem,
1455 "-----BEGIN RSA PUBLIC KEY-----",
1456 "-----END RSA PUBLIC KEY-----",
1457 key, NULL, 0, &len );
1458
1459 if( ret == 0 )
1460 {
1461 p = pem.buf;
1462 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
1463 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1464
1465 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
1466 return( ret );
1467
1468 if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
1469 mbedtls_pk_free( ctx );
1470
1471 mbedtls_pem_free( &pem );
1472 return( ret );
1473 }
1474 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1475 {
1476 mbedtls_pem_free( &pem );
1477 return( ret );
1478 }
1479#endif /* MBEDTLS_RSA_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1480
1481 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1482 if( key[keylen - 1] != '\0' )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1483 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1484 else
1485 ret = mbedtls_pem_read_buffer( &pem,
1486 "-----BEGIN PUBLIC KEY-----",
1487 "-----END PUBLIC KEY-----",
1488 key, NULL, 0, &len );
1489
1490 if( ret == 0 )
1491 {
1492 /*
1493 * Was PEM encoded
1494 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1495 p = pem.buf;
1496
1497 ret = mbedtls_pk_parse_subpubkey( &p, p + pem.buflen, ctx );
1498 mbedtls_pem_free( &pem );
1499 return( ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1500 }
1501 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1502 {
1503 mbedtls_pem_free( &pem );
1504 return( ret );
1505 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1506 mbedtls_pem_free( &pem );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1507#endif /* MBEDTLS_PEM_PARSE_C */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1508
1509#if defined(MBEDTLS_RSA_C)
1510 if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
1511 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1512
1513 if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
1514 return( ret );
1515
1516 p = (unsigned char *)key;
1517 ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
1518 if( ret == 0 )
1519 {
1520 return( ret );
1521 }
1522 mbedtls_pk_free( ctx );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame^]1523 if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
1524 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1525 {
1526 return( ret );
1527 }
1528#endif /* MBEDTLS_RSA_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1529 p = (unsigned char *) key;
1530
1531 ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
1532
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1533 return( ret );
1534}
1535
1536#endif /* MBEDTLS_PK_PARSE_C */