PROV: Add MSBLOB and PVK to DSA and RSA deserializers

Reviewed-by: N Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12574)

PROV: Add MSBLOB and PVK to DSA and RSA deserializers
Reviewed-by: N Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12574)
37d398c1 · Richard Levitte · fb890008 · 37d398c1 · 37d398c1 · 37d398c1
6 changed file
--- a/providers/deserializers.inc
+++ b/providers/deserializers.inc
@@ -16,6 +16,10 @@
 #endif
 #ifndef OPENSSL_NO_DSA
    DESER("DSA", "yes", "der", der_to_dsa_deserializer_functions),
+    DESER("DSA", "yes", "mblob", msblob_to_dsa_deserializer_functions),
+# ifndef OPENSSL_NO_RC4
+    DESER("DSA", "yes", "pvk", pvk_to_dsa_deserializer_functions),
+# endif
 #endif
 #ifndef OPENSSL_NO_EC
    DESER("EC", "yes", "der", der_to_ec_deserializer_functions),
@@ -26,5 +30,12 @@
 #endif
    DESER("RSA", "yes", "der", der_to_rsa_deserializer_functions),
    DESER("RSA-PSS", "yes", "der", der_to_rsapss_deserializer_functions),
+#ifndef OPENSSL_NO_DSA
+    DESER("RSA", "yes", "mblob", msblob_to_rsa_deserializer_functions),
+# ifndef OPENSSL_NO_RC4
+    DESER("RSA", "yes", "pvk", pvk_to_rsa_deserializer_functions),
+# endif
+#endif
    DESER("DER", "yes", "pem", pem_to_der_deserializer_functions),
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -361,6 +361,8 @@ extern const OSSL_DISPATCH ec_param_pem_serializer_functions[];
 extern const OSSL_DISPATCH der_to_dh_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_dsa_deserializer_functions[];
+extern const OSSL_DISPATCH msblob_to_dsa_deserializer_functions[];
+extern const OSSL_DISPATCH pvk_to_dsa_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_ec_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_x25519_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_x448_deserializer_functions[];
@@ -368,4 +370,6 @@ extern const OSSL_DISPATCH der_to_ed25519_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_ed448_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_rsa_deserializer_functions[];
 extern const OSSL_DISPATCH der_to_rsapss_deserializer_functions[];
+extern const OSSL_DISPATCH msblob_to_rsa_deserializer_functions[];
+extern const OSSL_DISPATCH pvk_to_rsa_deserializer_functions[];
 extern const OSSL_DISPATCH pem_to_der_deserializer_functions[];
--- a/providers/implementations/serializers/build.info
+++ b/providers/implementations/serializers/build.info
@@ -12,7 +12,11 @@ $EC_GOAL=../../libimplementations.a
 SOURCE[$SERIALIZER_GOAL]=serializer_common.c deserialize_common.c
-SOURCE[$RSA_GOAL]=deserialize_der2key.c deserialize_pem2der.c
+SOURCE[$DESERIALIZER_GOAL]=deserialize_der2key.c deserialize_pem2der.c
+IF[{- !$disabled{dsa} -}]
+  SOURCE[$DESERIALIZER_GOAL]=deserialize_ms2key.c
+ENDIF
 SOURCE[$RSA_GOAL]=serializer_rsa.c serializer_rsa_priv.c serializer_rsa_pub.c
 DEPEND[serializer_rsa.o]=../../common/include/prov/der_rsa.h

--- a/providers/implementations/serializers/deserialize_common.c
+++ b/providers/implementations/serializers/deserialize_common.c
@@ -7,11 +7,13 @@
 * https://www.openssl.org/source/license.html
 */
+#include <openssl/core_names.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/buffer.h>
-#include <openssl/pem.h>
+#include <openssl/pem.h>         /* For public PEM and PVK functions */
 #include <openssl/pkcs12.h>
+#include "internal/pem.h"        /* For internal PVK and "blob" functions */
 #include "internal/cryptlib.h"
 #include "crypto/asn1.h"
 #include "prov/bio.h"               /* ossl_prov_bio_printf() */
@@ -45,6 +47,60 @@ int ossl_prov_read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
    return ok;
 }
+#ifndef OPENSSL_NO_DSA
+EVP_PKEY *ossl_prov_read_msblob(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
+                                int *ispub)
+{
+    BIO *in = bio_new_from_core_bio(provctx, cin);
+    EVP_PKEY *pkey = ossl_b2i_bio(in, ispub);
+    BIO_free(in);
+    return pkey;
+}
+struct pwdata_st {
+    OSSL_PASSPHRASE_CALLBACK *pw_cb;
+    void *pw_cbarg;
+};
+pem_password_cb pw_pem_password_to_ossl_passhrase;
+int pw_pem_password_to_ossl_passhrase(char *buf, int size, int rwflag,
+                                      void *userdata)
+{
+    struct pwdata_st *data = userdata;
+    size_t pw_len = 0;
+    static char prompt_info[] = "pass phrase";
+    OSSL_PARAM params[] = {
+        OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, prompt_info,
+                               sizeof(prompt_info) - 1),
+        OSSL_PARAM_END
+    };
+    int ok = data->pw_cb(buf, (size_t)size, &pw_len, params, data->pw_cbarg);
+    if (ok)
+        return (int)pw_len;
+    else
+        return -1;
+}
+# ifndef OPENSSL_NO_RC4
+EVP_PKEY *ossl_prov_read_pvk(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
+                             OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+    BIO *in = bio_new_from_core_bio(provctx, cin);
+    EVP_PKEY *pkey = NULL;
+    struct pwdata_st pwdata;
+    pwdata.pw_cb = pw_cb;
+    pwdata.pw_cbarg = pw_cbarg;
+    pkey = b2i_PVK_bio(in, pw_pem_password_to_ossl_passhrase, &pwdata);
+    BIO_free(in);
+    return pkey;
+}
+# endif
+#endif
 int ossl_prov_der_from_p8(unsigned char **new_der, long *new_der_len,
                          unsigned char *input_der, long input_der_len,
                          OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)

--- a/providers/implementations/serializers/deserialize_ms2key.c
+++ b/providers/implementations/serializers/deserialize_ms2key.c
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+/*
+ * low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/crypto.h>
+#include <openssl/params.h>
+#include <openssl/x509.h>
+#include "internal/pem.h"        /* For PVK and "blob" PEM headers */
+#include "prov/bio.h"
+#include "prov/implementations.h"
+#include "serializer_local.h"
+static OSSL_FUNC_deserializer_freectx_fn ms2key_freectx;
+static OSSL_FUNC_deserializer_gettable_params_fn ms2key_gettable_params;
+static OSSL_FUNC_deserializer_get_params_fn msblob2key_get_params;
+#ifndef OPENSSL_NO_RC4
+static OSSL_FUNC_deserializer_get_params_fn pvk2key_get_params;
+#endif
+static OSSL_FUNC_deserializer_deserialize_fn msblob2key_deserialize;
+#ifndef OPENSSL_NO_RC4
+static OSSL_FUNC_deserializer_deserialize_fn pvk2key_deserialize;
+#endif
+static OSSL_FUNC_deserializer_export_object_fn ms2key_export_object;
+typedef void *(extract_key_fn)(EVP_PKEY *);
+typedef void (free_key_fn)(void *);
+struct keytype_desc_st {
+    int type;                 /* EVP key type */
+    const char *name;         /* Keytype */
+    const OSSL_DISPATCH *fns; /* Keymgmt (to pilfer functions from) */
+    /*
+     * These must be the correct EVP_PKEY_get1_{TYPE}() and {TYPE}_free()
+     * function for the key.
+     */
+    extract_key_fn *extract_key;
+    free_key_fn *free_key;
+};
+/*
+ * Context used for DER to key deserialization.
+ */
+struct ms2key_ctx_st {
+    PROV_CTX *provctx;
+    const struct keytype_desc_st *desc;
+};
+static struct ms2key_ctx_st *
+ms2key_newctx(void *provctx, const struct keytype_desc_st *desc)
+{
+    struct ms2key_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx));
+    if (ctx != NULL) {
+        ctx->provctx = provctx;
+        ctx->desc = desc;
+    }
+    return ctx;
+}
+static void ms2key_freectx(void *vctx)
+{
+    struct ms2key_ctx_st *ctx = vctx;
+    OPENSSL_free(ctx);
+}
+static const OSSL_PARAM *ms2key_gettable_params(void)
+{
+    static const OSSL_PARAM gettables[] = {
+        { OSSL_DESERIALIZER_PARAM_INPUT_TYPE, OSSL_PARAM_UTF8_PTR, NULL, 0, 0 },
+        OSSL_PARAM_END,
+    };
+    return gettables;
+}
+static int msblob2key_get_params(OSSL_PARAM params[])
+{
+    OSSL_PARAM *p;
+    p = OSSL_PARAM_locate(params, OSSL_DESERIALIZER_PARAM_INPUT_TYPE);
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "MSBLOB"))
+        return 0;
+    return 1;
+}
+#ifndef OPENSSL_NO_RC4
+static int pvk2key_get_params(OSSL_PARAM params[])
+{
+    OSSL_PARAM *p;
+    p = OSSL_PARAM_locate(params, OSSL_DESERIALIZER_PARAM_INPUT_TYPE);
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "PVK"))
+        return 0;
+    return 1;
+}
+#endif
+static int ms2key_post(struct ms2key_ctx_st *ctx, EVP_PKEY *pkey,
+                       OSSL_CALLBACK *data_cb, void *data_cbarg)
+{
+    void *key = NULL;
+    int ok = 0;
+    if (pkey != NULL) {
+        /*
+         * Tear out the low-level key pointer from the pkey,
+         * but only if it matches the expected key type.
+         *
+         * TODO(3.0): The check should be done with EVP_PKEY_is_a(), but
+         * as long as we still have #legacy internal keys, it's safer to
+         * use the type numbers in side the provider.
+         */
+        if (EVP_PKEY_id(pkey) == ctx->desc->type)
+            key = ctx->desc->extract_key(pkey);
+    }
+    if (key != NULL) {
+        OSSL_PARAM params[3];
+        params[0] =
+            OSSL_PARAM_construct_utf8_string(OSSL_DESERIALIZER_PARAM_DATA_TYPE,
+                                             (char *)ctx->desc->name, 0);
+        /* The address of the key becomes the octet string */
+        params[1] =
+            OSSL_PARAM_construct_octet_string(OSSL_DESERIALIZER_PARAM_REFERENCE,
+                                              &key, sizeof(key));
+        params[2] = OSSL_PARAM_construct_end();
+        ok = data_cb(params, data_cbarg);
+    }
+    ctx->desc->free_key(key);
+    return ok;
+}
+static int msblob2key_deserialize(void *vctx, OSSL_CORE_BIO *cin,
+                                  OSSL_CALLBACK *data_cb, void *data_cbarg,
+                                  OSSL_PASSPHRASE_CALLBACK *pw_cb,
+                                  void *pw_cbarg)
+{
+    struct ms2key_ctx_st *ctx = vctx;
+    int ispub = -1;
+    EVP_PKEY *pkey = ossl_prov_read_msblob(ctx->provctx, cin, &ispub);
+    int ok = ms2key_post(ctx, pkey, data_cb, data_cbarg);
+    EVP_PKEY_free(pkey);
+    return ok;
+}
+#ifndef OPENSSL_NO_RC4
+static int pvk2key_deserialize(void *vctx, OSSL_CORE_BIO *cin,
+                               OSSL_CALLBACK *data_cb, void *data_cbarg,
+                               OSSL_PASSPHRASE_CALLBACK *pw_cb,
+                               void *pw_cbarg)
+{
+    struct ms2key_ctx_st *ctx = vctx;
+    EVP_PKEY *pkey = ossl_prov_read_pvk(ctx->provctx, cin, pw_cb, pw_cbarg);
+    int ok = ms2key_post(ctx, pkey, data_cb, data_cbarg);
+    EVP_PKEY_free(pkey);
+    return ok;
+}
+#endif
+static int ms2key_export_object(void *vctx,
+                                 const void *reference, size_t reference_sz,
+                                 OSSL_CALLBACK *export_cb, void *export_cbarg)
+{
+    struct ms2key_ctx_st *ctx = vctx;
+    OSSL_FUNC_keymgmt_export_fn *export =
+        ossl_prov_get_keymgmt_export(ctx->desc->fns);
+    void *keydata;
+    if (reference_sz == sizeof(keydata) && export != NULL) {
+        /* The contents of the reference is the address to our object */
+        keydata = *(void **)reference;
+        return export(keydata, OSSL_KEYMGMT_SELECT_ALL,
+                      export_cb, export_cbarg);
+    }
+    return 0;
+}
+#define IMPLEMENT_TYPE(KEYTYPEstr, KEYTYPE, keytype, extract, free)     \
+    static const struct keytype_desc_st keytype##_desc;                 \
+    static OSSL_FUNC_deserializer_newctx_fn ms2##keytype##_newctx;      \
+    static void *ms2##keytype##_newctx(void *provctx)                   \
+    {                                                                   \
+        return ms2key_newctx(provctx, &keytype##_desc);                 \
+    }                                                                   \
+    static const struct keytype_desc_st keytype##_desc =                \
+        { EVP_PKEY_##KEYTYPE, KEYTYPEstr, keytype##_keymgmt_functions,  \
+          (extract_key_fn *)extract,                                    \
+          (free_key_fn *)free }
+#define IMPLEMENT_MS(mstype, keytype)                                   \
+    const OSSL_DISPATCH                                                 \
+    mstype##_to_##keytype##_deserializer_functions[] = {                \
+        { OSSL_FUNC_DESERIALIZER_NEWCTX,                                \
+          (void (*)(void))ms2##keytype##_newctx },                      \
+        { OSSL_FUNC_DESERIALIZER_FREECTX,                               \
+          (void (*)(void))ms2key_freectx },                             \
+        { OSSL_FUNC_DESERIALIZER_GETTABLE_PARAMS,                       \
+          (void (*)(void))ms2key_gettable_params },                     \
+        { OSSL_FUNC_DESERIALIZER_GET_PARAMS,                            \
+          (void (*)(void))mstype##2key_get_params },                    \
+        { OSSL_FUNC_DESERIALIZER_DESERIALIZE,                           \
+          (void (*)(void))mstype##2key_deserialize },                   \
+        { OSSL_FUNC_DESERIALIZER_EXPORT_OBJECT,                         \
+          (void (*)(void))ms2key_export_object },                       \
+        { 0, NULL }                                                     \
+    }
+#ifndef OPENSSL_NO_DSA
+IMPLEMENT_TYPE("DSA", DSA, dsa, EVP_PKEY_get1_DSA, DSA_free);
+IMPLEMENT_MS(msblob, dsa);
+# ifndef OPENSSL_NO_RC4
+IMPLEMENT_MS(pvk, dsa);
+# endif
+#endif
+IMPLEMENT_TYPE("RSA", RSA, rsa, EVP_PKEY_get1_RSA, RSA_free);
+IMPLEMENT_MS(msblob, rsa);
+#ifndef OPENSSL_NO_RC4
+IMPLEMENT_MS(pvk, rsa);
+#endif
--- a/providers/implementations/serializers/serializer_local.h
+++ b/providers/implementations/serializers/serializer_local.h
@@ -167,6 +167,14 @@ int ossl_prov_read_der(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
 int ossl_prov_read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
                       char **pem_name, char **pem_header,
                       unsigned char **data, long *len);
+#ifndef OPENSSL_NO_DSA
+EVP_PKEY *ossl_prov_read_msblob(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
+                                int *ispub);
+# ifndef OPENSSL_NO_RC4
+EVP_PKEY *ossl_prov_read_pvk(PROV_CTX *provctx, OSSL_CORE_BIO *cin,
+                             OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg);
+# endif
+#endif
 int ossl_prov_der_from_p8(unsigned char **new_der, long *new_der_len,
                          unsigned char *input_der, long input_der_len,