summaryrefslogtreecommitdiff
path: root/providers/implementations/encode_decode
Commit message (Collapse)AuthorAgeFilesLines
* Do not create DSA keys without parameters by decoderTomas Mraz2023-02-071-1/+1
| | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Cleanup : directly include of `internal/nelem.h` when required.FdaSilvaYY2022-11-231-0/+1
| | | | | | | | And so clean a few useless includes Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19721)
* Stop raising ERR_R_MALLOC_FAILURE in most placesRichard Levitte2022-10-053-17/+13
| | | | | | | | | | | | | | | | | | | | | | | Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
* Support decode SM2 parametersK12022-08-233-3/+7
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18819)
* dh_to_text: Print the dh->length if setTomas Mraz2022-07-181-0/+6
| | | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
* Check return value of ossl_parse_property()Tomas Mraz2022-06-061-1/+1
| | | | | | | | | | Also check if we have d2i_public_key() function pointer. Fixes https://github.com/openssl/openssl/pull/18355#issuecomment-1144893289 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18462)
* Update copyright yearMatt Caswell2022-05-0310-10/+10
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
* Add the missing check of BN_bn2hex return valueZhou Qingyang2022-01-281-0/+3
| | | | | | | | | | | CLA: trivial Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17578)
* OSSL_STORE: Prevent spurious error during loading private keysDr. David von Oheimb2022-01-061-5/+18
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15283)
* Fix typosDimitris Apostolou2022-01-051-1/+1
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
* Check the return value of ossl_bio_new_from_core_bio()x20182022-01-037-8/+33
| | | | | | | | There are missing checks of its return value in 8 different spots. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17154)
* key_to_type_specific_pem_bio_cb: Use passphrase callback from the argumentsTomas Mraz2021-12-061-1/+1
| | | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17181)
* PVK decoder: prompt for PVK passphrase and not PEMTomas Mraz2021-12-061-1/+1
| | | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17181)
* Fix pvk encoder to properly query for the passphraseTomas Mraz2021-12-061-5/+7
| | | | | | | | | | | The passphrase callback data was not properly initialized. Fixes #17054 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17181)
* Fix the return check of OBJ_obj2txtPW Hu2021-11-221-1/+1
| | | | | | | | Also update OBJ_nid2obj.pod to document the possible return values. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17005)
* Fix DER encoder implementations for output structures "EC" and "SM2"Richard Levitte2021-11-091-5/+5
| | | | | | | | | | | | | | | These DER encoder implementations are supposed to be aliases for the "type-specific" output structure, but were made different in so far that they would output a "type specific" public key, which turns out to be garbage (it called i2o_ECPublicKey()). The "type-specific" output structure doesn't support that, and shouldn't. Fixes #16977 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16983) (cherry picked from commit 2cb802e16fff3fb2c57ae664baa7bd9ce3e33805)
* fix some code with obvious wrong coding stylex20182021-10-281-1/+1
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16918)
* Don't crash encoding a public key with no public key valueMatt Caswell2021-10-271-0/+4
| | | | | | | | | | | | If asked to encode an EC_KEY public key, but no public key value is present in the structure, we should fail rather than crash. Fixes the crash seen here: https://mta.openssl.org/pipermail/openssl-users/2021-October/014479.html Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16911)
* ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo outputRichard Levitte2021-09-051-1/+35
| | | | | | | | | | | | Since EncryptedPrivateKeyInfo is a recognised structure, it's reasonable to think that someone might want to specify it. To be noted is that if someone specifies the structure PrivateKeyInfo but has also passed a passphrase callback, the result will still become a EncryptedPrivateKeyInfo structure. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466)
* PEM to DER decoder: Specify object type and data structure more consistentlyRichard Levitte2021-09-051-4/+5
| | | | | | | | | | | | The data structure wasn't given for recognised certificates or CRLs. It's better, though, to specify it for those objects as well, so they can be used to filter what actually gets decoded, which will be helpful for our OSSL_STORE 'file:' scheme implementation. Fixes #16224 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466)
* Fix VS2019 compile error C4703: potentially uninitialized local pointer ↵Kelvin Lee2021-08-061-2/+2
| | | | | | | | | | | | | | variable used. encode_key2text.c(689): error C4703: potentially uninitialized local pointer variable 'modulus_label' used encode_key2text.c(691): error C4703: potentially uninitialized local pointer variable 'exponent_label' used CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12845)
* DECODER & ENCODER: Make sure to pass around the original selection bitsRichard Levitte2021-06-293-10/+16
| | | | | | | | | | | | | | | | | When decoding a key and asking the keymgmt to import the key data, it was told that the key data includes everything. This may not be true, since the user may have specified a different selection, and some keymgmts may want to be informed. Our key decoders' export function, on the other hand, didn't care either, and simply export anything they could, regardless. In both cases, the selection that was specified by the user is now passed all the way. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15934)
* PROV: Have our PEM->DER decoder only recognise our PEM namesRichard Levitte2021-06-291-73/+43
| | | | | | | | | | | This is to avoid creating confusion where other PEM decoder implementations may know better what PEM names that are unknown to us actually mean. Fixes #15929 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15930)
* epki2pki_decode: passphrase callback failure is fatal errorTomas Mraz2021-06-241-0/+1
| | | | | Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15878)
* Update copyright yearMatt Caswell2021-06-172-2/+2
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15801)
* Add a generic SubjectPublicKeyInfo decoderMatt Caswell2021-06-145-19/+147
| | | | | | | | | | | | | | | | Previously all the SubjectPublicKeyInfo decoders were specific to a key type. We would iterate over all them until a match was found for the correct key type. Each one would fully decode the key before then testing whether it was a match or not - throwing it away if not. This was very inefficient. Instead we introduce a generic SubjectPublicKeyInfo decoder which figures out what type of key is contained within it, before subsequently passing on the data to a key type specific SubjectPublicKeyInfo decoder. Fixes #15646 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15662)
* Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8Richard Levitte2021-06-095-142/+334
| | | | | | | | | | | | | | | | | | | This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo", which is sensible considering we already have "SubjectPublicKeyInfo". We also add "EncryptedPrivateKeyInfo", and use it for a special decoder that detects and decrypts an EncryptedPrivateKeyInfo structured DER blob into a PrivateKeyInfo structured DER blob and passes that on to the next decoder implementation. The result of this change is that PKCS#8 decryption should only happen once per decoding instead of once for every expected key type. Furthermore, this new decoder implementation sets the data type to the OID of the algorithmIdentifier field, thus reducing how many decoder implementations are tentativaly run further down the call chain. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15498)
* PROV: drop get_params() and gettable_params() from all encoder implementatioRichard Levitte2021-06-054-171/+0
| | | | | | | | | | | | They aren't needed at all any more, since the properties contain the same information. This also drops the parameter names OSSL_ENCODER_PARAM_OUTPUT_TYPE and OSSL_ENCODER_PARAM_OUTPUT_STRUCTURE Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15570)
* ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPERichard Levitte2021-06-052-20/+4
| | | | | | | | | | This was a poor substitute for using the name of the decoder implementation, and since there is functionality to get the latter now, this parameter can be dropped. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15570)
* PROV: drop get_params() and gettable_params() from all decoder implementationsRichard Levitte2021-06-054-132/+0
| | | | | | | | | | | | They aren't needed at all any more, since the properties contain the same information. This also drops the parameter names OSSL_DECODER_PARAM_INPUT_TYPE and OSSL_DECODER_PARAM_INPUT_STRUCTURE. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15570)
* providers: remove TODOsPauli2021-06-021-1/+0
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15539)
* Pass library context and property query into private key decodersJon Spillett2021-06-011-4/+6
| | | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14587)
* Fix up encoder/decoder issues caused by not passing a library context to the ↵Jon Spillett2021-06-012-3/+2
| | | | | | | | | PKCS8 encrypt/decrypt Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14587)
* Enhance the encoder/decoder tests to allow testing with a non-default ↵Jon Spillett2021-06-012-3/+6
| | | | | | | | | library context and configurable providers Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14587)
* A few cleanups of the provider build.infosTomas Mraz2021-05-121-6/+0
| | | | | | | | | Remove a TODO that is no longer relevant and drop some more non-fips sources from the fips checksums. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15191)
* Mark pop/clear error stack in der2key_decode_p8Daniel Bevenius2021-05-091-0/+5
| | | | | | | | | | | | | | | | | | | | | | This commit sets the error mark before calling d2i_X509_SIG and clear it if that function call is successful. The motivation for this is that if d2i_X509_SIG returns NULL then the else clause will be entered and d2i_PKCS8_PRIV_KEY_INFO will be called. If d2i_X509_SIG raised any errors those error will be on the error stack when d2i_PKCS8_PRIV_KEY_INFO gets called, and even if it returns successfully those errors will still be on the error stack. We ran into this issue when upgrading Node.js to 3.0.0-alpha15. More details can be found in the ref links below. Refs: https://github.com/nodejs/node/issues/38373 Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/wrong-tag-issue2.md Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/15067)
* Drop libimplementations.aRichard Levitte2021-05-071-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | libimplementations.a was a nice idea, but had a few flaws: 1. The idea to have common code in libimplementations.a and FIPS sensitive helper functions in libfips.a / libnonfips.a didn't catch on, and we saw full implementation ending up in them instead and not appearing in libimplementations.a at all. 2. Because more or less ALL algorithm implementations were included in libimplementations.a (the idea being that the appropriate objects from it would be selected automatically by the linker when building the shared libraries), it's very hard to find only the implementation source that should go into the FIPS module, with the result that the FIPS checksum mechanism include source files that it shouldn't To mitigate, we drop libimplementations.a, but retain the idea of collecting implementations in static libraries. With that, we not have: libfips.a Includes all implementations that should become part of the FIPS provider. liblegacy.a Includes all implementations that should become part of the legacy provider. libdefault.a Includes all implementations that should become part of the default and base providers. With this, libnonfips.a becomes irrelevant and is dropped. libcommon.a is retained to include common provider code that can be used uniformly by all providers. Fixes #15157 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15171)
* Adapt our decoder implementations to the new way to indicate succes / failureRichard Levitte2021-04-214-44/+77
| | | | | | | This includes the special decoder used in our STOREMGMT 'file:' implementation Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14834)
* Update copyright yearMatt Caswell2021-04-081-1/+1
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14801)
* Add "save-parameters" encoder parameterTomas Mraz2021-04-011-29/+31
| | | | | | | | | | | The parameter makes the dsa key encoder to skip saving the DSA key parameters similarly to what the legacy dsa key encoder did. Fixes #14362 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14746)
* RSA-PSS: When printing parameters, always print the trailerfield ASN.1 valueRichard Levitte2021-03-261-7/+0
| | | | | | | | | | | | | The legacy implementation would print the ASN.1 value of the trailerfield, except when it wasn't set (i.e. is default). For better consistency, we now always print the ASN.1 value, both in the legacy and the provided implementation. Fixes #14363 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14676)
* PROV: Add type specific MSBLOB and PVK decoding for the MS->key decodersRichard Levitte2021-03-194-274/+518
| | | | | | | | | | | | To make this cleaner, decoder_ms2key.c is split into decoder_msblob2key.c and decoder_pvk2key.c. This required a great deal of refactoring of crypto/pem/pvkfmt.c, to make cleaner internal functions that our decoder implementations can use. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14314)
* PROV: Add type specific PKCS#8 decoding to the DER->key decodersRichard Levitte2021-03-191-149/+140
| | | | | | | | | | | | This required refactoring a number of functions from the diverse EVP_PKEY_ASN1_METHOD implementations to become shared backend functions. It also meant modifying a few of them to return pointers to our internal RSA / DSA/ DH / EC_KEY, ... structures instead of manipulating an EVP_PKEY pointer directly, letting the caller do the latter. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14314)
* PROV: Add type specific SubjectPublicKeyInfo decoding to the DER->key decodersRichard Levitte2021-03-191-5/+37
| | | | | | | | | | | This makes it possible to use d2i_<TYPE>_PUBKEY instead of the generic d2i_PUBKEY() This required adding a number of new d2i_<TYPE>_PUBKEY functions. These are all kept internal. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14314)
* PROV: Refactor DER->key decoderRichard Levitte2021-03-191-56/+125
| | | | | | | | | | | | | | | | | | | | | | | | The decoding of DER into keys with keytype specific routines depended entirely on the absence of the generic algo specific C type from EVP_PKEYs. That is not necessary, and may even prove to be a bit of a disadvantage, depending on what libcrypto has to offer in terms of type specific d2i functionality for different kinds of input structures. To remedy, we try with all available type specific functions first, and only turn to the general d2i functions (those that return an EVP_PKEY) as a last resort. Furthermore, there are cases where the decoder might not get the key type it expected. This may happen when certain key types that share the same OpenSSL structure may be mixed up somehow. The known cases are EC vs SM2 and RSA vs RSA-PSS. To remedy, we add the possibility to specify a checking function that can check if the key that was decoded meets decoder expectations. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14314)
* Add ossl_ x509 symbolsShane Lontis2021-03-181-1/+1
| | | | | | | Partial fix for #12964 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14473)
* Fix misc external ossl_ symbols.Shane Lontis2021-03-187-9/+9
| | | | | | | Partial fix for #12964 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14473)
* Update copyright yearMatt Caswell2021-03-111-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14512)
* OSSL_STORE: restore diagnostics on decrypt error; provide password hintsDr. David von Oheimb2021-03-041-1/+7
| | | | | | | Fixes #13493 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13525)
* Remove todos in decode_der2key.c and decode_ms2key.cTomas Mraz2021-03-032-2/+2
| | | | | | | | Those TODOs do not really apply to 3.0 as the legacy internal keys will stay. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14367)
View Lorry Controller Status