1 /* 2 * Public Key layer for parsing key files and structures 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 * 46 * This file is part of mbed TLS (https://tls.mbed.org) 47 */ 48 49 #if !defined(MBEDTLS_CONFIG_FILE) 50 #include "mbedtls/config.h" 51 #else 52 #include MBEDTLS_CONFIG_FILE 53 #endif 54 55 #if defined(MBEDTLS_PK_PARSE_C) 56 57 #include "mbedtls/pk.h" 58 #include "mbedtls/asn1.h" 59 #include "mbedtls/oid.h" 60 61 #include <string.h> 62 63 #if defined(MBEDTLS_RSA_C) 64 #include "mbedtls/rsa.h" 65 #endif 66 #if defined(MBEDTLS_ECP_C) 67 #include "mbedtls/ecp.h" 68 #endif 69 #if defined(MBEDTLS_ECDSA_C) 70 #include "mbedtls/ecdsa.h" 71 #endif 72 #if defined(MBEDTLS_PEM_PARSE_C) 73 #include "mbedtls/pem.h" 74 #endif 75 #if defined(MBEDTLS_PKCS5_C) 76 #include "mbedtls/pkcs5.h" 77 #endif 78 #if defined(MBEDTLS_PKCS12_C) 79 #include "mbedtls/pkcs12.h" 80 #endif 81 82 #if defined(MBEDTLS_PLATFORM_C) 83 #include "mbedtls/platform.h" 84 #else 85 #include <stdlib.h> 86 #define mbedtls_calloc calloc 87 #define mbedtls_free free 88 #endif 89 90 #if defined(MBEDTLS_FS_IO) || \ 91 defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 92 /* Implementation that should never be optimized out by the compiler */ 93 static void mbedtls_zeroize( void *v, size_t n ) { 94 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 95 } 96 #endif 97 98 #if defined(MBEDTLS_FS_IO) 99 /* 100 * Load all data from a file into a given buffer. 101 * 102 * The file is expected to contain either PEM or DER encoded data. 103 * A terminating null byte is always appended. It is included in the announced 104 * length only if the data looks like it is PEM encoded. 105 */ 106 int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) 107 { 108 FILE *f; 109 long size; 110 111 if( ( f = fopen( path, "rb" ) ) == NULL ) 112 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 113 114 fseek( f, 0, SEEK_END ); 115 if( ( size = ftell( f ) ) == -1 ) 116 { 117 fclose( f ); 118 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 119 } 120 fseek( f, 0, SEEK_SET ); 121 122 *n = (size_t) size; 123 124 if( *n + 1 == 0 || 125 ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL ) 126 { 127 fclose( f ); 128 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 129 } 130 131 if( fread( *buf, 1, *n, f ) != *n ) 132 { 133 fclose( f ); 134 135 mbedtls_zeroize( *buf, *n ); 136 mbedtls_free( *buf ); 137 138 return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); 139 } 140 141 fclose( f ); 142 143 (*buf)[*n] = '\0'; 144 145 if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL ) 146 ++*n; 147 148 return( 0 ); 149 } 150 151 /* 152 * Load and parse a private key 153 */ 154 int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, 155 const char *path, const char *pwd ) 156 { 157 int ret; 158 size_t n; 159 unsigned char *buf; 160 161 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 162 return( ret ); 163 164 if( pwd == NULL ) 165 ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 ); 166 else 167 ret = mbedtls_pk_parse_key( ctx, buf, n, 168 (const unsigned char *) pwd, strlen( pwd ) ); 169 170 mbedtls_zeroize( buf, n ); 171 mbedtls_free( buf ); 172 173 return( ret ); 174 } 175 176 /* 177 * Load and parse a public key 178 */ 179 int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path ) 180 { 181 int ret; 182 size_t n; 183 unsigned char *buf; 184 185 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 186 return( ret ); 187 188 ret = mbedtls_pk_parse_public_key( ctx, buf, n ); 189 190 mbedtls_zeroize( buf, n ); 191 mbedtls_free( buf ); 192 193 return( ret ); 194 } 195 #endif /* MBEDTLS_FS_IO */ 196 197 #if defined(MBEDTLS_ECP_C) 198 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf 199 * 200 * ECParameters ::= CHOICE { 201 * namedCurve OBJECT IDENTIFIER 202 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 203 * -- implicitCurve NULL 204 * } 205 */ 206 static int pk_get_ecparams( unsigned char **p, const unsigned char *end, 207 mbedtls_asn1_buf *params ) 208 { 209 int ret; 210 211 if ( end - *p < 1 ) 212 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 213 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 214 215 /* Tag may be either OID or SEQUENCE */ 216 params->tag = **p; 217 if( params->tag != MBEDTLS_ASN1_OID 218 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 219 && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) 220 #endif 221 ) 222 { 223 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 224 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 225 } 226 227 if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 ) 228 { 229 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 230 } 231 232 params->p = *p; 233 *p += params->len; 234 235 if( *p != end ) 236 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 237 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 238 239 return( 0 ); 240 } 241 242 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 243 /* 244 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. 245 * WARNING: the resulting group should only be used with 246 * pk_group_id_from_specified(), since its base point may not be set correctly 247 * if it was encoded compressed. 248 * 249 * SpecifiedECDomain ::= SEQUENCE { 250 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...), 251 * fieldID FieldID {{FieldTypes}}, 252 * curve Curve, 253 * base ECPoint, 254 * order INTEGER, 255 * cofactor INTEGER OPTIONAL, 256 * hash HashAlgorithm OPTIONAL, 257 * ... 258 * } 259 * 260 * We only support prime-field as field type, and ignore hash and cofactor. 261 */ 262 static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 263 { 264 int ret; 265 unsigned char *p = params->p; 266 const unsigned char * const end = params->p + params->len; 267 const unsigned char *end_field, *end_curve; 268 size_t len; 269 int ver; 270 271 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */ 272 if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 ) 273 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 274 275 if( ver < 1 || ver > 3 ) 276 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 277 278 /* 279 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field 280 * fieldType FIELD-ID.&id({IOSet}), 281 * parameters FIELD-ID.&Type({IOSet}{@fieldType}) 282 * } 283 */ 284 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 285 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 286 return( ret ); 287 288 end_field = p + len; 289 290 /* 291 * FIELD-ID ::= TYPE-IDENTIFIER 292 * FieldTypes FIELD-ID ::= { 293 * { Prime-p IDENTIFIED BY prime-field } | 294 * { Characteristic-two IDENTIFIED BY characteristic-two-field } 295 * } 296 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 297 */ 298 if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 ) 299 return( ret ); 300 301 if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) || 302 memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 ) 303 { 304 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 305 } 306 307 p += len; 308 309 /* Prime-p ::= INTEGER -- Field of size p. */ 310 if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 ) 311 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 312 313 grp->pbits = mbedtls_mpi_bitlen( &grp->P ); 314 315 if( p != end_field ) 316 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 317 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 318 319 /* 320 * Curve ::= SEQUENCE { 321 * a FieldElement, 322 * b FieldElement, 323 * seed BIT STRING OPTIONAL 324 * -- Shall be present if used in SpecifiedECDomain 325 * -- with version equal to ecdpVer2 or ecdpVer3 326 * } 327 */ 328 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 329 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 330 return( ret ); 331 332 end_curve = p + len; 333 334 /* 335 * FieldElement ::= OCTET STRING 336 * containing an integer in the case of a prime field 337 */ 338 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 339 ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 ) 340 { 341 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 342 } 343 344 p += len; 345 346 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 || 347 ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 ) 348 { 349 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 350 } 351 352 p += len; 353 354 /* Ignore seed BIT STRING OPTIONAL */ 355 if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 ) 356 p += len; 357 358 if( p != end_curve ) 359 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 360 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 361 362 /* 363 * ECPoint ::= OCTET STRING 364 */ 365 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 366 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 367 368 if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G, 369 ( const unsigned char *) p, len ) ) != 0 ) 370 { 371 /* 372 * If we can't read the point because it's compressed, cheat by 373 * reading only the X coordinate and the parity bit of Y. 374 */ 375 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE || 376 ( p[0] != 0x02 && p[0] != 0x03 ) || 377 len != mbedtls_mpi_size( &grp->P ) + 1 || 378 mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 || 379 mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 || 380 mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 ) 381 { 382 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 383 } 384 } 385 386 p += len; 387 388 /* 389 * order INTEGER 390 */ 391 if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 ) 392 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 393 394 grp->nbits = mbedtls_mpi_bitlen( &grp->N ); 395 396 /* 397 * Allow optional elements by purposefully not enforcing p == end here. 398 */ 399 400 return( 0 ); 401 } 402 403 /* 404 * Find the group id associated with an (almost filled) group as generated by 405 * pk_group_from_specified(), or return an error if unknown. 406 */ 407 static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id ) 408 { 409 int ret = 0; 410 mbedtls_ecp_group ref; 411 const mbedtls_ecp_group_id *id; 412 413 mbedtls_ecp_group_init( &ref ); 414 415 for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ ) 416 { 417 /* Load the group associated to that id */ 418 mbedtls_ecp_group_free( &ref ); 419 MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) ); 420 421 /* Compare to the group we were given, starting with easy tests */ 422 if( grp->pbits == ref.pbits && grp->nbits == ref.nbits && 423 mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 && 424 mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 && 425 mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 && 426 mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 && 427 mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 && 428 mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 && 429 /* For Y we may only know the parity bit, so compare only that */ 430 mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) ) 431 { 432 break; 433 } 434 435 } 436 437 cleanup: 438 mbedtls_ecp_group_free( &ref ); 439 440 *grp_id = *id; 441 442 if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE ) 443 ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; 444 445 return( ret ); 446 } 447 448 /* 449 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID 450 */ 451 static int pk_group_id_from_specified( const mbedtls_asn1_buf *params, 452 mbedtls_ecp_group_id *grp_id ) 453 { 454 int ret; 455 mbedtls_ecp_group grp; 456 457 mbedtls_ecp_group_init( &grp ); 458 459 if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 ) 460 goto cleanup; 461 462 ret = pk_group_id_from_group( &grp, grp_id ); 463 464 cleanup: 465 mbedtls_ecp_group_free( &grp ); 466 467 return( ret ); 468 } 469 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ 470 471 /* 472 * Use EC parameters to initialise an EC group 473 * 474 * ECParameters ::= CHOICE { 475 * namedCurve OBJECT IDENTIFIER 476 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } 477 * -- implicitCurve NULL 478 */ 479 static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp ) 480 { 481 int ret; 482 mbedtls_ecp_group_id grp_id; 483 484 if( params->tag == MBEDTLS_ASN1_OID ) 485 { 486 if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 ) 487 return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE ); 488 } 489 else 490 { 491 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) 492 if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 ) 493 return( ret ); 494 #else 495 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 496 #endif 497 } 498 499 /* 500 * grp may already be initilialized; if so, make sure IDs match 501 */ 502 if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id ) 503 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 504 505 if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 ) 506 return( ret ); 507 508 return( 0 ); 509 } 510 511 /* 512 * EC public key is an EC point 513 * 514 * The caller is responsible for clearing the structure upon failure if 515 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE 516 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. 517 */ 518 static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end, 519 mbedtls_ecp_keypair *key ) 520 { 521 int ret; 522 523 if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q, 524 (const unsigned char *) *p, end - *p ) ) == 0 ) 525 { 526 ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q ); 527 } 528 529 /* 530 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed 531 */ 532 *p = (unsigned char *) end; 533 534 return( ret ); 535 } 536 #endif /* MBEDTLS_ECP_C */ 537 538 #if defined(MBEDTLS_RSA_C) 539 /* 540 * RSAPublicKey ::= SEQUENCE { 541 * modulus INTEGER, -- n 542 * publicExponent INTEGER -- e 543 * } 544 */ 545 static int pk_get_rsapubkey( unsigned char **p, 546 const unsigned char *end, 547 mbedtls_rsa_context *rsa ) 548 { 549 int ret; 550 size_t len; 551 552 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 553 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 554 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 555 556 if( *p + len != end ) 557 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 558 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 559 560 /* Import N */ 561 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 562 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 563 564 if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0, 565 NULL, 0, NULL, 0 ) ) != 0 ) 566 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 567 568 *p += len; 569 570 /* Import E */ 571 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) 572 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 573 574 if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0, 575 NULL, 0, *p, len ) ) != 0 ) 576 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 577 578 *p += len; 579 580 if( mbedtls_rsa_complete( rsa ) != 0 || 581 mbedtls_rsa_check_pubkey( rsa ) != 0 ) 582 { 583 return( MBEDTLS_ERR_PK_INVALID_PUBKEY ); 584 } 585 586 if( *p != end ) 587 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 588 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 589 590 return( 0 ); 591 } 592 #endif /* MBEDTLS_RSA_C */ 593 594 /* Get a PK algorithm identifier 595 * 596 * AlgorithmIdentifier ::= SEQUENCE { 597 * algorithm OBJECT IDENTIFIER, 598 * parameters ANY DEFINED BY algorithm OPTIONAL } 599 */ 600 static int pk_get_pk_alg( unsigned char **p, 601 const unsigned char *end, 602 mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params ) 603 { 604 int ret; 605 mbedtls_asn1_buf alg_oid; 606 607 memset( params, 0, sizeof(mbedtls_asn1_buf) ); 608 609 if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 ) 610 return( MBEDTLS_ERR_PK_INVALID_ALG + ret ); 611 612 if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 ) 613 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 614 615 /* 616 * No parameters with RSA (only for EC) 617 */ 618 if( *pk_alg == MBEDTLS_PK_RSA && 619 ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) || 620 params->len != 0 ) ) 621 { 622 return( MBEDTLS_ERR_PK_INVALID_ALG ); 623 } 624 625 return( 0 ); 626 } 627 628 /* 629 * SubjectPublicKeyInfo ::= SEQUENCE { 630 * algorithm AlgorithmIdentifier, 631 * subjectPublicKey BIT STRING } 632 */ 633 int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end, 634 mbedtls_pk_context *pk ) 635 { 636 int ret; 637 size_t len; 638 mbedtls_asn1_buf alg_params; 639 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 640 const mbedtls_pk_info_t *pk_info; 641 642 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 643 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 644 { 645 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 646 } 647 648 end = *p + len; 649 650 if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 ) 651 return( ret ); 652 653 if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 ) 654 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret ); 655 656 if( *p + len != end ) 657 return( MBEDTLS_ERR_PK_INVALID_PUBKEY + 658 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 659 660 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 661 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 662 663 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 664 return( ret ); 665 666 #if defined(MBEDTLS_RSA_C) 667 if( pk_alg == MBEDTLS_PK_RSA ) 668 { 669 ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) ); 670 } else 671 #endif /* MBEDTLS_RSA_C */ 672 #if defined(MBEDTLS_ECP_C) 673 if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY ) 674 { 675 ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp ); 676 if( ret == 0 ) 677 ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) ); 678 } else 679 #endif /* MBEDTLS_ECP_C */ 680 ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; 681 682 if( ret == 0 && *p != end ) 683 ret = MBEDTLS_ERR_PK_INVALID_PUBKEY 684 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 685 686 if( ret != 0 ) 687 mbedtls_pk_free( pk ); 688 689 return( ret ); 690 } 691 692 #if defined(MBEDTLS_RSA_C) 693 /* 694 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. 695 * 696 * The value zero is: 697 * - never a valid value for an RSA parameter 698 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). 699 * 700 * Since values can't be omitted in PKCS#1, passing a zero value to 701 * rsa_complete() would be incorrect, so reject zero values early. 702 */ 703 static int asn1_get_nonzero_mpi( unsigned char **p, 704 const unsigned char *end, 705 mbedtls_mpi *X ) 706 { 707 int ret; 708 709 ret = mbedtls_asn1_get_mpi( p, end, X ); 710 if( ret != 0 ) 711 return( ret ); 712 713 if( mbedtls_mpi_cmp_int( X, 0 ) == 0 ) 714 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 715 716 return( 0 ); 717 } 718 719 /* 720 * Parse a PKCS#1 encoded private RSA key 721 */ 722 static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa, 723 const unsigned char *key, 724 size_t keylen ) 725 { 726 int ret, version; 727 size_t len; 728 unsigned char *p, *end; 729 730 mbedtls_mpi T; 731 mbedtls_mpi_init( &T ); 732 733 p = (unsigned char *) key; 734 end = p + keylen; 735 736 /* 737 * This function parses the RSAPrivateKey (PKCS#1) 738 * 739 * RSAPrivateKey ::= SEQUENCE { 740 * version Version, 741 * modulus INTEGER, -- n 742 * publicExponent INTEGER, -- e 743 * privateExponent INTEGER, -- d 744 * prime1 INTEGER, -- p 745 * prime2 INTEGER, -- q 746 * exponent1 INTEGER, -- d mod (p-1) 747 * exponent2 INTEGER, -- d mod (q-1) 748 * coefficient INTEGER, -- (inverse of q) mod p 749 * otherPrimeInfos OtherPrimeInfos OPTIONAL 750 * } 751 */ 752 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 753 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 754 { 755 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 756 } 757 758 end = p + len; 759 760 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 761 { 762 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 763 } 764 765 if( version != 0 ) 766 { 767 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 768 } 769 770 /* Import N */ 771 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 772 ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL, 773 NULL, NULL ) ) != 0 ) 774 goto cleanup; 775 776 /* Import E */ 777 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 778 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL, 779 NULL, &T ) ) != 0 ) 780 goto cleanup; 781 782 /* Import D */ 783 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 784 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL, 785 &T, NULL ) ) != 0 ) 786 goto cleanup; 787 788 /* Import P */ 789 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 790 ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL, 791 NULL, NULL ) ) != 0 ) 792 goto cleanup; 793 794 /* Import Q */ 795 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 796 ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T, 797 NULL, NULL ) ) != 0 ) 798 goto cleanup; 799 800 #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) 801 /* 802 * The RSA CRT parameters DP, DQ and QP are nominally redundant, in 803 * that they can be easily recomputed from D, P and Q. However by 804 * parsing them from the PKCS1 structure it is possible to avoid 805 * recalculating them which both reduces the overhead of loading 806 * RSA private keys into memory and also avoids side channels which 807 * can arise when computing those values, since all of D, P, and Q 808 * are secret. See https://eprint.iacr.org/2020/055 for a 809 * description of one such attack. 810 */ 811 812 /* Import DP */ 813 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 814 ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 ) 815 goto cleanup; 816 817 /* Import DQ */ 818 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 819 ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 ) 820 goto cleanup; 821 822 /* Import QP */ 823 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 824 ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 ) 825 goto cleanup; 826 827 #else 828 /* Verify existance of the CRT params */ 829 if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 830 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 || 831 ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ) 832 goto cleanup; 833 #endif 834 835 /* rsa_complete() doesn't complete anything with the default 836 * implementation but is still called: 837 * - for the benefit of alternative implementation that may want to 838 * pre-compute stuff beyond what's provided (eg Montgomery factors) 839 * - as is also sanity-checks the key 840 * 841 * Furthermore, we also check the public part for consistency with 842 * mbedtls_pk_parse_pubkey(), as it includes size minima for example. 843 */ 844 if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 || 845 ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 ) 846 { 847 goto cleanup; 848 } 849 850 if( p != end ) 851 { 852 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 853 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ; 854 } 855 856 cleanup: 857 858 mbedtls_mpi_free( &T ); 859 860 if( ret != 0 ) 861 { 862 /* Wrap error code if it's coming from a lower level */ 863 if( ( ret & 0xff80 ) == 0 ) 864 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret; 865 else 866 ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 867 868 mbedtls_rsa_free( rsa ); 869 } 870 871 return( ret ); 872 } 873 #endif /* MBEDTLS_RSA_C */ 874 875 #if defined(MBEDTLS_ECP_C) 876 /* 877 * Parse a SEC1 encoded private EC key 878 */ 879 static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, 880 const unsigned char *key, 881 size_t keylen ) 882 { 883 int ret; 884 int version, pubkey_done; 885 size_t len; 886 mbedtls_asn1_buf params; 887 unsigned char *p = (unsigned char *) key; 888 unsigned char *end = p + keylen; 889 unsigned char *end2; 890 891 /* 892 * RFC 5915, or SEC1 Appendix C.4 893 * 894 * ECPrivateKey ::= SEQUENCE { 895 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), 896 * privateKey OCTET STRING, 897 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, 898 * publicKey [1] BIT STRING OPTIONAL 899 * } 900 */ 901 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 902 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 903 { 904 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 905 } 906 907 end = p + len; 908 909 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 910 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 911 912 if( version != 1 ) 913 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION ); 914 915 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 916 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 917 918 if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 ) 919 { 920 mbedtls_ecp_keypair_free( eck ); 921 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 922 } 923 924 p += len; 925 926 pubkey_done = 0; 927 if( p != end ) 928 { 929 /* 930 * Is 'parameters' present? 931 */ 932 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 933 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 ) 934 { 935 if( ( ret = pk_get_ecparams( &p, p + len, ¶ms) ) != 0 || 936 ( ret = pk_use_ecparams( ¶ms, &eck->grp ) ) != 0 ) 937 { 938 mbedtls_ecp_keypair_free( eck ); 939 return( ret ); 940 } 941 } 942 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 943 { 944 mbedtls_ecp_keypair_free( eck ); 945 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 946 } 947 } 948 949 if( p != end ) 950 { 951 /* 952 * Is 'publickey' present? If not, or if we can't read it (eg because it 953 * is compressed), create it from the private key. 954 */ 955 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 956 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 ) 957 { 958 end2 = p + len; 959 960 if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 ) 961 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 962 963 if( p + len != end2 ) 964 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 965 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 966 967 if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 ) 968 pubkey_done = 1; 969 else 970 { 971 /* 972 * The only acceptable failure mode of pk_get_ecpubkey() above 973 * is if the point format is not recognized. 974 */ 975 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ) 976 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 977 } 978 } 979 else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 980 { 981 mbedtls_ecp_keypair_free( eck ); 982 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 983 } 984 } 985 986 if( ! pubkey_done && 987 ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G, 988 NULL, NULL ) ) != 0 ) 989 { 990 mbedtls_ecp_keypair_free( eck ); 991 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 992 } 993 994 if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 ) 995 { 996 mbedtls_ecp_keypair_free( eck ); 997 return( ret ); 998 } 999 1000 return( 0 ); 1001 } 1002 #endif /* MBEDTLS_ECP_C */ 1003 1004 /* 1005 * Parse an unencrypted PKCS#8 encoded private key 1006 * 1007 * Notes: 1008 * 1009 * - This function does not own the key buffer. It is the 1010 * responsibility of the caller to take care of zeroizing 1011 * and freeing it after use. 1012 * 1013 * - The function is responsible for freeing the provided 1014 * PK context on failure. 1015 * 1016 */ 1017 static int pk_parse_key_pkcs8_unencrypted_der( 1018 mbedtls_pk_context *pk, 1019 const unsigned char* key, 1020 size_t keylen ) 1021 { 1022 int ret, version; 1023 size_t len; 1024 mbedtls_asn1_buf params; 1025 unsigned char *p = (unsigned char *) key; 1026 unsigned char *end = p + keylen; 1027 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 1028 const mbedtls_pk_info_t *pk_info; 1029 1030 /* 1031 * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208) 1032 * 1033 * PrivateKeyInfo ::= SEQUENCE { 1034 * version Version, 1035 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, 1036 * privateKey PrivateKey, 1037 * attributes [0] IMPLICIT Attributes OPTIONAL } 1038 * 1039 * Version ::= INTEGER 1040 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier 1041 * PrivateKey ::= OCTET STRING 1042 * 1043 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey 1044 */ 1045 1046 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1047 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1048 { 1049 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1050 } 1051 1052 end = p + len; 1053 1054 if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 ) 1055 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1056 1057 if( version != 0 ) 1058 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret ); 1059 1060 if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 ) 1061 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1062 1063 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1064 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1065 1066 if( len < 1 ) 1067 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + 1068 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 1069 1070 if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL ) 1071 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1072 1073 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ) 1074 return( ret ); 1075 1076 #if defined(MBEDTLS_RSA_C) 1077 if( pk_alg == MBEDTLS_PK_RSA ) 1078 { 1079 if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 ) 1080 { 1081 mbedtls_pk_free( pk ); 1082 return( ret ); 1083 } 1084 } else 1085 #endif /* MBEDTLS_RSA_C */ 1086 #if defined(MBEDTLS_ECP_C) 1087 if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH ) 1088 { 1089 if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 || 1090 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 ) 1091 { 1092 mbedtls_pk_free( pk ); 1093 return( ret ); 1094 } 1095 } else 1096 #endif /* MBEDTLS_ECP_C */ 1097 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG ); 1098 1099 return( 0 ); 1100 } 1101 1102 /* 1103 * Parse an encrypted PKCS#8 encoded private key 1104 * 1105 * To save space, the decryption happens in-place on the given key buffer. 1106 * Also, while this function may modify the keybuffer, it doesn't own it, 1107 * and instead it is the responsibility of the caller to zeroize and properly 1108 * free it after use. 1109 * 1110 */ 1111 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1112 static int pk_parse_key_pkcs8_encrypted_der( 1113 mbedtls_pk_context *pk, 1114 unsigned char *key, size_t keylen, 1115 const unsigned char *pwd, size_t pwdlen ) 1116 { 1117 int ret, decrypted = 0; 1118 size_t len; 1119 unsigned char *buf; 1120 unsigned char *p, *end; 1121 mbedtls_asn1_buf pbe_alg_oid, pbe_params; 1122 #if defined(MBEDTLS_PKCS12_C) 1123 mbedtls_cipher_type_t cipher_alg; 1124 mbedtls_md_type_t md_alg; 1125 #endif 1126 1127 p = key; 1128 end = p + keylen; 1129 1130 if( pwdlen == 0 ) 1131 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1132 1133 /* 1134 * This function parses the EncryptedPrivateKeyInfo object (PKCS#8) 1135 * 1136 * EncryptedPrivateKeyInfo ::= SEQUENCE { 1137 * encryptionAlgorithm EncryptionAlgorithmIdentifier, 1138 * encryptedData EncryptedData 1139 * } 1140 * 1141 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1142 * 1143 * EncryptedData ::= OCTET STRING 1144 * 1145 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo 1146 * 1147 */ 1148 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1149 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1150 { 1151 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1152 } 1153 1154 end = p + len; 1155 1156 if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 ) 1157 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1158 1159 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1160 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); 1161 1162 buf = p; 1163 1164 /* 1165 * Decrypt EncryptedData with appropriate PBE 1166 */ 1167 #if defined(MBEDTLS_PKCS12_C) 1168 if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 ) 1169 { 1170 if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, 1171 cipher_alg, md_alg, 1172 pwd, pwdlen, p, len, buf ) ) != 0 ) 1173 { 1174 if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH ) 1175 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1176 1177 return( ret ); 1178 } 1179 1180 decrypted = 1; 1181 } 1182 else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 ) 1183 { 1184 if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params, 1185 MBEDTLS_PKCS12_PBE_DECRYPT, 1186 pwd, pwdlen, 1187 p, len, buf ) ) != 0 ) 1188 { 1189 return( ret ); 1190 } 1191 1192 // Best guess for password mismatch when using RC4. If first tag is 1193 // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE 1194 // 1195 if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 1196 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1197 1198 decrypted = 1; 1199 } 1200 else 1201 #endif /* MBEDTLS_PKCS12_C */ 1202 #if defined(MBEDTLS_PKCS5_C) 1203 if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 ) 1204 { 1205 if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, 1206 p, len, buf ) ) != 0 ) 1207 { 1208 if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH ) 1209 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1210 1211 return( ret ); 1212 } 1213 1214 decrypted = 1; 1215 } 1216 else 1217 #endif /* MBEDTLS_PKCS5_C */ 1218 { 1219 ((void) pwd); 1220 } 1221 1222 if( decrypted == 0 ) 1223 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 1224 1225 return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) ); 1226 } 1227 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1228 1229 /* 1230 * Parse a private key 1231 */ 1232 int mbedtls_pk_parse_key( mbedtls_pk_context *pk, 1233 const unsigned char *key, size_t keylen, 1234 const unsigned char *pwd, size_t pwdlen ) 1235 { 1236 int ret; 1237 const mbedtls_pk_info_t *pk_info; 1238 1239 #if defined(MBEDTLS_PEM_PARSE_C) 1240 size_t len; 1241 mbedtls_pem_context pem; 1242 1243 mbedtls_pem_init( &pem ); 1244 1245 #if defined(MBEDTLS_RSA_C) 1246 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1247 if( keylen == 0 || key[keylen - 1] != '\0' ) 1248 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1249 else 1250 ret = mbedtls_pem_read_buffer( &pem, 1251 "-----BEGIN RSA PRIVATE KEY-----", 1252 "-----END RSA PRIVATE KEY-----", 1253 key, pwd, pwdlen, &len ); 1254 1255 if( ret == 0 ) 1256 { 1257 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1258 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1259 ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), 1260 pem.buf, pem.buflen ) ) != 0 ) 1261 { 1262 mbedtls_pk_free( pk ); 1263 } 1264 1265 mbedtls_pem_free( &pem ); 1266 return( ret ); 1267 } 1268 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1269 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1270 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1271 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1272 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1273 return( ret ); 1274 #endif /* MBEDTLS_RSA_C */ 1275 1276 #if defined(MBEDTLS_ECP_C) 1277 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1278 if( keylen == 0 || key[keylen - 1] != '\0' ) 1279 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1280 else 1281 ret = mbedtls_pem_read_buffer( &pem, 1282 "-----BEGIN EC PRIVATE KEY-----", 1283 "-----END EC PRIVATE KEY-----", 1284 key, pwd, pwdlen, &len ); 1285 if( ret == 0 ) 1286 { 1287 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1288 1289 if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || 1290 ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1291 pem.buf, pem.buflen ) ) != 0 ) 1292 { 1293 mbedtls_pk_free( pk ); 1294 } 1295 1296 mbedtls_pem_free( &pem ); 1297 return( ret ); 1298 } 1299 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ) 1300 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH ); 1301 else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ) 1302 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED ); 1303 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1304 return( ret ); 1305 #endif /* MBEDTLS_ECP_C */ 1306 1307 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1308 if( keylen == 0 || key[keylen - 1] != '\0' ) 1309 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1310 else 1311 ret = mbedtls_pem_read_buffer( &pem, 1312 "-----BEGIN PRIVATE KEY-----", 1313 "-----END PRIVATE KEY-----", 1314 key, NULL, 0, &len ); 1315 if( ret == 0 ) 1316 { 1317 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, 1318 pem.buf, pem.buflen ) ) != 0 ) 1319 { 1320 mbedtls_pk_free( pk ); 1321 } 1322 1323 mbedtls_pem_free( &pem ); 1324 return( ret ); 1325 } 1326 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1327 return( ret ); 1328 1329 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1330 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1331 if( keylen == 0 || key[keylen - 1] != '\0' ) 1332 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1333 else 1334 ret = mbedtls_pem_read_buffer( &pem, 1335 "-----BEGIN ENCRYPTED PRIVATE KEY-----", 1336 "-----END ENCRYPTED PRIVATE KEY-----", 1337 key, NULL, 0, &len ); 1338 if( ret == 0 ) 1339 { 1340 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, 1341 pem.buf, pem.buflen, 1342 pwd, pwdlen ) ) != 0 ) 1343 { 1344 mbedtls_pk_free( pk ); 1345 } 1346 1347 mbedtls_pem_free( &pem ); 1348 return( ret ); 1349 } 1350 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1351 return( ret ); 1352 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1353 #else 1354 ((void) pwd); 1355 ((void) pwdlen); 1356 #endif /* MBEDTLS_PEM_PARSE_C */ 1357 1358 /* 1359 * At this point we only know it's not a PEM formatted key. Could be any 1360 * of the known DER encoded private key formats 1361 * 1362 * We try the different DER format parsers to see if one passes without 1363 * error 1364 */ 1365 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) 1366 { 1367 unsigned char *key_copy; 1368 1369 if( keylen == 0 ) 1370 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1371 1372 if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL ) 1373 return( MBEDTLS_ERR_PK_ALLOC_FAILED ); 1374 1375 memcpy( key_copy, key, keylen ); 1376 1377 ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen, 1378 pwd, pwdlen ); 1379 1380 mbedtls_zeroize( key_copy, keylen ); 1381 mbedtls_free( key_copy ); 1382 } 1383 1384 if( ret == 0 ) 1385 return( 0 ); 1386 1387 mbedtls_pk_free( pk ); 1388 mbedtls_pk_init( pk ); 1389 1390 if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH ) 1391 { 1392 return( ret ); 1393 } 1394 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ 1395 1396 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 ) 1397 return( 0 ); 1398 1399 mbedtls_pk_free( pk ); 1400 mbedtls_pk_init( pk ); 1401 1402 #if defined(MBEDTLS_RSA_C) 1403 1404 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ); 1405 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1406 pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 ) 1407 { 1408 return( 0 ); 1409 } 1410 1411 mbedtls_pk_free( pk ); 1412 mbedtls_pk_init( pk ); 1413 #endif /* MBEDTLS_RSA_C */ 1414 1415 #if defined(MBEDTLS_ECP_C) 1416 pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); 1417 if( mbedtls_pk_setup( pk, pk_info ) == 0 && 1418 pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), 1419 key, keylen ) == 0 ) 1420 { 1421 return( 0 ); 1422 } 1423 mbedtls_pk_free( pk ); 1424 #endif /* MBEDTLS_ECP_C */ 1425 1426 /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't, 1427 * it is ok to leave the PK context initialized but not 1428 * freed: It is the caller's responsibility to call pk_init() 1429 * before calling this function, and to call pk_free() 1430 * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C 1431 * isn't, this leads to mbedtls_pk_free() being called 1432 * twice, once here and once by the caller, but this is 1433 * also ok and in line with the mbedtls_pk_free() calls 1434 * on failed PEM parsing attempts. */ 1435 1436 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); 1437 } 1438 1439 /* 1440 * Parse a public key 1441 */ 1442 int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, 1443 const unsigned char *key, size_t keylen ) 1444 { 1445 int ret; 1446 unsigned char *p; 1447 #if defined(MBEDTLS_PEM_PARSE_C) 1448 size_t len; 1449 mbedtls_pem_context pem; 1450 1451 mbedtls_pem_init( &pem ); 1452 1453 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ 1454 if( keylen == 0 || key[keylen - 1] != '\0' ) 1455 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 1456 else 1457 ret = mbedtls_pem_read_buffer( &pem, 1458 "-----BEGIN PUBLIC KEY-----", 1459 "-----END PUBLIC KEY-----", 1460 key, NULL, 0, &len ); 1461 1462 if( ret == 0 ) 1463 { 1464 /* 1465 * Was PEM encoded 1466 */ 1467 key = pem.buf; 1468 keylen = pem.buflen; 1469 } 1470 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1471 { 1472 mbedtls_pem_free( &pem ); 1473 return( ret ); 1474 } 1475 #endif /* MBEDTLS_PEM_PARSE_C */ 1476 p = (unsigned char *) key; 1477 1478 ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx ); 1479 1480 #if defined(MBEDTLS_PEM_PARSE_C) 1481 mbedtls_pem_free( &pem ); 1482 #endif 1483 1484 return( ret ); 1485 } 1486 1487 #endif /* MBEDTLS_PK_PARSE_C */ 1488