search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
new polarssl
[syren.git] / src / libpolarssl / pkparse.c
blobefc0de1bd53068065f118748c458b90efac9a28b
1 /*
2 * Public Key layer for parsing key files and structures
3 *
4 * Copyright (C) 2006-2014, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26 #if !defined(POLARSSL_CONFIG_FILE)
27 #include "config.h"
28 #else
29 #include POLARSSL_CONFIG_FILE
30 #endif
31
32 #if defined(POLARSSL_PK_PARSE_C)
33
34 #include "pk.h"
35 #include "asn1.h"
36 #include "oid.h"
37
38 #if defined(POLARSSL_RSA_C)
39 #include "rsa.h"
40 #endif
41 #if defined(POLARSSL_ECP_C)
42 #include "ecp.h"
43 #endif
44 #if defined(POLARSSL_ECDSA_C)
45 #include "ecdsa.h"
46 #endif
47 #if defined(POLARSSL_PEM_PARSE_C)
48 #include "pem.h"
49 #endif
50 #if defined(POLARSSL_PKCS5_C)
51 #include "pkcs5.h"
52 #endif
53 #if defined(POLARSSL_PKCS12_C)
54 #include "pkcs12.h"
55 #endif
56
57 #if defined(POLARSSL_PLATFORM_C)
58 #include "platform.h"
59 #else
60 #include <stdlib.h>
61 #define polarssl_malloc malloc
62 #define polarssl_free free
63 #endif
64
65 #if defined(POLARSSL_FS_IO)
66 /*
67 * Load all data from a file into a given buffer.
68 */
69 static int load_file( const char *path, unsigned char **buf, size_t *n )
70 {
71 FILE *f;
72 long size;
73
74 if( ( f = fopen( path, "rb" ) ) == NULL )
75 return( POLARSSL_ERR_PK_FILE_IO_ERROR );
76
77 fseek( f, 0, SEEK_END );
78 if( ( size = ftell( f ) ) == -1 )
79 {
80 fclose( f );
81 return( POLARSSL_ERR_PK_FILE_IO_ERROR );
82 }
83 fseek( f, 0, SEEK_SET );
84
85 *n = (size_t) size;
86
87 if( *n + 1 == 0 ||
88 ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
89 {
90 fclose( f );
91 return( POLARSSL_ERR_PK_MALLOC_FAILED );
92 }
93
94 if( fread( *buf, 1, *n, f ) != *n )
95 {
96 fclose( f );
97 polarssl_free( *buf );
98 return( POLARSSL_ERR_PK_FILE_IO_ERROR );
99 }
100
101 fclose( f );
102
103 (*buf)[*n] = '\0';
104
105 return( 0 );
106 }
107
108 /*
109 * Load and parse a private key
110 */
111 int pk_parse_keyfile( pk_context *ctx,
112 const char *path, const char *pwd )
113 {
114 int ret;
115 size_t n;
116 unsigned char *buf;
117
118 if ( (ret = load_file( path, &buf, &n ) ) != 0 )
119 return( ret );
120
121 if( pwd == NULL )
122 ret = pk_parse_key( ctx, buf, n, NULL, 0 );
123 else
124 ret = pk_parse_key( ctx, buf, n,
125 (const unsigned char *) pwd, strlen( pwd ) );
126
127 memset( buf, 0, n + 1 );
128 polarssl_free( buf );
129
130 return( ret );
131 }
132
133 /*
134 * Load and parse a public key
135 */
136 int pk_parse_public_keyfile( pk_context *ctx, const char *path )
137 {
138 int ret;
139 size_t n;
140 unsigned char *buf;
141
142 if ( (ret = load_file( path, &buf, &n ) ) != 0 )
143 return( ret );
144
145 ret = pk_parse_public_key( ctx, buf, n );
146
147 memset( buf, 0, n + 1 );
148 polarssl_free( buf );
149
150 return( ret );
151 }
152 #endif /* POLARSSL_FS_IO */
153
154 #if defined(POLARSSL_ECP_C)
155 /* Minimally parse an ECParameters buffer to and asn1_buf
156 *
157 * ECParameters ::= CHOICE {
158 * namedCurve OBJECT IDENTIFIER
159 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
160 * -- implicitCurve NULL
161 * }
162 */
163 static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
164 asn1_buf *params )
165 {
166 int ret;
167
168 /* Tag may be either OID or SEQUENCE */
169 params->tag = **p;
170 if( params->tag != ASN1_OID
171 #if defined(POLARSSL_PK_PARSE_EC_EXTENDED)
172 && params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE )
173 #endif
174 )
175 {
176 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
177 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
178 }
179
180 if( ( ret = asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
181 {
182 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
183 }
184
185 params->p = *p;
186 *p += params->len;
187
188 if( *p != end )
189 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
190 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
191
192 return( 0 );
193 }
194
195 #if defined(POLARSSL_PK_PARSE_EC_EXTENDED)
196 /*
197 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
198 * WARNING: the resulting group should only be used with
199 * pk_group_id_from_specified(), since its base point may not be set correctly
200 * if it was encoded compressed.
201 *
202 * SpecifiedECDomain ::= SEQUENCE {
203 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
204 * fieldID FieldID {{FieldTypes}},
205 * curve Curve,
206 * base ECPoint,
207 * order INTEGER,
208 * cofactor INTEGER OPTIONAL,
209 * hash HashAlgorithm OPTIONAL,
210 * ...
211 * }
212 *
213 * We only support prime-field as field type, and ignore hash and cofactor.
214 */
215 static int pk_group_from_specified( const asn1_buf *params, ecp_group *grp )
216 {
217 int ret;
218 unsigned char *p = params->p;
219 const unsigned char * const end = params->p + params->len;
220 const unsigned char *end_field, *end_curve;
221 size_t len;
222 int ver;
223
224 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
225 if( ( ret = asn1_get_int( &p, end, &ver ) ) != 0 )
226 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
227
228 if( ver < 1 || ver > 3 )
229 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
230
231 /*
232 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
233 * fieldType FIELD-ID.&id({IOSet}),
234 * parameters FIELD-ID.&Type({IOSet}{@fieldType})
235 * }
236 */
237 if( ( ret = asn1_get_tag( &p, end, &len,
238 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
239 return( ret );
240
241 end_field = p + len;
242
243 /*
244 * FIELD-ID ::= TYPE-IDENTIFIER
245 * FieldTypes FIELD-ID ::= {
246 * { Prime-p IDENTIFIED BY prime-field } |
247 * { Characteristic-two IDENTIFIED BY characteristic-two-field }
248 * }
249 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
250 */
251 if( ( ret = asn1_get_tag( &p, end_field, &len, ASN1_OID ) ) != 0 )
252 return( ret );
253
254 if( len != OID_SIZE( OID_ANSI_X9_62_PRIME_FIELD ) ||
255 memcmp( p, OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
256 {
257 return( POLARSSL_ERR_PK_FEATURE_UNAVAILABLE );
258 }
259
260 p += len;
261
262 /* Prime-p ::= INTEGER -- Field of size p. */
263 if( ( ret = asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
264 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
265
266 grp->pbits = mpi_msb( &grp->P );
267
268 if( p != end_field )
269 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
270 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
271
272 /*
273 * Curve ::= SEQUENCE {
274 * a FieldElement,
275 * b FieldElement,
276 * seed BIT STRING OPTIONAL
277 * -- Shall be present if used in SpecifiedECDomain
278 * -- with version equal to ecdpVer2 or ecdpVer3
279 * }
280 */
281 if( ( ret = asn1_get_tag( &p, end, &len,
282 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
283 return( ret );
284
285 end_curve = p + len;
286
287 /*
288 * FieldElement ::= OCTET STRING
289 * containing an integer in the case of a prime field
290 */
291 if( ( ret = asn1_get_tag( &p, end_curve, &len, ASN1_OCTET_STRING ) ) != 0 ||
292 ( ret = mpi_read_binary( &grp->A, p, len ) ) != 0 )
293 {
294 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
295 }
296
297 p += len;
298
299 if( ( ret = asn1_get_tag( &p, end_curve, &len, ASN1_OCTET_STRING ) ) != 0 ||
300 ( ret = mpi_read_binary( &grp->B, p, len ) ) != 0 )
301 {
302 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
303 }
304
305 p += len;
306
307 /* Ignore seed BIT STRING OPTIONAL */
308 if( ( ret = asn1_get_tag( &p, end_curve, &len, ASN1_BIT_STRING ) ) == 0 )
309 p += len;
310
311 if( p != end_curve )
312 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
313 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
314
315 /*
316 * ECPoint ::= OCTET STRING
317 */
318 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
319 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
320
321 if( ( ret = ecp_point_read_binary( grp, &grp->G,
322 ( const unsigned char *) p, len ) ) != 0 )
323 {
324 /*
325 * If we can't read the point because it's compressed, cheat by
326 * reading only the X coordinate and the parity bit of Y.
327 */
328 if( ret != POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE ||
329 ( p[0] != 0x02 && p[0] != 0x03 ) ||
330 len != mpi_size( &grp->P ) + 1 ||
331 mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
332 mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
333 mpi_lset( &grp->G.Z, 1 ) != 0 )
334 {
335 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
336 }
337 }
338
339 p += len;
340
341 /*
342 * order INTEGER
343 */
344 if( ( ret = asn1_get_mpi( &p, end, &grp->N ) ) )
345 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
346
347 grp->nbits = mpi_msb( &grp->N );
348
349 /*
350 * Allow optional elements by purposefully not enforcing p == end here.
351 */
352
353 return( 0 );
354 }
355
356 /*
357 * Find the group id associated with an (almost filled) group as generated by
358 * pk_group_from_specified(), or return an error if unknown.
359 */
360 static int pk_group_id_from_group( const ecp_group *grp, ecp_group_id *grp_id )
361 {
362 int ret = 0;
363 ecp_group ref;
364 const ecp_group_id *id;
365
366 ecp_group_init( &ref );
367
368 for( id = ecp_grp_id_list(); *id != POLARSSL_ECP_DP_NONE; id++ )
369 {
370 /* Load the group associated to that id */
371 ecp_group_free( &ref );
372 MPI_CHK( ecp_use_known_dp( &ref, *id ) );
373
374 /* Compare to the group we were given, starting with easy tests */
375 if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
376 mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
377 mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
378 mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
379 mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
380 mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
381 mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
382 /* For Y we may only know the parity bit, so compare only that */
383 mpi_get_bit( &grp->G.Y, 0 ) == mpi_get_bit( &ref.G.Y, 0 ) )
384 {
385 break;
386 }
387
388 }
389
390 cleanup:
391 ecp_group_free( &ref );
392
393 *grp_id = *id;
394
395 if( ret == 0 && *id == POLARSSL_ECP_DP_NONE )
396 ret = POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE;
397
398 return( ret );
399 }
400
401 /*
402 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
403 */
404 static int pk_group_id_from_specified( const asn1_buf *params,
405 ecp_group_id *grp_id )
406 {
407 int ret;
408 ecp_group grp;
409
410 ecp_group_init( &grp );
411
412 if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
413 goto cleanup;
414
415 ret = pk_group_id_from_group( &grp, grp_id );
416
417 cleanup:
418 ecp_group_free( &grp );
419
420 return( ret );
421 }
422 #endif /* POLARSSL_PK_PARSE_EC_EXTENDED */
423
424 /*
425 * Use EC parameters to initialise an EC group
426 *
427 * ECParameters ::= CHOICE {
428 * namedCurve OBJECT IDENTIFIER
429 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
430 * -- implicitCurve NULL
431 */
432 static int pk_use_ecparams( const asn1_buf *params, ecp_group *grp )
433 {
434 int ret;
435 ecp_group_id grp_id;
436
437 if( params->tag == ASN1_OID )
438 {
439 if( oid_get_ec_grp( params, &grp_id ) != 0 )
440 return( POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE );
441 }
442 else
443 {
444 #if defined(POLARSSL_PK_PARSE_EC_EXTENDED)
445 if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
446 return( ret );
447 #else
448 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
449 #endif
450 }
451
452 /*
453 * grp may already be initilialized; if so, make sure IDs match
454 */
455 if( grp->id != POLARSSL_ECP_DP_NONE && grp->id != grp_id )
456 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
457
458 if( ( ret = ecp_use_known_dp( grp, grp_id ) ) != 0 )
459 return( ret );
460
461 return( 0 );
462 }
463
464 /*
465 * EC public key is an EC point
466 *
467 * The caller is responsible for clearing the structure upon failure if
468 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
469 * return code of ecp_point_read_binary() and leave p in a usable state.
470 */
471 static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
472 ecp_keypair *key )
473 {
474 int ret;
475
476 if( ( ret = ecp_point_read_binary( &key->grp, &key->Q,
477 (const unsigned char *) *p, end - *p ) ) == 0 )
478 {
479 ret = ecp_check_pubkey( &key->grp, &key->Q );
480 }
481
482 /*
483 * We know ecp_point_read_binary consumed all bytes or failed
484 */
485 *p = (unsigned char *) end;
486
487 return( ret );
488 }
489 #endif /* POLARSSL_ECP_C */
490
491 #if defined(POLARSSL_RSA_C)
492 /*
493 * RSAPublicKey ::= SEQUENCE {
494 * modulus INTEGER, -- n
495 * publicExponent INTEGER -- e
496 * }
497 */
498 static int pk_get_rsapubkey( unsigned char **p,
499 const unsigned char *end,
500 rsa_context *rsa )
501 {
502 int ret;
503 size_t len;
504
505 if( ( ret = asn1_get_tag( p, end, &len,
506 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
507 return( POLARSSL_ERR_PK_INVALID_PUBKEY + ret );
508
509 if( *p + len != end )
510 return( POLARSSL_ERR_PK_INVALID_PUBKEY +
511 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
512
513 if( ( ret = asn1_get_mpi( p, end, &rsa->N ) ) != 0 ||
514 ( ret = asn1_get_mpi( p, end, &rsa->E ) ) != 0 )
515 return( POLARSSL_ERR_PK_INVALID_PUBKEY + ret );
516
517 if( *p != end )
518 return( POLARSSL_ERR_PK_INVALID_PUBKEY +
519 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
520
521 if( ( ret = rsa_check_pubkey( rsa ) ) != 0 )
522 return( POLARSSL_ERR_PK_INVALID_PUBKEY );
523
524 rsa->len = mpi_size( &rsa->N );
525
526 return( 0 );
527 }
528 #endif /* POLARSSL_RSA_C */
529
530 /* Get a PK algorithm identifier
531 *
532 * AlgorithmIdentifier ::= SEQUENCE {
533 * algorithm OBJECT IDENTIFIER,
534 * parameters ANY DEFINED BY algorithm OPTIONAL }
535 */
536 static int pk_get_pk_alg( unsigned char **p,
537 const unsigned char *end,
538 pk_type_t *pk_alg, asn1_buf *params )
539 {
540 int ret;
541 asn1_buf alg_oid;
542
543 memset( params, 0, sizeof(asn1_buf) );
544
545 if( ( ret = asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
546 return( POLARSSL_ERR_PK_INVALID_ALG + ret );
547
548 if( oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
549 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
550
551 /*
552 * No parameters with RSA (only for EC)
553 */
554 if( *pk_alg == POLARSSL_PK_RSA &&
555 ( ( params->tag != ASN1_NULL && params->tag != 0 ) ||
556 params->len != 0 ) )
557 {
558 return( POLARSSL_ERR_PK_INVALID_ALG );
559 }
560
561 return( 0 );
562 }
563
564 /*
565 * SubjectPublicKeyInfo ::= SEQUENCE {
566 * algorithm AlgorithmIdentifier,
567 * subjectPublicKey BIT STRING }
568 */
569 int pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
570 pk_context *pk )
571 {
572 int ret;
573 size_t len;
574 asn1_buf alg_params;
575 pk_type_t pk_alg = POLARSSL_PK_NONE;
576 const pk_info_t *pk_info;
577
578 if( ( ret = asn1_get_tag( p, end, &len,
579 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
580 {
581 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
582 }
583
584 end = *p + len;
585
586 if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
587 return( ret );
588
589 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
590 return( POLARSSL_ERR_PK_INVALID_PUBKEY + ret );
591
592 if( *p + len != end )
593 return( POLARSSL_ERR_PK_INVALID_PUBKEY +
594 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
595
596 if( ( pk_info = pk_info_from_type( pk_alg ) ) == NULL )
597 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
598
599 if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 )
600 return( ret );
601
602 #if defined(POLARSSL_RSA_C)
603 if( pk_alg == POLARSSL_PK_RSA )
604 {
605 ret = pk_get_rsapubkey( p, end, pk_rsa( *pk ) );
606 } else
607 #endif /* POLARSSL_RSA_C */
608 #if defined(POLARSSL_ECP_C)
609 if( pk_alg == POLARSSL_PK_ECKEY_DH || pk_alg == POLARSSL_PK_ECKEY )
610 {
611 ret = pk_use_ecparams( &alg_params, &pk_ec( *pk )->grp );
612 if( ret == 0 )
613 ret = pk_get_ecpubkey( p, end, pk_ec( *pk ) );
614 } else
615 #endif /* POLARSSL_ECP_C */
616 ret = POLARSSL_ERR_PK_UNKNOWN_PK_ALG;
617
618 if( ret == 0 && *p != end )
619 ret = POLARSSL_ERR_PK_INVALID_PUBKEY
620 POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
621
622 if( ret != 0 )
623 pk_free( pk );
624
625 return( ret );
626 }
627
628 #if defined(POLARSSL_RSA_C)
629 /*
630 * Parse a PKCS#1 encoded private RSA key
631 */
632 static int pk_parse_key_pkcs1_der( rsa_context *rsa,
633 const unsigned char *key,
634 size_t keylen )
635 {
636 int ret;
637 size_t len;
638 unsigned char *p, *end;
639
640 p = (unsigned char *) key;
641 end = p + keylen;
642
643 /*
644 * This function parses the RSAPrivateKey (PKCS#1)
645 *
646 * RSAPrivateKey ::= SEQUENCE {
647 * version Version,
648 * modulus INTEGER, -- n
649 * publicExponent INTEGER, -- e
650 * privateExponent INTEGER, -- d
651 * prime1 INTEGER, -- p
652 * prime2 INTEGER, -- q
653 * exponent1 INTEGER, -- d mod (p-1)
654 * exponent2 INTEGER, -- d mod (q-1)
655 * coefficient INTEGER, -- (inverse of q) mod p
656 * otherPrimeInfos OtherPrimeInfos OPTIONAL
657 * }
658 */
659 if( ( ret = asn1_get_tag( &p, end, &len,
660 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
661 {
662 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
663 }
664
665 end = p + len;
666
667 if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 )
668 {
669 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
670 }
671
672 if( rsa->ver != 0 )
673 {
674 return( POLARSSL_ERR_PK_KEY_INVALID_VERSION );
675 }
676
677 if( ( ret = asn1_get_mpi( &p, end, &rsa->N ) ) != 0 ||
678 ( ret = asn1_get_mpi( &p, end, &rsa->E ) ) != 0 ||
679 ( ret = asn1_get_mpi( &p, end, &rsa->D ) ) != 0 ||
680 ( ret = asn1_get_mpi( &p, end, &rsa->P ) ) != 0 ||
681 ( ret = asn1_get_mpi( &p, end, &rsa->Q ) ) != 0 ||
682 ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 ||
683 ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 ||
684 ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 )
685 {
686 rsa_free( rsa );
687 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
688 }
689
690 rsa->len = mpi_size( &rsa->N );
691
692 if( p != end )
693 {
694 rsa_free( rsa );
695 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
696 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
697 }
698
699 if( ( ret = rsa_check_privkey( rsa ) ) != 0 )
700 {
701 rsa_free( rsa );
702 return( ret );
703 }
704
705 return( 0 );
706 }
707 #endif /* POLARSSL_RSA_C */
708
709 #if defined(POLARSSL_ECP_C)
710 /*
711 * Parse a SEC1 encoded private EC key
712 */
713 static int pk_parse_key_sec1_der( ecp_keypair *eck,
714 const unsigned char *key,
715 size_t keylen )
716 {
717 int ret;
718 int version, pubkey_done;
719 size_t len;
720 asn1_buf params;
721 unsigned char *p = (unsigned char *) key;
722 unsigned char *end = p + keylen;
723 unsigned char *end2;
724
725 /*
726 * RFC 5915, or SEC1 Appendix C.4
727 *
728 * ECPrivateKey ::= SEQUENCE {
729 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
730 * privateKey OCTET STRING,
731 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
732 * publicKey [1] BIT STRING OPTIONAL
733 * }
734 */
735 if( ( ret = asn1_get_tag( &p, end, &len,
736 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
737 {
738 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
739 }
740
741 end = p + len;
742
743 if( ( ret = asn1_get_int( &p, end, &version ) ) != 0 )
744 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
745
746 if( version != 1 )
747 return( POLARSSL_ERR_PK_KEY_INVALID_VERSION );
748
749 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
750 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
751
752 if( ( ret = mpi_read_binary( &eck->d, p, len ) ) != 0 )
753 {
754 ecp_keypair_free( eck );
755 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
756 }
757
758 p += len;
759
760 /*
761 * Is 'parameters' present?
762 */
763 if( ( ret = asn1_get_tag( &p, end, &len,
764 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 )
765 {
766 if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
767 ( ret = pk_use_ecparams( &params, &eck->grp ) ) != 0 )
768 {
769 ecp_keypair_free( eck );
770 return( ret );
771 }
772 }
773 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
774 {
775 ecp_keypair_free( eck );
776 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
777 }
778
779 /*
780 * Is 'publickey' present? If not, or if we can't read it (eg because it
781 * is compressed), create it from the private key.
782 */
783 pubkey_done = 0;
784 if( ( ret = asn1_get_tag( &p, end, &len,
785 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 )
786 {
787 end2 = p + len;
788
789 if( ( ret = asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
790 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
791
792 if( p + len != end2 )
793 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
794 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
795
796 if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
797 pubkey_done = 1;
798 else
799 {
800 /*
801 * The only acceptable failure mode of pk_get_ecpubkey() above
802 * is if the point format is not recognized.
803 */
804 if( ret != POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE )
805 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
806 }
807 }
808 else if ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
809 {
810 ecp_keypair_free( eck );
811 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
812 }
813
814 if( ! pubkey_done &&
815 ( ret = ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
816 NULL, NULL ) ) != 0 )
817 {
818 ecp_keypair_free( eck );
819 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
820 }
821
822 if( ( ret = ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
823 {
824 ecp_keypair_free( eck );
825 return( ret );
826 }
827
828 return 0;
829 }
830 #endif /* POLARSSL_ECP_C */
831
832 /*
833 * Parse an unencrypted PKCS#8 encoded private key
834 */
835 static int pk_parse_key_pkcs8_unencrypted_der(
836 pk_context *pk,
837 const unsigned char* key,
838 size_t keylen )
839 {
840 int ret, version;
841 size_t len;
842 asn1_buf params;
843 unsigned char *p = (unsigned char *) key;
844 unsigned char *end = p + keylen;
845 pk_type_t pk_alg = POLARSSL_PK_NONE;
846 const pk_info_t *pk_info;
847
848 /*
849 * This function parses the PrivatKeyInfo object (PKCS#8 v1.2 = RFC 5208)
850 *
851 * PrivateKeyInfo ::= SEQUENCE {
852 * version Version,
853 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
854 * privateKey PrivateKey,
855 * attributes [0] IMPLICIT Attributes OPTIONAL }
856 *
857 * Version ::= INTEGER
858 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
859 * PrivateKey ::= OCTET STRING
860 *
861 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
862 */
863
864 if( ( ret = asn1_get_tag( &p, end, &len,
865 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
866 {
867 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
868 }
869
870 end = p + len;
871
872 if( ( ret = asn1_get_int( &p, end, &version ) ) != 0 )
873 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
874
875 if( version != 0 )
876 return( POLARSSL_ERR_PK_KEY_INVALID_VERSION + ret );
877
878 if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
879 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
880
881 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
882 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
883
884 if( len < 1 )
885 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT +
886 POLARSSL_ERR_ASN1_OUT_OF_DATA );
887
888 if( ( pk_info = pk_info_from_type( pk_alg ) ) == NULL )
889 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
890
891 if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 )
892 return( ret );
893
894 #if defined(POLARSSL_RSA_C)
895 if( pk_alg == POLARSSL_PK_RSA )
896 {
897 if( ( ret = pk_parse_key_pkcs1_der( pk_rsa( *pk ), p, len ) ) != 0 )
898 {
899 pk_free( pk );
900 return( ret );
901 }
902 } else
903 #endif /* POLARSSL_RSA_C */
904 #if defined(POLARSSL_ECP_C)
905 if( pk_alg == POLARSSL_PK_ECKEY || pk_alg == POLARSSL_PK_ECKEY_DH )
906 {
907 if( ( ret = pk_use_ecparams( &params, &pk_ec( *pk )->grp ) ) != 0 ||
908 ( ret = pk_parse_key_sec1_der( pk_ec( *pk ), p, len ) ) != 0 )
909 {
910 pk_free( pk );
911 return( ret );
912 }
913 } else
914 #endif /* POLARSSL_ECP_C */
915 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
916
917 return 0;
918 }
919
920 /*
921 * Parse an encrypted PKCS#8 encoded private key
922 */
923 static int pk_parse_key_pkcs8_encrypted_der(
924 pk_context *pk,
925 const unsigned char *key, size_t keylen,
926 const unsigned char *pwd, size_t pwdlen )
927 {
928 int ret, decrypted = 0;
929 size_t len;
930 unsigned char buf[2048];
931 unsigned char *p, *end;
932 asn1_buf pbe_alg_oid, pbe_params;
933 #if defined(POLARSSL_PKCS12_C)
934 cipher_type_t cipher_alg;
935 md_type_t md_alg;
936 #endif
937
938 memset( buf, 0, sizeof( buf ) );
939
940 p = (unsigned char *) key;
941 end = p + keylen;
942
943 if( pwdlen == 0 )
944 return( POLARSSL_ERR_PK_PASSWORD_REQUIRED );
945
946 /*
947 * This function parses the EncryptedPrivatKeyInfo object (PKCS#8)
948 *
949 * EncryptedPrivateKeyInfo ::= SEQUENCE {
950 * encryptionAlgorithm EncryptionAlgorithmIdentifier,
951 * encryptedData EncryptedData
952 * }
953 *
954 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
955 *
956 * EncryptedData ::= OCTET STRING
957 *
958 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
959 */
960 if( ( ret = asn1_get_tag( &p, end, &len,
961 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
962 {
963 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
964 }
965
966 end = p + len;
967
968 if( ( ret = asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
969 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
970
971 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
972 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT + ret );
973
974 if( len > sizeof( buf ) )
975 return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
976
977 /*
978 * Decrypt EncryptedData with appropriate PDE
979 */
980 #if defined(POLARSSL_PKCS12_C)
981 if( oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
982 {
983 if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
984 cipher_alg, md_alg,
985 pwd, pwdlen, p, len, buf ) ) != 0 )
986 {
987 if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
988 return( POLARSSL_ERR_PK_PASSWORD_MISMATCH );
989
990 return( ret );
991 }
992
993 decrypted = 1;
994 }
995 else if( OID_CMP( OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) )
996 {
997 if( ( ret = pkcs12_pbe_sha1_rc4_128( &pbe_params,
998 PKCS12_PBE_DECRYPT,
999 pwd, pwdlen,
1000 p, len, buf ) ) != 0 )
1001 {
1002 return( ret );
1003 }
1004
1005 // Best guess for password mismatch when using RC4. If first tag is
1006 // not ASN1_CONSTRUCTED | ASN1_SEQUENCE
1007 //
1008 if( *buf != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
1009 return( POLARSSL_ERR_PK_PASSWORD_MISMATCH );
1010
1011 decrypted = 1;
1012 }
1013 else
1014 #endif /* POLARSSL_PKCS12_C */
1015 #if defined(POLARSSL_PKCS5_C)
1016 if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
1017 {
1018 if( ( ret = pkcs5_pbes2( &pbe_params, PKCS5_DECRYPT, pwd, pwdlen,
1019 p, len, buf ) ) != 0 )
1020 {
1021 if( ret == POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH )
1022 return( POLARSSL_ERR_PK_PASSWORD_MISMATCH );
1023
1024 return( ret );
1025 }
1026
1027 decrypted = 1;
1028 }
1029 else
1030 #endif /* POLARSSL_PKCS5_C */
1031 {
1032 ((void) pwd);
1033 }
1034
1035 if( decrypted == 0 )
1036 return( POLARSSL_ERR_PK_FEATURE_UNAVAILABLE );
1037
1038 return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
1039 }
1040
1041 /*
1042 * Parse a private key
1043 */
1044 int pk_parse_key( pk_context *pk,
1045 const unsigned char *key, size_t keylen,
1046 const unsigned char *pwd, size_t pwdlen )
1047 {
1048 int ret;
1049 const pk_info_t *pk_info;
1050
1051 #if defined(POLARSSL_PEM_PARSE_C)
1052 size_t len;
1053 pem_context pem;
1054
1055 pem_init( &pem );
1056
1057 #if defined(POLARSSL_RSA_C)
1058 ret = pem_read_buffer( &pem,
1059 "-----BEGIN RSA PRIVATE KEY-----",
1060 "-----END RSA PRIVATE KEY-----",
1061 key, pwd, pwdlen, &len );
1062 if( ret == 0 )
1063 {
1064 if( ( pk_info = pk_info_from_type( POLARSSL_PK_RSA ) ) == NULL )
1065 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
1066
1067 if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 ||
1068 ( ret = pk_parse_key_pkcs1_der( pk_rsa( *pk ),
1069 pem.buf, pem.buflen ) ) != 0 )
1070 {
1071 pk_free( pk );
1072 }
1073
1074 pem_free( &pem );
1075 return( ret );
1076 }
1077 else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH )
1078 return( POLARSSL_ERR_PK_PASSWORD_MISMATCH );
1079 else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED )
1080 return( POLARSSL_ERR_PK_PASSWORD_REQUIRED );
1081 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1082 return( ret );
1083 #endif /* POLARSSL_RSA_C */
1084
1085 #if defined(POLARSSL_ECP_C)
1086 ret = pem_read_buffer( &pem,
1087 "-----BEGIN EC PRIVATE KEY-----",
1088 "-----END EC PRIVATE KEY-----",
1089 key, pwd, pwdlen, &len );
1090 if( ret == 0 )
1091 {
1092 if( ( pk_info = pk_info_from_type( POLARSSL_PK_ECKEY ) ) == NULL )
1093 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
1094
1095 if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 ||
1096 ( ret = pk_parse_key_sec1_der( pk_ec( *pk ),
1097 pem.buf, pem.buflen ) ) != 0 )
1098 {
1099 pk_free( pk );
1100 }
1101
1102 pem_free( &pem );
1103 return( ret );
1104 }
1105 else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH )
1106 return( POLARSSL_ERR_PK_PASSWORD_MISMATCH );
1107 else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED )
1108 return( POLARSSL_ERR_PK_PASSWORD_REQUIRED );
1109 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1110 return( ret );
1111 #endif /* POLARSSL_ECP_C */
1112
1113 ret = pem_read_buffer( &pem,
1114 "-----BEGIN PRIVATE KEY-----",
1115 "-----END PRIVATE KEY-----",
1116 key, NULL, 0, &len );
1117 if( ret == 0 )
1118 {
1119 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
1120 pem.buf, pem.buflen ) ) != 0 )
1121 {
1122 pk_free( pk );
1123 }
1124
1125 pem_free( &pem );
1126 return( ret );
1127 }
1128 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1129 return( ret );
1130
1131 ret = pem_read_buffer( &pem,
1132 "-----BEGIN ENCRYPTED PRIVATE KEY-----",
1133 "-----END ENCRYPTED PRIVATE KEY-----",
1134 key, NULL, 0, &len );
1135 if( ret == 0 )
1136 {
1137 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
1138 pem.buf, pem.buflen,
1139 pwd, pwdlen ) ) != 0 )
1140 {
1141 pk_free( pk );
1142 }
1143
1144 pem_free( &pem );
1145 return( ret );
1146 }
1147 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1148 return( ret );
1149 #else
1150 ((void) pwd);
1151 ((void) pwdlen);
1152 #endif /* POLARSSL_PEM_PARSE_C */
1153
1154 /*
1155 * At this point we only know it's not a PEM formatted key. Could be any
1156 * of the known DER encoded private key formats
1157 *
1158 * We try the different DER format parsers to see if one passes without
1159 * error
1160 */
1161 if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, key, keylen,
1162 pwd, pwdlen ) ) == 0 )
1163 {
1164 return( 0 );
1165 }
1166
1167 pk_free( pk );
1168
1169 if( ret == POLARSSL_ERR_PK_PASSWORD_MISMATCH )
1170 {
1171 return( ret );
1172 }
1173
1174 if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
1175 return( 0 );
1176
1177 pk_free( pk );
1178
1179 #if defined(POLARSSL_RSA_C)
1180 if( ( pk_info = pk_info_from_type( POLARSSL_PK_RSA ) ) == NULL )
1181 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
1182
1183 if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 ||
1184 ( ret = pk_parse_key_pkcs1_der( pk_rsa( *pk ), key, keylen ) ) == 0 )
1185 {
1186 return( 0 );
1187 }
1188
1189 pk_free( pk );
1190 #endif /* POLARSSL_RSA_C */
1191
1192 #if defined(POLARSSL_ECP_C)
1193 if( ( pk_info = pk_info_from_type( POLARSSL_PK_ECKEY ) ) == NULL )
1194 return( POLARSSL_ERR_PK_UNKNOWN_PK_ALG );
1195
1196 if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 ||
1197 ( ret = pk_parse_key_sec1_der( pk_ec( *pk ), key, keylen ) ) == 0 )
1198 {
1199 return( 0 );
1200 }
1201
1202 pk_free( pk );
1203 #endif /* POLARSSL_ECP_C */
1204
1205 return( POLARSSL_ERR_PK_KEY_INVALID_FORMAT );
1206 }
1207
1208 /*
1209 * Parse a public key
1210 */
1211 int pk_parse_public_key( pk_context *ctx,
1212 const unsigned char *key, size_t keylen )
1213 {
1214 int ret;
1215 unsigned char *p;
1216 #if defined(POLARSSL_PEM_PARSE_C)
1217 size_t len;
1218 pem_context pem;
1219
1220 pem_init( &pem );
1221 ret = pem_read_buffer( &pem,
1222 "-----BEGIN PUBLIC KEY-----",
1223 "-----END PUBLIC KEY-----",
1224 key, NULL, 0, &len );
1225
1226 if( ret == 0 )
1227 {
1228 /*
1229 * Was PEM encoded
1230 */
1231 key = pem.buf;
1232 keylen = pem.buflen;
1233 }
1234 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1235 {
1236 pem_free( &pem );
1237 return( ret );
1238 }
1239 #endif /* POLARSSL_PEM_PARSE_C */
1240 p = (unsigned char *) key;
1241
1242 ret = pk_parse_subpubkey( &p, p + keylen, ctx );
1243
1244 #if defined(POLARSSL_PEM_PARSE_C)
1245 pem_free( &pem );
1246 #endif
1247
1248 return( ret );
1249 }
1250
1251 #endif /* POLARSSL_PK_PARSE_C */
syren