WebSVN – Kolibri OS – Blame – /programs/develop/libraries/kos_mbedtls/library/pkparse.c

Rev	Author	Line No.	Line
8774	rgimad	1	/*
		2	* Public Key layer for parsing key files and structures
		3	*
		4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
		5	* SPDX-License-Identifier: GPL-2.0
		6	*
		7	* This program is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU General Public License as published by
		9	* the Free Software Foundation; either version 2 of the License, or
		10	* (at your option) any later version.
		11	*
		12	* This program is distributed in the hope that it will be useful,
		13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		15	* GNU General Public License for more details.
		16	*
		17	* You should have received a copy of the GNU General Public License along
		18	* with this program; if not, write to the Free Software Foundation, Inc.,
		19	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		20	*
		21	* This file is part of mbed TLS (https://tls.mbed.org)
		22	*/
		23
		24	#if !defined(MBEDTLS_CONFIG_FILE)
		25	#include "mbedtls/config.h"
		26	#else
		27	#include MBEDTLS_CONFIG_FILE
		28	#endif
		29
		30	#if defined(MBEDTLS_PK_PARSE_C)
		31
		32	#include "mbedtls/pk.h"
		33	#include "mbedtls/asn1.h"
		34	#include "mbedtls/oid.h"
		35	#include "mbedtls/platform_util.h"
		36
		37	#include
		38
		39	#if defined(MBEDTLS_RSA_C)
		40	#include "mbedtls/rsa.h"
		41	#endif
		42	#if defined(MBEDTLS_ECP_C)
		43	#include "mbedtls/ecp.h"
		44	#endif
		45	#if defined(MBEDTLS_ECDSA_C)
		46	#include "mbedtls/ecdsa.h"
		47	#endif
		48	#if defined(MBEDTLS_PEM_PARSE_C)
		49	#include "mbedtls/pem.h"
		50	#endif
		51	#if defined(MBEDTLS_PKCS5_C)
		52	#include "mbedtls/pkcs5.h"
		53	#endif
		54	#if defined(MBEDTLS_PKCS12_C)
		55	#include "mbedtls/pkcs12.h"
		56	#endif
		57
		58	#if defined(MBEDTLS_PLATFORM_C)
		59	#include "mbedtls/platform.h"
		60	#else
		61	#include
		62	#define mbedtls_calloc calloc
		63	#define mbedtls_free free
		64	#endif
		65
		66	/* Parameter validation macros based on platform_util.h */
		67	#define PK_VALIDATE_RET( cond ) \
		68	MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
		69	#define PK_VALIDATE( cond ) \
		70	MBEDTLS_INTERNAL_VALIDATE( cond )
		71
		72	#if defined(MBEDTLS_FS_IO)
		73	/*
		74	* Load all data from a file into a given buffer.
		75	*
		76	* The file is expected to contain either PEM or DER encoded data.
		77	* A terminating null byte is always appended. It is included in the announced
		78	* length only if the data looks like it is PEM encoded.
		79	*/
		80	int mbedtls_pk_load_file( const char path, unsigned char buf, size_t n )
		81	{
		82	FILE *f;
		83	long size;
		84
		85	PK_VALIDATE_RET( path != NULL );
		86	PK_VALIDATE_RET( buf != NULL );
		87	PK_VALIDATE_RET( n != NULL );
		88
		89	if( ( f = fopen( path, "rb" ) ) == NULL )
		90	return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
		91
		92	fseek( f, 0, SEEK_END );
		93	if( ( size = ftell( f ) ) == -1 )
		94	{
		95	fclose( f );
		96	return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
		97	}
		98	fseek( f, 0, SEEK_SET );
		99
		100	*n = (size_t) size;
		101
		102	if( *n + 1 == 0 \|\|
		103	( buf = mbedtls_calloc( 1, n + 1 ) ) == NULL )
		104	{
		105	fclose( f );
		106	return( MBEDTLS_ERR_PK_ALLOC_FAILED );
		107	}
		108
		109	if( fread( buf, 1, n, f ) != *n )
		110	{
		111	fclose( f );
		112
		113	mbedtls_platform_zeroize( buf, n );
		114	mbedtls_free( *buf );
		115
		116	return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
		117	}
		118
		119	fclose( f );
		120
		121	(buf)[n] = '\0';
		122
		123	if( strstr( (const char ) buf, "-----BEGIN " ) != NULL )
		124	++*n;
		125
		126	return( 0 );
		127	}
		128
		129	/*
		130	* Load and parse a private key
		131	*/
		132	int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
		133	const char path, const char pwd )
		134	{
		135	int ret;
		136	size_t n;
		137	unsigned char *buf;
		138
		139	PK_VALIDATE_RET( ctx != NULL );
		140	PK_VALIDATE_RET( path != NULL );
		141
		142	if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
		143	return( ret );
		144
		145	if( pwd == NULL )
		146	ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
		147	else
		148	ret = mbedtls_pk_parse_key( ctx, buf, n,
		149	(const unsigned char *) pwd, strlen( pwd ) );
		150
		151	mbedtls_platform_zeroize( buf, n );
		152	mbedtls_free( buf );
		153
		154	return( ret );
		155	}
		156
		157	/*
		158	* Load and parse a public key
		159	*/
		160	int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context ctx, const char path )
		161	{
		162	int ret;
		163	size_t n;
		164	unsigned char *buf;
		165
		166	PK_VALIDATE_RET( ctx != NULL );
		167	PK_VALIDATE_RET( path != NULL );
		168
		169	if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
		170	return( ret );
		171
		172	ret = mbedtls_pk_parse_public_key( ctx, buf, n );
		173
		174	mbedtls_platform_zeroize( buf, n );
		175	mbedtls_free( buf );
		176
		177	return( ret );
		178	}
		179	#endif /* MBEDTLS_FS_IO */
		180
		181	#if defined(MBEDTLS_ECP_C)
		182	/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
		183	*
		184	* ECParameters ::= CHOICE {
		185	* namedCurve OBJECT IDENTIFIER
		186	* specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
		187	* -- implicitCurve NULL
		188	* }
		189	*/
		190	static int pk_get_ecparams( unsigned char *p, const unsigned char end,
		191	mbedtls_asn1_buf *params )
		192	{
		193	int ret;
		194
		195	if ( end - *p < 1 )
		196	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		197	MBEDTLS_ERR_ASN1_OUT_OF_DATA );
		198
		199	/* Tag may be either OID or SEQUENCE */
		200	params->tag = **p;
		201	if( params->tag != MBEDTLS_ASN1_OID
		202	#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
		203	&& params->tag != ( MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE )
		204	#endif
		205	)
		206	{
		207	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		208	MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
		209	}
		210
		211	if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 )
		212	{
		213	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		214	}
		215
		216	params->p = *p;
		217	*p += params->len;
		218
		219	if( *p != end )
		220	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		221	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		222
		223	return( 0 );
		224	}
		225
		226	#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
		227	/*
		228	* Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
		229	* WARNING: the resulting group should only be used with
		230	* pk_group_id_from_specified(), since its base point may not be set correctly
		231	* if it was encoded compressed.
		232	*
		233	* SpecifiedECDomain ::= SEQUENCE {
		234	* version SpecifiedECDomainVersion(ecdpVer1 \| ecdpVer2 \| ecdpVer3, ...),
		235	* fieldID FieldID {{FieldTypes}},
		236	* curve Curve,
		237	* base ECPoint,
		238	* order INTEGER,
		239	* cofactor INTEGER OPTIONAL,
		240	* hash HashAlgorithm OPTIONAL,
		241	* ...
		242	* }
		243	*
		244	* We only support prime-field as field type, and ignore hash and cofactor.
		245	*/
		246	static int pk_group_from_specified( const mbedtls_asn1_buf params, mbedtls_ecp_group grp )
		247	{
		248	int ret;
		249	unsigned char *p = params->p;
		250	const unsigned char * const end = params->p + params->len;
		251	const unsigned char end_field, end_curve;
		252	size_t len;
		253	int ver;
		254
		255	/* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
		256	if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
		257	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		258
		259	if( ver < 1 \|\| ver > 3 )
		260	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		261
		262	/*
		263	* FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
		264	* fieldType FIELD-ID.&id({IOSet}),
		265	* parameters FIELD-ID.&Type({IOSet}{@fieldType})
		266	* }
		267	*/
		268	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		269	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		270	return( ret );
		271
		272	end_field = p + len;
		273
		274	/*
		275	* FIELD-ID ::= TYPE-IDENTIFIER
		276	* FieldTypes FIELD-ID ::= {
		277	* { Prime-p IDENTIFIED BY prime-field } \|
		278	* { Characteristic-two IDENTIFIED BY characteristic-two-field }
		279	* }
		280	* prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
		281	*/
		282	if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
		283	return( ret );
		284
		285	if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) \|\|
		286	memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
		287	{
		288	return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
		289	}
		290
		291	p += len;
		292
		293	/* Prime-p ::= INTEGER -- Field of size p. */
		294	if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
		295	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		296
		297	grp->pbits = mbedtls_mpi_bitlen( &grp->P );
		298
		299	if( p != end_field )
		300	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		301	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		302
		303	/*
		304	* Curve ::= SEQUENCE {
		305	* a FieldElement,
		306	* b FieldElement,
		307	* seed BIT STRING OPTIONAL
		308	* -- Shall be present if used in SpecifiedECDomain
		309	* -- with version equal to ecdpVer2 or ecdpVer3
		310	* }
		311	*/
		312	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		313	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		314	return( ret );
		315
		316	end_curve = p + len;
		317
		318	/*
		319	* FieldElement ::= OCTET STRING
		320	* containing an integer in the case of a prime field
		321	*/
		322	if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 \|\|
		323	( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
		324	{
		325	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		326	}
		327
		328	p += len;
		329
		330	if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 \|\|
		331	( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
		332	{
		333	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		334	}
		335
		336	p += len;
		337
		338	/* Ignore seed BIT STRING OPTIONAL */
		339	if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
		340	p += len;
		341
		342	if( p != end_curve )
		343	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		344	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		345
		346	/*
		347	* ECPoint ::= OCTET STRING
		348	*/
		349	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
		350	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		351
		352	if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
		353	( const unsigned char *) p, len ) ) != 0 )
		354	{
		355	/*
		356	* If we can't read the point because it's compressed, cheat by
		357	* reading only the X coordinate and the parity bit of Y.
		358	*/
		359	if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE \|\|
		360	( p[0] != 0x02 && p[0] != 0x03 ) \|\|
		361	len != mbedtls_mpi_size( &grp->P ) + 1 \|\|
		362	mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 \|\|
		363	mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 \|\|
		364	mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
		365	{
		366	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		367	}
		368	}
		369
		370	p += len;
		371
		372	/*
		373	* order INTEGER
		374	*/
		375	if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
		376	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		377
		378	grp->nbits = mbedtls_mpi_bitlen( &grp->N );
		379
		380	/*
		381	* Allow optional elements by purposefully not enforcing p == end here.
		382	*/
		383
		384	return( 0 );
		385	}
		386
		387	/*
		388	* Find the group id associated with an (almost filled) group as generated by
		389	* pk_group_from_specified(), or return an error if unknown.
		390	*/
		391	static int pk_group_id_from_group( const mbedtls_ecp_group grp, mbedtls_ecp_group_id grp_id )
		392	{
		393	int ret = 0;
		394	mbedtls_ecp_group ref;
		395	const mbedtls_ecp_group_id *id;
		396
		397	mbedtls_ecp_group_init( &ref );
		398
		399	for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
		400	{
		401	/* Load the group associated to that id */
		402	mbedtls_ecp_group_free( &ref );
		403	MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
		404
		405	/* Compare to the group we were given, starting with easy tests */
		406	if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
		407	mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
		408	mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
		409	mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
		410	mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
		411	mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
		412	mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
		413	/* For Y we may only know the parity bit, so compare only that */
		414	mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
		415	{
		416	break;
		417	}
		418
		419	}
		420
		421	cleanup:
		422	mbedtls_ecp_group_free( &ref );
		423
		424	grp_id = id;
		425
		426	if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
		427	ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
		428
		429	return( ret );
		430	}
		431
		432	/*
		433	* Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
		434	*/
		435	static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
		436	mbedtls_ecp_group_id *grp_id )
		437	{
		438	int ret;
		439	mbedtls_ecp_group grp;
		440
		441	mbedtls_ecp_group_init( &grp );
		442
		443	if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
		444	goto cleanup;
		445
		446	ret = pk_group_id_from_group( &grp, grp_id );
		447
		448	cleanup:
		449	mbedtls_ecp_group_free( &grp );
		450
		451	return( ret );
		452	}
		453	#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
		454
		455	/*
		456	* Use EC parameters to initialise an EC group
		457	*
		458	* ECParameters ::= CHOICE {
		459	* namedCurve OBJECT IDENTIFIER
		460	* specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
		461	* -- implicitCurve NULL
		462	*/
		463	static int pk_use_ecparams( const mbedtls_asn1_buf params, mbedtls_ecp_group grp )
		464	{
		465	int ret;
		466	mbedtls_ecp_group_id grp_id;
		467
		468	if( params->tag == MBEDTLS_ASN1_OID )
		469	{
		470	if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
		471	return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
		472	}
		473	else
		474	{
		475	#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
		476	if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
		477	return( ret );
		478	#else
		479	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		480	#endif
		481	}
		482
		483	/*
		484	* grp may already be initilialized; if so, make sure IDs match
		485	*/
		486	if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
		487	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		488
		489	if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
		490	return( ret );
		491
		492	return( 0 );
		493	}
		494
		495	/*
		496	* EC public key is an EC point
		497	*
		498	* The caller is responsible for clearing the structure upon failure if
		499	* desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
		500	* return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
		501	*/
		502	static int pk_get_ecpubkey( unsigned char *p, const unsigned char end,
		503	mbedtls_ecp_keypair *key )
		504	{
		505	int ret;
		506
		507	if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
		508	(const unsigned char ) p, end - *p ) ) == 0 )
		509	{
		510	ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
		511	}
		512
		513	/*
		514	* We know mbedtls_ecp_point_read_binary consumed all bytes or failed
		515	*/
		516	p = (unsigned char ) end;
		517
		518	return( ret );
		519	}
		520	#endif /* MBEDTLS_ECP_C */
		521
		522	#if defined(MBEDTLS_RSA_C)
		523	/*
		524	* RSAPublicKey ::= SEQUENCE {
		525	* modulus INTEGER, -- n
		526	* publicExponent INTEGER -- e
		527	* }
		528	*/
		529	static int pk_get_rsapubkey( unsigned char **p,
		530	const unsigned char *end,
		531	mbedtls_rsa_context *rsa )
		532	{
		533	int ret;
		534	size_t len;
		535
		536	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
		537	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		538	return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
		539
		540	if( *p + len != end )
		541	return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
		542	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		543
		544	/* Import N */
		545	if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
		546	return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
		547
		548	if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
		549	NULL, 0, NULL, 0 ) ) != 0 )
		550	return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
		551
		552	*p += len;
		553
		554	/* Import E */
		555	if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
		556	return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
		557
		558	if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
		559	NULL, 0, *p, len ) ) != 0 )
		560	return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
		561
		562	*p += len;
		563
		564	if( mbedtls_rsa_complete( rsa ) != 0 \|\|
		565	mbedtls_rsa_check_pubkey( rsa ) != 0 )
		566	{
		567	return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
		568	}
		569
		570	if( *p != end )
		571	return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
		572	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		573
		574	return( 0 );
		575	}
		576	#endif /* MBEDTLS_RSA_C */
		577
		578	/* Get a PK algorithm identifier
		579	*
		580	* AlgorithmIdentifier ::= SEQUENCE {
		581	* algorithm OBJECT IDENTIFIER,
		582	* parameters ANY DEFINED BY algorithm OPTIONAL }
		583	*/
		584	static int pk_get_pk_alg( unsigned char **p,
		585	const unsigned char *end,
		586	mbedtls_pk_type_t pk_alg, mbedtls_asn1_buf params )
		587	{
		588	int ret;
		589	mbedtls_asn1_buf alg_oid;
		590
		591	memset( params, 0, sizeof(mbedtls_asn1_buf) );
		592
		593	if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
		594	return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
		595
		596	if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
		597	return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
		598
		599	/*
		600	* No parameters with RSA (only for EC)
		601	*/
		602	if( *pk_alg == MBEDTLS_PK_RSA &&
		603	( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) \|\|
		604	params->len != 0 ) )
		605	{
		606	return( MBEDTLS_ERR_PK_INVALID_ALG );
		607	}
		608
		609	return( 0 );
		610	}
		611
		612	/*
		613	* SubjectPublicKeyInfo ::= SEQUENCE {
		614	* algorithm AlgorithmIdentifier,
		615	* subjectPublicKey BIT STRING }
		616	*/
		617	int mbedtls_pk_parse_subpubkey( unsigned char *p, const unsigned char end,
		618	mbedtls_pk_context *pk )
		619	{
		620	int ret;
		621	size_t len;
		622	mbedtls_asn1_buf alg_params;
		623	mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
		624	const mbedtls_pk_info_t *pk_info;
		625
		626	PK_VALIDATE_RET( p != NULL );
		627	PK_VALIDATE_RET( *p != NULL );
		628	PK_VALIDATE_RET( end != NULL );
		629	PK_VALIDATE_RET( pk != NULL );
		630
		631	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
		632	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		633	{
		634	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		635	}
		636
		637	end = *p + len;
		638
		639	if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
		640	return( ret );
		641
		642	if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
		643	return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
		644
		645	if( *p + len != end )
		646	return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
		647	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		648
		649	if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
		650	return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
		651
		652	if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
		653	return( ret );
		654
		655	#if defined(MBEDTLS_RSA_C)
		656	if( pk_alg == MBEDTLS_PK_RSA )
		657	{
		658	ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
		659	} else
		660	#endif /* MBEDTLS_RSA_C */
		661	#if defined(MBEDTLS_ECP_C)
		662	if( pk_alg == MBEDTLS_PK_ECKEY_DH \|\| pk_alg == MBEDTLS_PK_ECKEY )
		663	{
		664	ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
		665	if( ret == 0 )
		666	ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
		667	} else
		668	#endif /* MBEDTLS_ECP_C */
		669	ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
		670
		671	if( ret == 0 && *p != end )
		672	ret = MBEDTLS_ERR_PK_INVALID_PUBKEY
		673	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
		674
		675	if( ret != 0 )
		676	mbedtls_pk_free( pk );
		677
		678	return( ret );
		679	}
		680
		681	#if defined(MBEDTLS_RSA_C)
		682	/*
		683	* Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
		684	*
		685	* The value zero is:
		686	* - never a valid value for an RSA parameter
		687	* - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
		688	*
		689	* Since values can't be omitted in PKCS#1, passing a zero value to
		690	* rsa_complete() would be incorrect, so reject zero values early.
		691	*/
		692	static int asn1_get_nonzero_mpi( unsigned char **p,
		693	const unsigned char *end,
		694	mbedtls_mpi *X )
		695	{
		696	int ret;
		697
		698	ret = mbedtls_asn1_get_mpi( p, end, X );
		699	if( ret != 0 )
		700	return( ret );
		701
		702	if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
		703	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		704
		705	return( 0 );
		706	}
		707
		708	/*
		709	* Parse a PKCS#1 encoded private RSA key
		710	*/
		711	static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
		712	const unsigned char *key,
		713	size_t keylen )
		714	{
		715	int ret, version;
		716	size_t len;
		717	unsigned char p, end;
		718
		719	mbedtls_mpi T;
		720	mbedtls_mpi_init( &T );
		721
		722	p = (unsigned char *) key;
		723	end = p + keylen;
		724
		725	/*
		726	* This function parses the RSAPrivateKey (PKCS#1)
		727	*
		728	* RSAPrivateKey ::= SEQUENCE {
		729	* version Version,
		730	* modulus INTEGER, -- n
		731	* publicExponent INTEGER, -- e
		732	* privateExponent INTEGER, -- d
		733	* prime1 INTEGER, -- p
		734	* prime2 INTEGER, -- q
		735	* exponent1 INTEGER, -- d mod (p-1)
		736	* exponent2 INTEGER, -- d mod (q-1)
		737	* coefficient INTEGER, -- (inverse of q) mod p
		738	* otherPrimeInfos OtherPrimeInfos OPTIONAL
		739	* }
		740	*/
		741	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		742	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		743	{
		744	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		745	}
		746
		747	end = p + len;
		748
		749	if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
		750	{
		751	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		752	}
		753
		754	if( version != 0 )
		755	{
		756	return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
		757	}
		758
		759	/* Import N */
		760	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		761	( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
		762	NULL, NULL ) ) != 0 )
		763	goto cleanup;
		764
		765	/* Import E */
		766	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		767	( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
		768	NULL, &T ) ) != 0 )
		769	goto cleanup;
		770
		771	/* Import D */
		772	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		773	( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
		774	&T, NULL ) ) != 0 )
		775	goto cleanup;
		776
		777	/* Import P */
		778	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		779	( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
		780	NULL, NULL ) ) != 0 )
		781	goto cleanup;
		782
		783	/* Import Q */
		784	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		785	( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
		786	NULL, NULL ) ) != 0 )
		787	goto cleanup;
		788
		789	#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
		790	/*
		791	* The RSA CRT parameters DP, DQ and QP are nominally redundant, in
		792	* that they can be easily recomputed from D, P and Q. However by
		793	* parsing them from the PKCS1 structure it is possible to avoid
		794	* recalculating them which both reduces the overhead of loading
		795	* RSA private keys into memory and also avoids side channels which
		796	* can arise when computing those values, since all of D, P, and Q
		797	* are secret. See https://eprint.iacr.org/2020/055 for a
		798	* description of one such attack.
		799	*/
		800
		801	/* Import DP */
		802	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		803	( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
		804	goto cleanup;
		805
		806	/* Import DQ */
		807	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		808	( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
		809	goto cleanup;
		810
		811	/* Import QP */
		812	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		813	( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
		814	goto cleanup;
		815
		816	#else
		817	/* Verify existance of the CRT params */
		818	if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		819	( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 \|\|
		820	( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
		821	goto cleanup;
		822	#endif
		823
		824	/* rsa_complete() doesn't complete anything with the default
		825	* implementation but is still called:
		826	* - for the benefit of alternative implementation that may want to
		827	* pre-compute stuff beyond what's provided (eg Montgomery factors)
		828	* - as is also sanity-checks the key
		829	*
		830	* Furthermore, we also check the public part for consistency with
		831	* mbedtls_pk_parse_pubkey(), as it includes size minima for example.
		832	*/
		833	if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 \|\|
		834	( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
		835	{
		836	goto cleanup;
		837	}
		838
		839	if( p != end )
		840	{
		841	ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		842	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
		843	}
		844
		845	cleanup:
		846
		847	mbedtls_mpi_free( &T );
		848
		849	if( ret != 0 )
		850	{
		851	/* Wrap error code if it's coming from a lower level */
		852	if( ( ret & 0xff80 ) == 0 )
		853	ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
		854	else
		855	ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
		856
		857	mbedtls_rsa_free( rsa );
		858	}
		859
		860	return( ret );
		861	}
		862	#endif /* MBEDTLS_RSA_C */
		863
		864	#if defined(MBEDTLS_ECP_C)
		865	/*
		866	* Parse a SEC1 encoded private EC key
		867	*/
		868	static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
		869	const unsigned char *key,
		870	size_t keylen )
		871	{
		872	int ret;
		873	int version, pubkey_done;
		874	size_t len;
		875	mbedtls_asn1_buf params;
		876	unsigned char p = (unsigned char ) key;
		877	unsigned char *end = p + keylen;
		878	unsigned char *end2;
		879
		880	/*
		881	* RFC 5915, or SEC1 Appendix C.4
		882	*
		883	* ECPrivateKey ::= SEQUENCE {
		884	* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
		885	* privateKey OCTET STRING,
		886	* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
		887	* publicKey [1] BIT STRING OPTIONAL
		888	* }
		889	*/
		890	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		891	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		892	{
		893	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		894	}
		895
		896	end = p + len;
		897
		898	if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
		899	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		900
		901	if( version != 1 )
		902	return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
		903
		904	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
		905	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		906
		907	if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
		908	{
		909	mbedtls_ecp_keypair_free( eck );
		910	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		911	}
		912
		913	p += len;
		914
		915	pubkey_done = 0;
		916	if( p != end )
		917	{
		918	/*
		919	* Is 'parameters' present?
		920	*/
		921	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		922	MBEDTLS_ASN1_CONTEXT_SPECIFIC \| MBEDTLS_ASN1_CONSTRUCTED \| 0 ) ) == 0 )
		923	{
		924	if( ( ret = pk_get_ecparams( &p, p + len, ¶ms) ) != 0 \|\|
		925	( ret = pk_use_ecparams( ¶ms, &eck->grp ) ) != 0 )
		926	{
		927	mbedtls_ecp_keypair_free( eck );
		928	return( ret );
		929	}
		930	}
		931	else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
		932	{
		933	mbedtls_ecp_keypair_free( eck );
		934	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		935	}
		936	}
		937
		938	if( p != end )
		939	{
		940	/*
		941	* Is 'publickey' present? If not, or if we can't read it (eg because it
		942	* is compressed), create it from the private key.
		943	*/
		944	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		945	MBEDTLS_ASN1_CONTEXT_SPECIFIC \| MBEDTLS_ASN1_CONSTRUCTED \| 1 ) ) == 0 )
		946	{
		947	end2 = p + len;
		948
		949	if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
		950	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		951
		952	if( p + len != end2 )
		953	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		954	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
		955
		956	if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
		957	pubkey_done = 1;
		958	else
		959	{
		960	/*
		961	* The only acceptable failure mode of pk_get_ecpubkey() above
		962	* is if the point format is not recognized.
		963	*/
		964	if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
		965	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		966	}
		967	}
		968	else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
		969	{
		970	mbedtls_ecp_keypair_free( eck );
		971	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		972	}
		973	}
		974
		975	if( ! pubkey_done &&
		976	( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
		977	NULL, NULL ) ) != 0 )
		978	{
		979	mbedtls_ecp_keypair_free( eck );
		980	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		981	}
		982
		983	if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
		984	{
		985	mbedtls_ecp_keypair_free( eck );
		986	return( ret );
		987	}
		988
		989	return( 0 );
		990	}
		991	#endif /* MBEDTLS_ECP_C */
		992
		993	/*
		994	* Parse an unencrypted PKCS#8 encoded private key
		995	*
		996	* Notes:
		997	*
		998	* - This function does not own the key buffer. It is the
		999	* responsibility of the caller to take care of zeroizing
		1000	* and freeing it after use.
		1001	*
		1002	* - The function is responsible for freeing the provided
		1003	* PK context on failure.
		1004	*
		1005	*/
		1006	static int pk_parse_key_pkcs8_unencrypted_der(
		1007	mbedtls_pk_context *pk,
		1008	const unsigned char* key,
		1009	size_t keylen )
		1010	{
		1011	int ret, version;
		1012	size_t len;
		1013	mbedtls_asn1_buf params;
		1014	unsigned char p = (unsigned char ) key;
		1015	unsigned char *end = p + keylen;
		1016	mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
		1017	const mbedtls_pk_info_t *pk_info;
		1018
		1019	/*
		1020	* This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
		1021	*
		1022	* PrivateKeyInfo ::= SEQUENCE {
		1023	* version Version,
		1024	* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
		1025	* privateKey PrivateKey,
		1026	* attributes [0] IMPLICIT Attributes OPTIONAL }
		1027	*
		1028	* Version ::= INTEGER
		1029	* PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
		1030	* PrivateKey ::= OCTET STRING
		1031	*
		1032	* The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
		1033	*/
		1034
		1035	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		1036	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		1037	{
		1038	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1039	}
		1040
		1041	end = p + len;
		1042
		1043	if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
		1044	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1045
		1046	if( version != 0 )
		1047	return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
		1048
		1049	if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 )
		1050	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1051
		1052	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
		1053	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1054
		1055	if( len < 1 )
		1056	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
		1057	MBEDTLS_ERR_ASN1_OUT_OF_DATA );
		1058
		1059	if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
		1060	return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
		1061
		1062	if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
		1063	return( ret );
		1064
		1065	#if defined(MBEDTLS_RSA_C)
		1066	if( pk_alg == MBEDTLS_PK_RSA )
		1067	{
		1068	if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
		1069	{
		1070	mbedtls_pk_free( pk );
		1071	return( ret );
		1072	}
		1073	} else
		1074	#endif /* MBEDTLS_RSA_C */
		1075	#if defined(MBEDTLS_ECP_C)
		1076	if( pk_alg == MBEDTLS_PK_ECKEY \|\| pk_alg == MBEDTLS_PK_ECKEY_DH )
		1077	{
		1078	if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 \|\|
		1079	( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 )
		1080	{
		1081	mbedtls_pk_free( pk );
		1082	return( ret );
		1083	}
		1084	} else
		1085	#endif /* MBEDTLS_ECP_C */
		1086	return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
		1087
		1088	return( 0 );
		1089	}
		1090
		1091	/*
		1092	* Parse an encrypted PKCS#8 encoded private key
		1093	*
		1094	* To save space, the decryption happens in-place on the given key buffer.
		1095	* Also, while this function may modify the keybuffer, it doesn't own it,
		1096	* and instead it is the responsibility of the caller to zeroize and properly
		1097	* free it after use.
		1098	*
		1099	*/
		1100	#if defined(MBEDTLS_PKCS12_C) \|\| defined(MBEDTLS_PKCS5_C)
		1101	static int pk_parse_key_pkcs8_encrypted_der(
		1102	mbedtls_pk_context *pk,
		1103	unsigned char *key, size_t keylen,
		1104	const unsigned char *pwd, size_t pwdlen )
		1105	{
		1106	int ret, decrypted = 0;
		1107	size_t len;
		1108	unsigned char *buf;
		1109	unsigned char p, end;
		1110	mbedtls_asn1_buf pbe_alg_oid, pbe_params;
		1111	#if defined(MBEDTLS_PKCS12_C)
		1112	mbedtls_cipher_type_t cipher_alg;
		1113	mbedtls_md_type_t md_alg;
		1114	#endif
		1115
		1116	p = key;
		1117	end = p + keylen;
		1118
		1119	if( pwdlen == 0 )
		1120	return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
		1121
		1122	/*
		1123	* This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
		1124	*
		1125	* EncryptedPrivateKeyInfo ::= SEQUENCE {
		1126	* encryptionAlgorithm EncryptionAlgorithmIdentifier,
		1127	* encryptedData EncryptedData
		1128	* }
		1129	*
		1130	* EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
		1131	*
		1132	* EncryptedData ::= OCTET STRING
		1133	*
		1134	* The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
		1135	*
		1136	*/
		1137	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
		1138	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
		1139	{
		1140	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1141	}
		1142
		1143	end = p + len;
		1144
		1145	if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
		1146	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1147
		1148	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
		1149	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
		1150
		1151	buf = p;
		1152
		1153	/*
		1154	* Decrypt EncryptedData with appropriate PBE
		1155	*/
		1156	#if defined(MBEDTLS_PKCS12_C)
		1157	if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
		1158	{
		1159	if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
		1160	cipher_alg, md_alg,
		1161	pwd, pwdlen, p, len, buf ) ) != 0 )
		1162	{
		1163	if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
		1164	return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
		1165
		1166	return( ret );
		1167	}
		1168
		1169	decrypted = 1;
		1170	}
		1171	else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
		1172	{
		1173	if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
		1174	MBEDTLS_PKCS12_PBE_DECRYPT,
		1175	pwd, pwdlen,
		1176	p, len, buf ) ) != 0 )
		1177	{
		1178	return( ret );
		1179	}
		1180
		1181	// Best guess for password mismatch when using RC4. If first tag is
		1182	// not MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE
		1183	//
		1184	if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) )
		1185	return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
		1186
		1187	decrypted = 1;
		1188	}
		1189	else
		1190	#endif /* MBEDTLS_PKCS12_C */
		1191	#if defined(MBEDTLS_PKCS5_C)
		1192	if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
		1193	{
		1194	if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
		1195	p, len, buf ) ) != 0 )
		1196	{
		1197	if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
		1198	return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
		1199
		1200	return( ret );
		1201	}
		1202
		1203	decrypted = 1;
		1204	}
		1205	else
		1206	#endif /* MBEDTLS_PKCS5_C */
		1207	{
		1208	((void) pwd);
		1209	}
		1210
		1211	if( decrypted == 0 )
		1212	return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
		1213
		1214	return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
		1215	}
		1216	#endif /* MBEDTLS_PKCS12_C \|\| MBEDTLS_PKCS5_C */
		1217
		1218	/*
		1219	* Parse a private key
		1220	*/
		1221	int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
		1222	const unsigned char *key, size_t keylen,
		1223	const unsigned char *pwd, size_t pwdlen )
		1224	{
		1225	int ret;
		1226	const mbedtls_pk_info_t *pk_info;
		1227	#if defined(MBEDTLS_PEM_PARSE_C)
		1228	size_t len;
		1229	mbedtls_pem_context pem;
		1230	#endif
		1231
		1232	PK_VALIDATE_RET( pk != NULL );
		1233	if( keylen == 0 )
		1234	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		1235	PK_VALIDATE_RET( key != NULL );
		1236
		1237	#if defined(MBEDTLS_PEM_PARSE_C)
		1238	mbedtls_pem_init( &pem );
		1239
		1240	#if defined(MBEDTLS_RSA_C)
		1241	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
		1242	if( key[keylen - 1] != '\0' )
		1243	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
		1244	else
		1245	ret = mbedtls_pem_read_buffer( &pem,
		1246	"-----BEGIN RSA PRIVATE KEY-----",
		1247	"-----END RSA PRIVATE KEY-----",
		1248	key, pwd, pwdlen, &len );
		1249
		1250	if( ret == 0 )
		1251	{
		1252	pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
		1253	if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 \|\|
		1254	( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
		1255	pem.buf, pem.buflen ) ) != 0 )
		1256	{
		1257	mbedtls_pk_free( pk );
		1258	}
		1259
		1260	mbedtls_pem_free( &pem );
		1261	return( ret );
		1262	}
		1263	else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
		1264	return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
		1265	else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
		1266	return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
		1267	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
		1268	return( ret );
		1269	#endif /* MBEDTLS_RSA_C */
		1270
		1271	#if defined(MBEDTLS_ECP_C)
		1272	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
		1273	if( key[keylen - 1] != '\0' )
		1274	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
		1275	else
		1276	ret = mbedtls_pem_read_buffer( &pem,
		1277	"-----BEGIN EC PRIVATE KEY-----",
		1278	"-----END EC PRIVATE KEY-----",
		1279	key, pwd, pwdlen, &len );
		1280	if( ret == 0 )
		1281	{
		1282	pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
		1283
		1284	if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 \|\|
		1285	( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
		1286	pem.buf, pem.buflen ) ) != 0 )
		1287	{
		1288	mbedtls_pk_free( pk );
		1289	}
		1290
		1291	mbedtls_pem_free( &pem );
		1292	return( ret );
		1293	}
		1294	else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
		1295	return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
		1296	else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
		1297	return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
		1298	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
		1299	return( ret );
		1300	#endif /* MBEDTLS_ECP_C */
		1301
		1302	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
		1303	if( key[keylen - 1] != '\0' )
		1304	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
		1305	else
		1306	ret = mbedtls_pem_read_buffer( &pem,
		1307	"-----BEGIN PRIVATE KEY-----",
		1308	"-----END PRIVATE KEY-----",
		1309	key, NULL, 0, &len );
		1310	if( ret == 0 )
		1311	{
		1312	if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
		1313	pem.buf, pem.buflen ) ) != 0 )
		1314	{
		1315	mbedtls_pk_free( pk );
		1316	}
		1317
		1318	mbedtls_pem_free( &pem );
		1319	return( ret );
		1320	}
		1321	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
		1322	return( ret );
		1323
		1324	#if defined(MBEDTLS_PKCS12_C) \|\| defined(MBEDTLS_PKCS5_C)
		1325	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
		1326	if( key[keylen - 1] != '\0' )
		1327	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
		1328	else
		1329	ret = mbedtls_pem_read_buffer( &pem,
		1330	"-----BEGIN ENCRYPTED PRIVATE KEY-----",
		1331	"-----END ENCRYPTED PRIVATE KEY-----",
		1332	key, NULL, 0, &len );
		1333	if( ret == 0 )
		1334	{
		1335	if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
		1336	pem.buf, pem.buflen,
		1337	pwd, pwdlen ) ) != 0 )
		1338	{
		1339	mbedtls_pk_free( pk );
		1340	}
		1341
		1342	mbedtls_pem_free( &pem );
		1343	return( ret );
		1344	}
		1345	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
		1346	return( ret );
		1347	#endif /* MBEDTLS_PKCS12_C \|\| MBEDTLS_PKCS5_C */
		1348	#else
		1349	((void) pwd);
		1350	((void) pwdlen);
		1351	#endif /* MBEDTLS_PEM_PARSE_C */
		1352
		1353	/*
		1354	* At this point we only know it's not a PEM formatted key. Could be any
		1355	* of the known DER encoded private key formats
		1356	*
		1357	* We try the different DER format parsers to see if one passes without
		1358	* error
		1359	*/
		1360	#if defined(MBEDTLS_PKCS12_C) \|\| defined(MBEDTLS_PKCS5_C)
		1361	{
		1362	unsigned char *key_copy;
		1363
		1364	if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
		1365	return( MBEDTLS_ERR_PK_ALLOC_FAILED );
		1366
		1367	memcpy( key_copy, key, keylen );
		1368
		1369	ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
		1370	pwd, pwdlen );
		1371
		1372	mbedtls_platform_zeroize( key_copy, keylen );
		1373	mbedtls_free( key_copy );
		1374	}
		1375
		1376	if( ret == 0 )
		1377	return( 0 );
		1378
		1379	mbedtls_pk_free( pk );
		1380	mbedtls_pk_init( pk );
		1381
		1382	if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
		1383	{
		1384	return( ret );
		1385	}
		1386	#endif /* MBEDTLS_PKCS12_C \|\| MBEDTLS_PKCS5_C */
		1387
		1388	if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
		1389	return( 0 );
		1390
		1391	mbedtls_pk_free( pk );
		1392	mbedtls_pk_init( pk );
		1393
		1394	#if defined(MBEDTLS_RSA_C)
		1395
		1396	pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
		1397	if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
		1398	pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
		1399	{
		1400	return( 0 );
		1401	}
		1402
		1403	mbedtls_pk_free( pk );
		1404	mbedtls_pk_init( pk );
		1405	#endif /* MBEDTLS_RSA_C */
		1406
		1407	#if defined(MBEDTLS_ECP_C)
		1408	pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
		1409	if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
		1410	pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
		1411	key, keylen ) == 0 )
		1412	{
		1413	return( 0 );
		1414	}
		1415	mbedtls_pk_free( pk );
		1416	#endif /* MBEDTLS_ECP_C */
		1417
		1418	/* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
		1419	* it is ok to leave the PK context initialized but not
		1420	* freed: It is the caller's responsibility to call pk_init()
		1421	* before calling this function, and to call pk_free()
		1422	* when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
		1423	* isn't, this leads to mbedtls_pk_free() being called
		1424	* twice, once here and once by the caller, but this is
		1425	* also ok and in line with the mbedtls_pk_free() calls
		1426	* on failed PEM parsing attempts. */
		1427
		1428	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		1429	}
		1430
		1431	/*
		1432	* Parse a public key
		1433	*/
		1434	int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
		1435	const unsigned char *key, size_t keylen )
		1436	{
		1437	int ret;
		1438	unsigned char *p;
		1439	#if defined(MBEDTLS_RSA_C)
		1440	const mbedtls_pk_info_t *pk_info;
		1441	#endif
		1442	#if defined(MBEDTLS_PEM_PARSE_C)
		1443	size_t len;
		1444	mbedtls_pem_context pem;
		1445	#endif
		1446
		1447	PK_VALIDATE_RET( ctx != NULL );
		1448	if( keylen == 0 )
		1449	return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
		1450	PK_VALIDATE_RET( key != NULL \|\| keylen == 0 );
		1451
		1452	#if defined(MBEDTLS_PEM_PARSE_C)
		1453	mbedtls_pem_init( &pem );
		1454	#if defined(MBEDTLS_RSA_C)
		1455	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
		1456	if( key[keylen - 1] != '\0' )
		1457	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
		1458	else
		1459	ret = mbedtls_pem_read_buffer( &pem,
		1460	"-----BEGIN RSA PUBLIC KEY-----",
		1461	"-----END RSA PUBLIC KEY-----",
		1462	key, NULL, 0, &len );
		1463
		1464	if( ret == 0 )
		1465	{
		1466	p = pem.buf;
		1467	if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
		1468	return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
		1469
		1470	if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
		1471	return( ret );
		1472
		1473	if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
		1474	mbedtls_pk_free( ctx );
		1475
		1476	mbedtls_pem_free( &pem );
		1477	return( ret );
		1478	}
		1479	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
		1480	{
		1481	mbedtls_pem_free( &pem );
		1482	return( ret );
		1483	}
		1484	#endif /* MBEDTLS_RSA_C */
		1485
		1486	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
		1487	if( key[keylen - 1] != '\0' )
		1488	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
		1489	else
		1490	ret = mbedtls_pem_read_buffer( &pem,
		1491	"-----BEGIN PUBLIC KEY-----",
		1492	"-----END PUBLIC KEY-----",
		1493	key, NULL, 0, &len );
		1494
		1495	if( ret == 0 )
		1496	{
		1497	/*
		1498	* Was PEM encoded
		1499	*/
		1500	p = pem.buf;
		1501
		1502	ret = mbedtls_pk_parse_subpubkey( &p, p + pem.buflen, ctx );
		1503	mbedtls_pem_free( &pem );
		1504	return( ret );
		1505	}
		1506	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
		1507	{
		1508	mbedtls_pem_free( &pem );
		1509	return( ret );
		1510	}
		1511	mbedtls_pem_free( &pem );
		1512	#endif /* MBEDTLS_PEM_PARSE_C */
		1513
		1514	#if defined(MBEDTLS_RSA_C)
		1515	if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
		1516	return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
		1517
		1518	if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
		1519	return( ret );
		1520
		1521	p = (unsigned char *)key;
		1522	ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
		1523	if( ret == 0 )
		1524	{
		1525	return( ret );
		1526	}
		1527	mbedtls_pk_free( ctx );
		1528	if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
		1529	{
		1530	return( ret );
		1531	}
		1532	#endif /* MBEDTLS_RSA_C */
		1533	p = (unsigned char *) key;
		1534
		1535	ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
		1536
		1537	return( ret );
		1538	}
		1539
		1540	#endif /* MBEDTLS_PK_PARSE_C */

Subversion Repositories Kolibri OS

(root)/programs/develop/libraries/kos_mbedtls/library/pkparse.c @ 9086 – Rev 8774