Subversion Repositories Kolibri OS

Rev

Blame | Last modification | View Log | Download | RSS feed

  1. /*
  2.  *  Public Key layer for parsing key files and structures
  3.  *
  4.  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5.  *  SPDX-License-Identifier: GPL-2.0
  6.  *
  7.  *  This program is free software; you can redistribute it and/or modify
  8.  *  it under the terms of the GNU General Public License as published by
  9.  *  the Free Software Foundation; either version 2 of the License, or
  10.  *  (at your option) any later version.
  11.  *
  12.  *  This program is distributed in the hope that it will be useful,
  13.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15.  *  GNU General Public License for more details.
  16.  *
  17.  *  You should have received a copy of the GNU General Public License along
  18.  *  with this program; if not, write to the Free Software Foundation, Inc.,
  19.  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  20.  *
  21.  *  This file is part of mbed TLS (https://tls.mbed.org)
  22.  */
  23.  
  24. #if !defined(MBEDTLS_CONFIG_FILE)
  25. #include "mbedtls/config.h"
  26. #else
  27. #include MBEDTLS_CONFIG_FILE
  28. #endif
  29.  
  30. #if defined(MBEDTLS_PK_PARSE_C)
  31.  
  32. #include "mbedtls/pk.h"
  33. #include "mbedtls/asn1.h"
  34. #include "mbedtls/oid.h"
  35. #include "mbedtls/platform_util.h"
  36.  
  37. #include <string.h>
  38.  
  39. #if defined(MBEDTLS_RSA_C)
  40. #include "mbedtls/rsa.h"
  41. #endif
  42. #if defined(MBEDTLS_ECP_C)
  43. #include "mbedtls/ecp.h"
  44. #endif
  45. #if defined(MBEDTLS_ECDSA_C)
  46. #include "mbedtls/ecdsa.h"
  47. #endif
  48. #if defined(MBEDTLS_PEM_PARSE_C)
  49. #include "mbedtls/pem.h"
  50. #endif
  51. #if defined(MBEDTLS_PKCS5_C)
  52. #include "mbedtls/pkcs5.h"
  53. #endif
  54. #if defined(MBEDTLS_PKCS12_C)
  55. #include "mbedtls/pkcs12.h"
  56. #endif
  57.  
  58. #if defined(MBEDTLS_PLATFORM_C)
  59. #include "mbedtls/platform.h"
  60. #else
  61. #include <stdlib.h>
  62. #define mbedtls_calloc    calloc
  63. #define mbedtls_free       free
  64. #endif
  65.  
  66. /* Parameter validation macros based on platform_util.h */
  67. #define PK_VALIDATE_RET( cond )    \
  68.     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
  69. #define PK_VALIDATE( cond )        \
  70.     MBEDTLS_INTERNAL_VALIDATE( cond )
  71.  
  72. #if defined(MBEDTLS_FS_IO)
  73. /*
  74.  * Load all data from a file into a given buffer.
  75.  *
  76.  * The file is expected to contain either PEM or DER encoded data.
  77.  * A terminating null byte is always appended. It is included in the announced
  78.  * length only if the data looks like it is PEM encoded.
  79.  */
  80. int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
  81. {
  82.     FILE *f;
  83.     long size;
  84.  
  85.     PK_VALIDATE_RET( path != NULL );
  86.     PK_VALIDATE_RET( buf != NULL );
  87.     PK_VALIDATE_RET( n != NULL );
  88.  
  89.     if( ( f = fopen( path, "rb" ) ) == NULL )
  90.         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
  91.  
  92.     fseek( f, 0, SEEK_END );
  93.     if( ( size = ftell( f ) ) == -1 )
  94.     {
  95.         fclose( f );
  96.         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
  97.     }
  98.     fseek( f, 0, SEEK_SET );
  99.  
  100.     *n = (size_t) size;
  101.  
  102.     if( *n + 1 == 0 ||
  103.         ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
  104.     {
  105.         fclose( f );
  106.         return( MBEDTLS_ERR_PK_ALLOC_FAILED );
  107.     }
  108.  
  109.     if( fread( *buf, 1, *n, f ) != *n )
  110.     {
  111.         fclose( f );
  112.  
  113.         mbedtls_platform_zeroize( *buf, *n );
  114.         mbedtls_free( *buf );
  115.  
  116.         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
  117.     }
  118.  
  119.     fclose( f );
  120.  
  121.     (*buf)[*n] = '\0';
  122.  
  123.     if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
  124.         ++*n;
  125.  
  126.     return( 0 );
  127. }
  128.  
  129. /*
  130.  * Load and parse a private key
  131.  */
  132. int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
  133.                       const char *path, const char *pwd )
  134. {
  135.     int ret;
  136.     size_t n;
  137.     unsigned char *buf;
  138.  
  139.     PK_VALIDATE_RET( ctx != NULL );
  140.     PK_VALIDATE_RET( path != NULL );
  141.  
  142.     if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
  143.         return( ret );
  144.  
  145.     if( pwd == NULL )
  146.         ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
  147.     else
  148.         ret = mbedtls_pk_parse_key( ctx, buf, n,
  149.                 (const unsigned char *) pwd, strlen( pwd ) );
  150.  
  151.     mbedtls_platform_zeroize( buf, n );
  152.     mbedtls_free( buf );
  153.  
  154.     return( ret );
  155. }
  156.  
  157. /*
  158.  * Load and parse a public key
  159.  */
  160. int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
  161. {
  162.     int ret;
  163.     size_t n;
  164.     unsigned char *buf;
  165.  
  166.     PK_VALIDATE_RET( ctx != NULL );
  167.     PK_VALIDATE_RET( path != NULL );
  168.  
  169.     if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
  170.         return( ret );
  171.  
  172.     ret = mbedtls_pk_parse_public_key( ctx, buf, n );
  173.  
  174.     mbedtls_platform_zeroize( buf, n );
  175.     mbedtls_free( buf );
  176.  
  177.     return( ret );
  178. }
  179. #endif /* MBEDTLS_FS_IO */
  180.  
  181. #if defined(MBEDTLS_ECP_C)
  182. /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
  183.  *
  184.  * ECParameters ::= CHOICE {
  185.  *   namedCurve         OBJECT IDENTIFIER
  186.  *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
  187.  *   -- implicitCurve   NULL
  188.  * }
  189.  */
  190. static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
  191.                             mbedtls_asn1_buf *params )
  192. {
  193.     int ret;
  194.  
  195.     if ( end - *p < 1 )
  196.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  197.                 MBEDTLS_ERR_ASN1_OUT_OF_DATA );
  198.  
  199.     /* Tag may be either OID or SEQUENCE */
  200.     params->tag = **p;
  201.     if( params->tag != MBEDTLS_ASN1_OID
  202. #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
  203.             && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
  204. #endif
  205.             )
  206.     {
  207.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  208.                 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
  209.     }
  210.  
  211.     if( ( ret = mbedtls_asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
  212.     {
  213.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  214.     }
  215.  
  216.     params->p = *p;
  217.     *p += params->len;
  218.  
  219.     if( *p != end )
  220.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  221.                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  222.  
  223.     return( 0 );
  224. }
  225.  
  226. #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
  227. /*
  228.  * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
  229.  * WARNING: the resulting group should only be used with
  230.  * pk_group_id_from_specified(), since its base point may not be set correctly
  231.  * if it was encoded compressed.
  232.  *
  233.  *  SpecifiedECDomain ::= SEQUENCE {
  234.  *      version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
  235.  *      fieldID FieldID {{FieldTypes}},
  236.  *      curve Curve,
  237.  *      base ECPoint,
  238.  *      order INTEGER,
  239.  *      cofactor INTEGER OPTIONAL,
  240.  *      hash HashAlgorithm OPTIONAL,
  241.  *      ...
  242.  *  }
  243.  *
  244.  * We only support prime-field as field type, and ignore hash and cofactor.
  245.  */
  246. static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
  247. {
  248.     int ret;
  249.     unsigned char *p = params->p;
  250.     const unsigned char * const end = params->p + params->len;
  251.     const unsigned char *end_field, *end_curve;
  252.     size_t len;
  253.     int ver;
  254.  
  255.     /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
  256.     if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
  257.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  258.  
  259.     if( ver < 1 || ver > 3 )
  260.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  261.  
  262.     /*
  263.      * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
  264.      *       fieldType FIELD-ID.&id({IOSet}),
  265.      *       parameters FIELD-ID.&Type({IOSet}{@fieldType})
  266.      * }
  267.      */
  268.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  269.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  270.         return( ret );
  271.  
  272.     end_field = p + len;
  273.  
  274.     /*
  275.      * FIELD-ID ::= TYPE-IDENTIFIER
  276.      * FieldTypes FIELD-ID ::= {
  277.      *       { Prime-p IDENTIFIED BY prime-field } |
  278.      *       { Characteristic-two IDENTIFIED BY characteristic-two-field }
  279.      * }
  280.      * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
  281.      */
  282.     if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
  283.         return( ret );
  284.  
  285.     if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
  286.         memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
  287.     {
  288.         return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
  289.     }
  290.  
  291.     p += len;
  292.  
  293.     /* Prime-p ::= INTEGER -- Field of size p. */
  294.     if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
  295.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  296.  
  297.     grp->pbits = mbedtls_mpi_bitlen( &grp->P );
  298.  
  299.     if( p != end_field )
  300.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  301.                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  302.  
  303.     /*
  304.      * Curve ::= SEQUENCE {
  305.      *       a FieldElement,
  306.      *       b FieldElement,
  307.      *       seed BIT STRING OPTIONAL
  308.      *       -- Shall be present if used in SpecifiedECDomain
  309.      *       -- with version equal to ecdpVer2 or ecdpVer3
  310.      * }
  311.      */
  312.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  313.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  314.         return( ret );
  315.  
  316.     end_curve = p + len;
  317.  
  318.     /*
  319.      * FieldElement ::= OCTET STRING
  320.      * containing an integer in the case of a prime field
  321.      */
  322.     if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
  323.         ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
  324.     {
  325.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  326.     }
  327.  
  328.     p += len;
  329.  
  330.     if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
  331.         ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
  332.     {
  333.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  334.     }
  335.  
  336.     p += len;
  337.  
  338.     /* Ignore seed BIT STRING OPTIONAL */
  339.     if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
  340.         p += len;
  341.  
  342.     if( p != end_curve )
  343.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  344.                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  345.  
  346.     /*
  347.      * ECPoint ::= OCTET STRING
  348.      */
  349.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  350.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  351.  
  352.     if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
  353.                                       ( const unsigned char *) p, len ) ) != 0 )
  354.     {
  355.         /*
  356.          * If we can't read the point because it's compressed, cheat by
  357.          * reading only the X coordinate and the parity bit of Y.
  358.          */
  359.         if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
  360.             ( p[0] != 0x02 && p[0] != 0x03 ) ||
  361.             len != mbedtls_mpi_size( &grp->P ) + 1 ||
  362.             mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
  363.             mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
  364.             mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
  365.         {
  366.             return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  367.         }
  368.     }
  369.  
  370.     p += len;
  371.  
  372.     /*
  373.      * order INTEGER
  374.      */
  375.     if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
  376.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  377.  
  378.     grp->nbits = mbedtls_mpi_bitlen( &grp->N );
  379.  
  380.     /*
  381.      * Allow optional elements by purposefully not enforcing p == end here.
  382.      */
  383.  
  384.     return( 0 );
  385. }
  386.  
  387. /*
  388.  * Find the group id associated with an (almost filled) group as generated by
  389.  * pk_group_from_specified(), or return an error if unknown.
  390.  */
  391. static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
  392. {
  393.     int ret = 0;
  394.     mbedtls_ecp_group ref;
  395.     const mbedtls_ecp_group_id *id;
  396.  
  397.     mbedtls_ecp_group_init( &ref );
  398.  
  399.     for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
  400.     {
  401.         /* Load the group associated to that id */
  402.         mbedtls_ecp_group_free( &ref );
  403.         MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
  404.  
  405.         /* Compare to the group we were given, starting with easy tests */
  406.         if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
  407.             mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
  408.             mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
  409.             mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
  410.             mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
  411.             mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
  412.             mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
  413.             /* For Y we may only know the parity bit, so compare only that */
  414.             mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
  415.         {
  416.             break;
  417.         }
  418.  
  419.     }
  420.  
  421. cleanup:
  422.     mbedtls_ecp_group_free( &ref );
  423.  
  424.     *grp_id = *id;
  425.  
  426.     if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
  427.         ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
  428.  
  429.     return( ret );
  430. }
  431.  
  432. /*
  433.  * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
  434.  */
  435. static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
  436.                                        mbedtls_ecp_group_id *grp_id )
  437. {
  438.     int ret;
  439.     mbedtls_ecp_group grp;
  440.  
  441.     mbedtls_ecp_group_init( &grp );
  442.  
  443.     if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
  444.         goto cleanup;
  445.  
  446.     ret = pk_group_id_from_group( &grp, grp_id );
  447.  
  448. cleanup:
  449.     mbedtls_ecp_group_free( &grp );
  450.  
  451.     return( ret );
  452. }
  453. #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
  454.  
  455. /*
  456.  * Use EC parameters to initialise an EC group
  457.  *
  458.  * ECParameters ::= CHOICE {
  459.  *   namedCurve         OBJECT IDENTIFIER
  460.  *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
  461.  *   -- implicitCurve   NULL
  462.  */
  463. static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
  464. {
  465.     int ret;
  466.     mbedtls_ecp_group_id grp_id;
  467.  
  468.     if( params->tag == MBEDTLS_ASN1_OID )
  469.     {
  470.         if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
  471.             return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
  472.     }
  473.     else
  474.     {
  475. #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
  476.         if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
  477.             return( ret );
  478. #else
  479.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  480. #endif
  481.     }
  482.  
  483.     /*
  484.      * grp may already be initilialized; if so, make sure IDs match
  485.      */
  486.     if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
  487.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  488.  
  489.     if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
  490.         return( ret );
  491.  
  492.     return( 0 );
  493. }
  494.  
  495. /*
  496.  * EC public key is an EC point
  497.  *
  498.  * The caller is responsible for clearing the structure upon failure if
  499.  * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
  500.  * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
  501.  */
  502. static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
  503.                             mbedtls_ecp_keypair *key )
  504. {
  505.     int ret;
  506.  
  507.     if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
  508.                     (const unsigned char *) *p, end - *p ) ) == 0 )
  509.     {
  510.         ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
  511.     }
  512.  
  513.     /*
  514.      * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
  515.      */
  516.     *p = (unsigned char *) end;
  517.  
  518.     return( ret );
  519. }
  520. #endif /* MBEDTLS_ECP_C */
  521.  
  522. #if defined(MBEDTLS_RSA_C)
  523. /*
  524.  *  RSAPublicKey ::= SEQUENCE {
  525.  *      modulus           INTEGER,  -- n
  526.  *      publicExponent    INTEGER   -- e
  527.  *  }
  528.  */
  529. static int pk_get_rsapubkey( unsigned char **p,
  530.                              const unsigned char *end,
  531.                              mbedtls_rsa_context *rsa )
  532. {
  533.     int ret;
  534.     size_t len;
  535.  
  536.     if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
  537.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  538.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
  539.  
  540.     if( *p + len != end )
  541.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
  542.                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  543.  
  544.     /* Import N */
  545.     if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
  546.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
  547.  
  548.     if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
  549.                                         NULL, 0, NULL, 0 ) ) != 0 )
  550.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
  551.  
  552.     *p += len;
  553.  
  554.     /* Import E */
  555.     if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
  556.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
  557.  
  558.     if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
  559.                                         NULL, 0, *p, len ) ) != 0 )
  560.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
  561.  
  562.     *p += len;
  563.  
  564.     if( mbedtls_rsa_complete( rsa ) != 0 ||
  565.         mbedtls_rsa_check_pubkey( rsa ) != 0 )
  566.     {
  567.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
  568.     }
  569.  
  570.     if( *p != end )
  571.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
  572.                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  573.  
  574.     return( 0 );
  575. }
  576. #endif /* MBEDTLS_RSA_C */
  577.  
  578. /* Get a PK algorithm identifier
  579.  *
  580.  *  AlgorithmIdentifier  ::=  SEQUENCE  {
  581.  *       algorithm               OBJECT IDENTIFIER,
  582.  *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
  583.  */
  584. static int pk_get_pk_alg( unsigned char **p,
  585.                           const unsigned char *end,
  586.                           mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
  587. {
  588.     int ret;
  589.     mbedtls_asn1_buf alg_oid;
  590.  
  591.     memset( params, 0, sizeof(mbedtls_asn1_buf) );
  592.  
  593.     if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
  594.         return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
  595.  
  596.     if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
  597.         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
  598.  
  599.     /*
  600.      * No parameters with RSA (only for EC)
  601.      */
  602.     if( *pk_alg == MBEDTLS_PK_RSA &&
  603.             ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
  604.                 params->len != 0 ) )
  605.     {
  606.         return( MBEDTLS_ERR_PK_INVALID_ALG );
  607.     }
  608.  
  609.     return( 0 );
  610. }
  611.  
  612. /*
  613.  *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
  614.  *       algorithm            AlgorithmIdentifier,
  615.  *       subjectPublicKey     BIT STRING }
  616.  */
  617. int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
  618.                         mbedtls_pk_context *pk )
  619. {
  620.     int ret;
  621.     size_t len;
  622.     mbedtls_asn1_buf alg_params;
  623.     mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
  624.     const mbedtls_pk_info_t *pk_info;
  625.  
  626.     PK_VALIDATE_RET( p != NULL );
  627.     PK_VALIDATE_RET( *p != NULL );
  628.     PK_VALIDATE_RET( end != NULL );
  629.     PK_VALIDATE_RET( pk != NULL );
  630.  
  631.     if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
  632.                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  633.     {
  634.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  635.     }
  636.  
  637.     end = *p + len;
  638.  
  639.     if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
  640.         return( ret );
  641.  
  642.     if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
  643.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
  644.  
  645.     if( *p + len != end )
  646.         return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
  647.                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  648.  
  649.     if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
  650.         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
  651.  
  652.     if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
  653.         return( ret );
  654.  
  655. #if defined(MBEDTLS_RSA_C)
  656.     if( pk_alg == MBEDTLS_PK_RSA )
  657.     {
  658.         ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
  659.     } else
  660. #endif /* MBEDTLS_RSA_C */
  661. #if defined(MBEDTLS_ECP_C)
  662.     if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
  663.     {
  664.         ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
  665.         if( ret == 0 )
  666.             ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
  667.     } else
  668. #endif /* MBEDTLS_ECP_C */
  669.         ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
  670.  
  671.     if( ret == 0 && *p != end )
  672.         ret = MBEDTLS_ERR_PK_INVALID_PUBKEY
  673.               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
  674.  
  675.     if( ret != 0 )
  676.         mbedtls_pk_free( pk );
  677.  
  678.     return( ret );
  679. }
  680.  
  681. #if defined(MBEDTLS_RSA_C)
  682. /*
  683.  * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
  684.  *
  685.  * The value zero is:
  686.  * - never a valid value for an RSA parameter
  687.  * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
  688.  *
  689.  * Since values can't be omitted in PKCS#1, passing a zero value to
  690.  * rsa_complete() would be incorrect, so reject zero values early.
  691.  */
  692. static int asn1_get_nonzero_mpi( unsigned char **p,
  693.                                  const unsigned char *end,
  694.                                  mbedtls_mpi *X )
  695. {
  696.     int ret;
  697.  
  698.     ret = mbedtls_asn1_get_mpi( p, end, X );
  699.     if( ret != 0 )
  700.         return( ret );
  701.  
  702.     if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
  703.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  704.  
  705.     return( 0 );
  706. }
  707.  
  708. /*
  709.  * Parse a PKCS#1 encoded private RSA key
  710.  */
  711. static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
  712.                                    const unsigned char *key,
  713.                                    size_t keylen )
  714. {
  715.     int ret, version;
  716.     size_t len;
  717.     unsigned char *p, *end;
  718.  
  719.     mbedtls_mpi T;
  720.     mbedtls_mpi_init( &T );
  721.  
  722.     p = (unsigned char *) key;
  723.     end = p + keylen;
  724.  
  725.     /*
  726.      * This function parses the RSAPrivateKey (PKCS#1)
  727.      *
  728.      *  RSAPrivateKey ::= SEQUENCE {
  729.      *      version           Version,
  730.      *      modulus           INTEGER,  -- n
  731.      *      publicExponent    INTEGER,  -- e
  732.      *      privateExponent   INTEGER,  -- d
  733.      *      prime1            INTEGER,  -- p
  734.      *      prime2            INTEGER,  -- q
  735.      *      exponent1         INTEGER,  -- d mod (p-1)
  736.      *      exponent2         INTEGER,  -- d mod (q-1)
  737.      *      coefficient       INTEGER,  -- (inverse of q) mod p
  738.      *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
  739.      *  }
  740.      */
  741.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  742.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  743.     {
  744.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  745.     }
  746.  
  747.     end = p + len;
  748.  
  749.     if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
  750.     {
  751.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  752.     }
  753.  
  754.     if( version != 0 )
  755.     {
  756.         return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
  757.     }
  758.  
  759.     /* Import N */
  760.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  761.         ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
  762.                                         NULL, NULL ) ) != 0 )
  763.         goto cleanup;
  764.  
  765.     /* Import E */
  766.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  767.         ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
  768.                                         NULL, &T ) ) != 0 )
  769.         goto cleanup;
  770.  
  771.     /* Import D */
  772.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  773.         ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
  774.                                         &T, NULL ) ) != 0 )
  775.         goto cleanup;
  776.  
  777.     /* Import P */
  778.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  779.         ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
  780.                                         NULL, NULL ) ) != 0 )
  781.         goto cleanup;
  782.  
  783.     /* Import Q */
  784.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  785.         ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
  786.                                         NULL, NULL ) ) != 0 )
  787.         goto cleanup;
  788.  
  789. #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
  790.     /*
  791.     * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
  792.     * that they can be easily recomputed from D, P and Q. However by
  793.     * parsing them from the PKCS1 structure it is possible to avoid
  794.     * recalculating them which both reduces the overhead of loading
  795.     * RSA private keys into memory and also avoids side channels which
  796.     * can arise when computing those values, since all of D, P, and Q
  797.     * are secret. See https://eprint.iacr.org/2020/055 for a
  798.     * description of one such attack.
  799.     */
  800.  
  801.     /* Import DP */
  802.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  803.         ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
  804.        goto cleanup;
  805.  
  806.     /* Import DQ */
  807.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  808.         ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
  809.        goto cleanup;
  810.  
  811.     /* Import QP */
  812.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  813.         ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
  814.        goto cleanup;
  815.  
  816. #else
  817.     /* Verify existance of the CRT params */
  818.     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  819.         ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
  820.         ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
  821.        goto cleanup;
  822. #endif
  823.  
  824.     /* rsa_complete() doesn't complete anything with the default
  825.      * implementation but is still called:
  826.      * - for the benefit of alternative implementation that may want to
  827.      *   pre-compute stuff beyond what's provided (eg Montgomery factors)
  828.      * - as is also sanity-checks the key
  829.      *
  830.      * Furthermore, we also check the public part for consistency with
  831.      * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
  832.      */
  833.     if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
  834.         ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
  835.     {
  836.         goto cleanup;
  837.     }
  838.  
  839.     if( p != end )
  840.     {
  841.         ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  842.               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
  843.     }
  844.  
  845. cleanup:
  846.  
  847.     mbedtls_mpi_free( &T );
  848.  
  849.     if( ret != 0 )
  850.     {
  851.         /* Wrap error code if it's coming from a lower level */
  852.         if( ( ret & 0xff80 ) == 0 )
  853.             ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
  854.         else
  855.             ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
  856.  
  857.         mbedtls_rsa_free( rsa );
  858.     }
  859.  
  860.     return( ret );
  861. }
  862. #endif /* MBEDTLS_RSA_C */
  863.  
  864. #if defined(MBEDTLS_ECP_C)
  865. /*
  866.  * Parse a SEC1 encoded private EC key
  867.  */
  868. static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
  869.                                   const unsigned char *key,
  870.                                   size_t keylen )
  871. {
  872.     int ret;
  873.     int version, pubkey_done;
  874.     size_t len;
  875.     mbedtls_asn1_buf params;
  876.     unsigned char *p = (unsigned char *) key;
  877.     unsigned char *end = p + keylen;
  878.     unsigned char *end2;
  879.  
  880.     /*
  881.      * RFC 5915, or SEC1 Appendix C.4
  882.      *
  883.      * ECPrivateKey ::= SEQUENCE {
  884.      *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
  885.      *      privateKey     OCTET STRING,
  886.      *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
  887.      *      publicKey  [1] BIT STRING OPTIONAL
  888.      *    }
  889.      */
  890.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  891.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  892.     {
  893.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  894.     }
  895.  
  896.     end = p + len;
  897.  
  898.     if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
  899.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  900.  
  901.     if( version != 1 )
  902.         return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
  903.  
  904.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  905.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  906.  
  907.     if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
  908.     {
  909.         mbedtls_ecp_keypair_free( eck );
  910.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  911.     }
  912.  
  913.     p += len;
  914.  
  915.     pubkey_done = 0;
  916.     if( p != end )
  917.     {
  918.         /*
  919.          * Is 'parameters' present?
  920.          */
  921.         if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  922.                         MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
  923.         {
  924.             if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
  925.                 ( ret = pk_use_ecparams( &params, &eck->grp )  ) != 0 )
  926.             {
  927.                 mbedtls_ecp_keypair_free( eck );
  928.                 return( ret );
  929.             }
  930.         }
  931.         else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
  932.         {
  933.             mbedtls_ecp_keypair_free( eck );
  934.             return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  935.         }
  936.     }
  937.  
  938.     if( p != end )
  939.     {
  940.         /*
  941.          * Is 'publickey' present? If not, or if we can't read it (eg because it
  942.          * is compressed), create it from the private key.
  943.          */
  944.         if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  945.                         MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
  946.         {
  947.             end2 = p + len;
  948.  
  949.             if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
  950.                 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  951.  
  952.             if( p + len != end2 )
  953.                 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  954.                         MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  955.  
  956.             if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
  957.                 pubkey_done = 1;
  958.             else
  959.             {
  960.                 /*
  961.                  * The only acceptable failure mode of pk_get_ecpubkey() above
  962.                  * is if the point format is not recognized.
  963.                  */
  964.                 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
  965.                     return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  966.             }
  967.         }
  968.         else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
  969.         {
  970.             mbedtls_ecp_keypair_free( eck );
  971.             return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  972.         }
  973.     }
  974.  
  975.     if( ! pubkey_done &&
  976.         ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
  977.                                                       NULL, NULL ) ) != 0 )
  978.     {
  979.         mbedtls_ecp_keypair_free( eck );
  980.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  981.     }
  982.  
  983.     if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
  984.     {
  985.         mbedtls_ecp_keypair_free( eck );
  986.         return( ret );
  987.     }
  988.  
  989.     return( 0 );
  990. }
  991. #endif /* MBEDTLS_ECP_C */
  992.  
  993. /*
  994.  * Parse an unencrypted PKCS#8 encoded private key
  995.  *
  996.  * Notes:
  997.  *
  998.  * - This function does not own the key buffer. It is the
  999.  *   responsibility of the caller to take care of zeroizing
  1000.  *   and freeing it after use.
  1001.  *
  1002.  * - The function is responsible for freeing the provided
  1003.  *   PK context on failure.
  1004.  *
  1005.  */
  1006. static int pk_parse_key_pkcs8_unencrypted_der(
  1007.                                     mbedtls_pk_context *pk,
  1008.                                     const unsigned char* key,
  1009.                                     size_t keylen )
  1010. {
  1011.     int ret, version;
  1012.     size_t len;
  1013.     mbedtls_asn1_buf params;
  1014.     unsigned char *p = (unsigned char *) key;
  1015.     unsigned char *end = p + keylen;
  1016.     mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
  1017.     const mbedtls_pk_info_t *pk_info;
  1018.  
  1019.     /*
  1020.      * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
  1021.      *
  1022.      *    PrivateKeyInfo ::= SEQUENCE {
  1023.      *      version                   Version,
  1024.      *      privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
  1025.      *      privateKey                PrivateKey,
  1026.      *      attributes           [0]  IMPLICIT Attributes OPTIONAL }
  1027.      *
  1028.      *    Version ::= INTEGER
  1029.      *    PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
  1030.      *    PrivateKey ::= OCTET STRING
  1031.      *
  1032.      *  The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
  1033.      */
  1034.  
  1035.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  1036.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  1037.     {
  1038.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1039.     }
  1040.  
  1041.     end = p + len;
  1042.  
  1043.     if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
  1044.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1045.  
  1046.     if( version != 0 )
  1047.         return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
  1048.  
  1049.     if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
  1050.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1051.  
  1052.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  1053.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1054.  
  1055.     if( len < 1 )
  1056.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
  1057.                 MBEDTLS_ERR_ASN1_OUT_OF_DATA );
  1058.  
  1059.     if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
  1060.         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
  1061.  
  1062.     if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
  1063.         return( ret );
  1064.  
  1065. #if defined(MBEDTLS_RSA_C)
  1066.     if( pk_alg == MBEDTLS_PK_RSA )
  1067.     {
  1068.         if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
  1069.         {
  1070.             mbedtls_pk_free( pk );
  1071.             return( ret );
  1072.         }
  1073.     } else
  1074. #endif /* MBEDTLS_RSA_C */
  1075. #if defined(MBEDTLS_ECP_C)
  1076.     if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
  1077.     {
  1078.         if( ( ret = pk_use_ecparams( &params, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
  1079.             ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len )  ) != 0 )
  1080.         {
  1081.             mbedtls_pk_free( pk );
  1082.             return( ret );
  1083.         }
  1084.     } else
  1085. #endif /* MBEDTLS_ECP_C */
  1086.         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
  1087.  
  1088.     return( 0 );
  1089. }
  1090.  
  1091. /*
  1092.  * Parse an encrypted PKCS#8 encoded private key
  1093.  *
  1094.  * To save space, the decryption happens in-place on the given key buffer.
  1095.  * Also, while this function may modify the keybuffer, it doesn't own it,
  1096.  * and instead it is the responsibility of the caller to zeroize and properly
  1097.  * free it after use.
  1098.  *
  1099.  */
  1100. #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
  1101. static int pk_parse_key_pkcs8_encrypted_der(
  1102.                                     mbedtls_pk_context *pk,
  1103.                                     unsigned char *key, size_t keylen,
  1104.                                     const unsigned char *pwd, size_t pwdlen )
  1105. {
  1106.     int ret, decrypted = 0;
  1107.     size_t len;
  1108.     unsigned char *buf;
  1109.     unsigned char *p, *end;
  1110.     mbedtls_asn1_buf pbe_alg_oid, pbe_params;
  1111. #if defined(MBEDTLS_PKCS12_C)
  1112.     mbedtls_cipher_type_t cipher_alg;
  1113.     mbedtls_md_type_t md_alg;
  1114. #endif
  1115.  
  1116.     p = key;
  1117.     end = p + keylen;
  1118.  
  1119.     if( pwdlen == 0 )
  1120.         return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
  1121.  
  1122.     /*
  1123.      * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
  1124.      *
  1125.      *  EncryptedPrivateKeyInfo ::= SEQUENCE {
  1126.      *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
  1127.      *    encryptedData        EncryptedData
  1128.      *  }
  1129.      *
  1130.      *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
  1131.      *
  1132.      *  EncryptedData ::= OCTET STRING
  1133.      *
  1134.      *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
  1135.      *
  1136.      */
  1137.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  1138.             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  1139.     {
  1140.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1141.     }
  1142.  
  1143.     end = p + len;
  1144.  
  1145.     if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
  1146.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1147.  
  1148.     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  1149.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
  1150.  
  1151.     buf = p;
  1152.  
  1153.     /*
  1154.      * Decrypt EncryptedData with appropriate PBE
  1155.      */
  1156. #if defined(MBEDTLS_PKCS12_C)
  1157.     if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
  1158.     {
  1159.         if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
  1160.                                 cipher_alg, md_alg,
  1161.                                 pwd, pwdlen, p, len, buf ) ) != 0 )
  1162.         {
  1163.             if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
  1164.                 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
  1165.  
  1166.             return( ret );
  1167.         }
  1168.  
  1169.         decrypted = 1;
  1170.     }
  1171.     else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
  1172.     {
  1173.         if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
  1174.                                              MBEDTLS_PKCS12_PBE_DECRYPT,
  1175.                                              pwd, pwdlen,
  1176.                                              p, len, buf ) ) != 0 )
  1177.         {
  1178.             return( ret );
  1179.         }
  1180.  
  1181.         // Best guess for password mismatch when using RC4. If first tag is
  1182.         // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
  1183.         //
  1184.         if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
  1185.             return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
  1186.  
  1187.         decrypted = 1;
  1188.     }
  1189.     else
  1190. #endif /* MBEDTLS_PKCS12_C */
  1191. #if defined(MBEDTLS_PKCS5_C)
  1192.     if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
  1193.     {
  1194.         if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
  1195.                                   p, len, buf ) ) != 0 )
  1196.         {
  1197.             if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
  1198.                 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
  1199.  
  1200.             return( ret );
  1201.         }
  1202.  
  1203.         decrypted = 1;
  1204.     }
  1205.     else
  1206. #endif /* MBEDTLS_PKCS5_C */
  1207.     {
  1208.         ((void) pwd);
  1209.     }
  1210.  
  1211.     if( decrypted == 0 )
  1212.         return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
  1213.  
  1214.     return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
  1215. }
  1216. #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
  1217.  
  1218. /*
  1219.  * Parse a private key
  1220.  */
  1221. int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
  1222.                   const unsigned char *key, size_t keylen,
  1223.                   const unsigned char *pwd, size_t pwdlen )
  1224. {
  1225.     int ret;
  1226.     const mbedtls_pk_info_t *pk_info;
  1227. #if defined(MBEDTLS_PEM_PARSE_C)
  1228.     size_t len;
  1229.     mbedtls_pem_context pem;
  1230. #endif
  1231.  
  1232.     PK_VALIDATE_RET( pk != NULL );
  1233.     if( keylen == 0 )
  1234.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  1235.     PK_VALIDATE_RET( key != NULL );
  1236.  
  1237. #if defined(MBEDTLS_PEM_PARSE_C)
  1238.    mbedtls_pem_init( &pem );
  1239.  
  1240. #if defined(MBEDTLS_RSA_C)
  1241.     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
  1242.     if( key[keylen - 1] != '\0' )
  1243.         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  1244.     else
  1245.         ret = mbedtls_pem_read_buffer( &pem,
  1246.                                "-----BEGIN RSA PRIVATE KEY-----",
  1247.                                "-----END RSA PRIVATE KEY-----",
  1248.                                key, pwd, pwdlen, &len );
  1249.  
  1250.     if( ret == 0 )
  1251.     {
  1252.         pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
  1253.         if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
  1254.             ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
  1255.                                             pem.buf, pem.buflen ) ) != 0 )
  1256.         {
  1257.             mbedtls_pk_free( pk );
  1258.         }
  1259.  
  1260.         mbedtls_pem_free( &pem );
  1261.         return( ret );
  1262.     }
  1263.     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
  1264.         return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
  1265.     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
  1266.         return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
  1267.     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
  1268.         return( ret );
  1269. #endif /* MBEDTLS_RSA_C */
  1270.  
  1271. #if defined(MBEDTLS_ECP_C)
  1272.     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
  1273.     if( key[keylen - 1] != '\0' )
  1274.         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  1275.     else
  1276.         ret = mbedtls_pem_read_buffer( &pem,
  1277.                                "-----BEGIN EC PRIVATE KEY-----",
  1278.                                "-----END EC PRIVATE KEY-----",
  1279.                                key, pwd, pwdlen, &len );
  1280.     if( ret == 0 )
  1281.     {
  1282.         pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
  1283.  
  1284.         if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
  1285.             ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
  1286.                                            pem.buf, pem.buflen ) ) != 0 )
  1287.         {
  1288.             mbedtls_pk_free( pk );
  1289.         }
  1290.  
  1291.         mbedtls_pem_free( &pem );
  1292.         return( ret );
  1293.     }
  1294.     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
  1295.         return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
  1296.     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
  1297.         return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
  1298.     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
  1299.         return( ret );
  1300. #endif /* MBEDTLS_ECP_C */
  1301.  
  1302.     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
  1303.     if( key[keylen - 1] != '\0' )
  1304.         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  1305.     else
  1306.         ret = mbedtls_pem_read_buffer( &pem,
  1307.                                "-----BEGIN PRIVATE KEY-----",
  1308.                                "-----END PRIVATE KEY-----",
  1309.                                key, NULL, 0, &len );
  1310.     if( ret == 0 )
  1311.     {
  1312.         if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
  1313.                                                 pem.buf, pem.buflen ) ) != 0 )
  1314.         {
  1315.             mbedtls_pk_free( pk );
  1316.         }
  1317.  
  1318.         mbedtls_pem_free( &pem );
  1319.         return( ret );
  1320.     }
  1321.     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
  1322.         return( ret );
  1323.  
  1324. #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
  1325.     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
  1326.     if( key[keylen - 1] != '\0' )
  1327.         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  1328.     else
  1329.         ret = mbedtls_pem_read_buffer( &pem,
  1330.                                "-----BEGIN ENCRYPTED PRIVATE KEY-----",
  1331.                                "-----END ENCRYPTED PRIVATE KEY-----",
  1332.                                key, NULL, 0, &len );
  1333.     if( ret == 0 )
  1334.     {
  1335.         if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
  1336.                                                       pem.buf, pem.buflen,
  1337.                                                       pwd, pwdlen ) ) != 0 )
  1338.         {
  1339.             mbedtls_pk_free( pk );
  1340.         }
  1341.  
  1342.         mbedtls_pem_free( &pem );
  1343.         return( ret );
  1344.     }
  1345.     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
  1346.         return( ret );
  1347. #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
  1348. #else
  1349.     ((void) pwd);
  1350.     ((void) pwdlen);
  1351. #endif /* MBEDTLS_PEM_PARSE_C */
  1352.  
  1353.     /*
  1354.      * At this point we only know it's not a PEM formatted key. Could be any
  1355.      * of the known DER encoded private key formats
  1356.      *
  1357.      * We try the different DER format parsers to see if one passes without
  1358.      * error
  1359.      */
  1360. #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
  1361.     {
  1362.         unsigned char *key_copy;
  1363.  
  1364.         if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
  1365.             return( MBEDTLS_ERR_PK_ALLOC_FAILED );
  1366.  
  1367.         memcpy( key_copy, key, keylen );
  1368.  
  1369.         ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
  1370.                                                 pwd, pwdlen );
  1371.  
  1372.         mbedtls_platform_zeroize( key_copy, keylen );
  1373.         mbedtls_free( key_copy );
  1374.     }
  1375.  
  1376.     if( ret == 0 )
  1377.         return( 0 );
  1378.  
  1379.     mbedtls_pk_free( pk );
  1380.     mbedtls_pk_init( pk );
  1381.  
  1382.     if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
  1383.     {
  1384.         return( ret );
  1385.     }
  1386. #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
  1387.  
  1388.     if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
  1389.         return( 0 );
  1390.  
  1391.     mbedtls_pk_free( pk );
  1392.     mbedtls_pk_init( pk );
  1393.  
  1394. #if defined(MBEDTLS_RSA_C)
  1395.  
  1396.     pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
  1397.     if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
  1398.         pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
  1399.     {
  1400.         return( 0 );
  1401.     }
  1402.  
  1403.     mbedtls_pk_free( pk );
  1404.     mbedtls_pk_init( pk );
  1405. #endif /* MBEDTLS_RSA_C */
  1406.  
  1407. #if defined(MBEDTLS_ECP_C)
  1408.     pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
  1409.     if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
  1410.         pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
  1411.                                key, keylen ) == 0 )
  1412.     {
  1413.         return( 0 );
  1414.     }
  1415.     mbedtls_pk_free( pk );
  1416. #endif /* MBEDTLS_ECP_C */
  1417.  
  1418.     /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
  1419.      * it is ok to leave the PK context initialized but not
  1420.      * freed: It is the caller's responsibility to call pk_init()
  1421.      * before calling this function, and to call pk_free()
  1422.      * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
  1423.      * isn't, this leads to mbedtls_pk_free() being called
  1424.      * twice, once here and once by the caller, but this is
  1425.      * also ok and in line with the mbedtls_pk_free() calls
  1426.      * on failed PEM parsing attempts. */
  1427.  
  1428.     return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  1429. }
  1430.  
  1431. /*
  1432.  * Parse a public key
  1433.  */
  1434. int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
  1435.                          const unsigned char *key, size_t keylen )
  1436. {
  1437.     int ret;
  1438.     unsigned char *p;
  1439. #if defined(MBEDTLS_RSA_C)
  1440.     const mbedtls_pk_info_t *pk_info;
  1441. #endif
  1442. #if defined(MBEDTLS_PEM_PARSE_C)
  1443.     size_t len;
  1444.     mbedtls_pem_context pem;
  1445. #endif
  1446.  
  1447.     PK_VALIDATE_RET( ctx != NULL );
  1448.     if( keylen == 0 )
  1449.         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
  1450.     PK_VALIDATE_RET( key != NULL || keylen == 0 );
  1451.  
  1452. #if defined(MBEDTLS_PEM_PARSE_C)
  1453.     mbedtls_pem_init( &pem );
  1454. #if defined(MBEDTLS_RSA_C)
  1455.     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
  1456.     if( key[keylen - 1] != '\0' )
  1457.         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  1458.     else
  1459.         ret = mbedtls_pem_read_buffer( &pem,
  1460.                                "-----BEGIN RSA PUBLIC KEY-----",
  1461.                                "-----END RSA PUBLIC KEY-----",
  1462.                                key, NULL, 0, &len );
  1463.  
  1464.     if( ret == 0 )
  1465.     {
  1466.         p = pem.buf;
  1467.         if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
  1468.             return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
  1469.  
  1470.         if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
  1471.             return( ret );
  1472.  
  1473.         if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
  1474.             mbedtls_pk_free( ctx );
  1475.  
  1476.         mbedtls_pem_free( &pem );
  1477.         return( ret );
  1478.     }
  1479.     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
  1480.     {
  1481.         mbedtls_pem_free( &pem );
  1482.         return( ret );
  1483.     }
  1484. #endif /* MBEDTLS_RSA_C */
  1485.  
  1486.     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
  1487.     if( key[keylen - 1] != '\0' )
  1488.         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  1489.     else
  1490.         ret = mbedtls_pem_read_buffer( &pem,
  1491.                 "-----BEGIN PUBLIC KEY-----",
  1492.                 "-----END PUBLIC KEY-----",
  1493.                 key, NULL, 0, &len );
  1494.  
  1495.     if( ret == 0 )
  1496.     {
  1497.         /*
  1498.          * Was PEM encoded
  1499.          */
  1500.         p = pem.buf;
  1501.  
  1502.         ret = mbedtls_pk_parse_subpubkey( &p,  p + pem.buflen, ctx );
  1503.         mbedtls_pem_free( &pem );
  1504.         return( ret );
  1505.     }
  1506.     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
  1507.     {
  1508.         mbedtls_pem_free( &pem );
  1509.         return( ret );
  1510.     }
  1511.     mbedtls_pem_free( &pem );
  1512. #endif /* MBEDTLS_PEM_PARSE_C */
  1513.  
  1514. #if defined(MBEDTLS_RSA_C)
  1515.     if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
  1516.         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
  1517.  
  1518.     if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
  1519.         return( ret );
  1520.  
  1521.     p = (unsigned char *)key;
  1522.     ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
  1523.     if( ret == 0 )
  1524.     {
  1525.         return( ret );
  1526.     }
  1527.     mbedtls_pk_free( ctx );
  1528.     if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
  1529.     {
  1530.         return( ret );
  1531.     }
  1532. #endif /* MBEDTLS_RSA_C */
  1533.     p = (unsigned char *) key;
  1534.  
  1535.     ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
  1536.  
  1537.     return( ret );
  1538. }
  1539.  
  1540. #endif /* MBEDTLS_PK_PARSE_C */
  1541.