1 /*
2  *  Public Key layer for parsing key files and structures
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "common.h"
21 
22 #if defined(MBEDTLS_PK_PARSE_C)
23 
24 #include "mbedtls/pk.h"
25 #include "mbedtls/asn1.h"
26 #include "mbedtls/oid.h"
27 #include "mbedtls/platform_util.h"
28 #include "mbedtls/error.h"
29 
30 #include <string.h>
31 
32 #if defined(MBEDTLS_RSA_C)
33 #include "mbedtls/rsa.h"
34 #endif
35 #if defined(MBEDTLS_ECP_C)
36 #include "mbedtls/ecp.h"
37 #endif
38 #if defined(MBEDTLS_ECDSA_C)
39 #include "mbedtls/ecdsa.h"
40 #endif
41 #if defined(MBEDTLS_PEM_PARSE_C)
42 #include "mbedtls/pem.h"
43 #endif
44 #if defined(MBEDTLS_PKCS5_C)
45 #include "mbedtls/pkcs5.h"
46 #endif
47 #if defined(MBEDTLS_PKCS12_C)
48 #include "mbedtls/pkcs12.h"
49 #endif
50 
51 #if defined(MBEDTLS_PLATFORM_C)
52 #include "mbedtls/platform.h"
53 #else
54 #include <stdlib.h>
55 #define mbedtls_calloc    calloc
56 #define mbedtls_free       free
57 #endif
58 
59 /* Parameter validation macros based on platform_util.h */
60 #define PK_VALIDATE_RET( cond )    \
61     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
62 #define PK_VALIDATE( cond )        \
63     MBEDTLS_INTERNAL_VALIDATE( cond )
64 
65 #if defined(MBEDTLS_FS_IO)
66 /*
67  * Load all data from a file into a given buffer.
68  *
69  * The file is expected to contain either PEM or DER encoded data.
70  * A terminating null byte is always appended. It is included in the announced
71  * length only if the data looks like it is PEM encoded.
72  */
mbedtls_pk_load_file(const char * path,unsigned char ** buf,size_t * n)73 int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
74 {
75     FILE *f;
76     long size;
77 
78     PK_VALIDATE_RET( path != NULL );
79     PK_VALIDATE_RET( buf != NULL );
80     PK_VALIDATE_RET( n != NULL );
81 
82     if( ( f = fopen( path, "rb" ) ) == NULL )
83         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
84 
85     fseek( f, 0, SEEK_END );
86     if( ( size = ftell( f ) ) == -1 )
87     {
88         fclose( f );
89         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
90     }
91     fseek( f, 0, SEEK_SET );
92 
93     *n = (size_t) size;
94 
95     if( *n + 1 == 0 ||
96         ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
97     {
98         fclose( f );
99         return( MBEDTLS_ERR_PK_ALLOC_FAILED );
100     }
101 
102     if( fread( *buf, 1, *n, f ) != *n )
103     {
104         fclose( f );
105 
106         mbedtls_platform_zeroize( *buf, *n );
107         mbedtls_free( *buf );
108 
109         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
110     }
111 
112     fclose( f );
113 
114     (*buf)[*n] = '\0';
115 
116     if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
117         ++*n;
118 
119     return( 0 );
120 }
121 
122 /*
123  * Load and parse a private key
124  */
mbedtls_pk_parse_keyfile(mbedtls_pk_context * ctx,const char * path,const char * pwd)125 int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
126                       const char *path, const char *pwd )
127 {
128     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
129     size_t n;
130     unsigned char *buf;
131 
132     PK_VALIDATE_RET( ctx != NULL );
133     PK_VALIDATE_RET( path != NULL );
134 
135     if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
136         return( ret );
137 
138     if( pwd == NULL )
139         ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
140     else
141         ret = mbedtls_pk_parse_key( ctx, buf, n,
142                 (const unsigned char *) pwd, strlen( pwd ) );
143 
144     mbedtls_platform_zeroize( buf, n );
145     mbedtls_free( buf );
146 
147     return( ret );
148 }
149 
150 /*
151  * Load and parse a public key
152  */
mbedtls_pk_parse_public_keyfile(mbedtls_pk_context * ctx,const char * path)153 int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
154 {
155     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
156     size_t n;
157     unsigned char *buf;
158 
159     PK_VALIDATE_RET( ctx != NULL );
160     PK_VALIDATE_RET( path != NULL );
161 
162     if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
163         return( ret );
164 
165     ret = mbedtls_pk_parse_public_key( ctx, buf, n );
166 
167     mbedtls_platform_zeroize( buf, n );
168     mbedtls_free( buf );
169 
170     return( ret );
171 }
172 #endif /* MBEDTLS_FS_IO */
173 
174 #if defined(MBEDTLS_ECP_C)
175 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
176  *
177  * ECParameters ::= CHOICE {
178  *   namedCurve         OBJECT IDENTIFIER
179  *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
180  *   -- implicitCurve   NULL
181  * }
182  */
pk_get_ecparams(unsigned char ** p,const unsigned char * end,mbedtls_asn1_buf * params)183 static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
184                             mbedtls_asn1_buf *params )
185 {
186     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 
188     if ( end - *p < 1 )
189         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
190                 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
191 
192     /* Tag may be either OID or SEQUENCE */
193     params->tag = **p;
194     if( params->tag != MBEDTLS_ASN1_OID
195 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
196             && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
197 #endif
198             )
199     {
200         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
201                 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
202     }
203 
204     if( ( ret = mbedtls_asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
205     {
206         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
207     }
208 
209     params->p = *p;
210     *p += params->len;
211 
212     if( *p != end )
213         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
214                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
215 
216     return( 0 );
217 }
218 
219 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
220 /*
221  * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
222  * WARNING: the resulting group should only be used with
223  * pk_group_id_from_specified(), since its base point may not be set correctly
224  * if it was encoded compressed.
225  *
226  *  SpecifiedECDomain ::= SEQUENCE {
227  *      version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
228  *      fieldID FieldID {{FieldTypes}},
229  *      curve Curve,
230  *      base ECPoint,
231  *      order INTEGER,
232  *      cofactor INTEGER OPTIONAL,
233  *      hash HashAlgorithm OPTIONAL,
234  *      ...
235  *  }
236  *
237  * We only support prime-field as field type, and ignore hash and cofactor.
238  */
pk_group_from_specified(const mbedtls_asn1_buf * params,mbedtls_ecp_group * grp)239 static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
240 {
241     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
242     unsigned char *p = params->p;
243     const unsigned char * const end = params->p + params->len;
244     const unsigned char *end_field, *end_curve;
245     size_t len;
246     int ver;
247 
248     /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
249     if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
250         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
251 
252     if( ver < 1 || ver > 3 )
253         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
254 
255     /*
256      * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
257      *       fieldType FIELD-ID.&id({IOSet}),
258      *       parameters FIELD-ID.&Type({IOSet}{@fieldType})
259      * }
260      */
261     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
262             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
263         return( ret );
264 
265     end_field = p + len;
266 
267     /*
268      * FIELD-ID ::= TYPE-IDENTIFIER
269      * FieldTypes FIELD-ID ::= {
270      *       { Prime-p IDENTIFIED BY prime-field } |
271      *       { Characteristic-two IDENTIFIED BY characteristic-two-field }
272      * }
273      * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
274      */
275     if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
276         return( ret );
277 
278     if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
279         memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
280     {
281         return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
282     }
283 
284     p += len;
285 
286     /* Prime-p ::= INTEGER -- Field of size p. */
287     if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
288         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
289 
290     grp->pbits = mbedtls_mpi_bitlen( &grp->P );
291 
292     if( p != end_field )
293         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
294                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
295 
296     /*
297      * Curve ::= SEQUENCE {
298      *       a FieldElement,
299      *       b FieldElement,
300      *       seed BIT STRING OPTIONAL
301      *       -- Shall be present if used in SpecifiedECDomain
302      *       -- with version equal to ecdpVer2 or ecdpVer3
303      * }
304      */
305     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
306             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
307         return( ret );
308 
309     end_curve = p + len;
310 
311     /*
312      * FieldElement ::= OCTET STRING
313      * containing an integer in the case of a prime field
314      */
315     if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
316         ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
317     {
318         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
319     }
320 
321     p += len;
322 
323     if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
324         ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
325     {
326         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
327     }
328 
329     p += len;
330 
331     /* Ignore seed BIT STRING OPTIONAL */
332     if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
333         p += len;
334 
335     if( p != end_curve )
336         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
337                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
338 
339     /*
340      * ECPoint ::= OCTET STRING
341      */
342     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
343         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
344 
345     if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
346                                       ( const unsigned char *) p, len ) ) != 0 )
347     {
348         /*
349          * If we can't read the point because it's compressed, cheat by
350          * reading only the X coordinate and the parity bit of Y.
351          */
352         if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
353             ( p[0] != 0x02 && p[0] != 0x03 ) ||
354             len != mbedtls_mpi_size( &grp->P ) + 1 ||
355             mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
356             mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
357             mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
358         {
359             return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
360         }
361     }
362 
363     p += len;
364 
365     /*
366      * order INTEGER
367      */
368     if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
369         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
370 
371     grp->nbits = mbedtls_mpi_bitlen( &grp->N );
372 
373     /*
374      * Allow optional elements by purposefully not enforcing p == end here.
375      */
376 
377     return( 0 );
378 }
379 
380 /*
381  * Find the group id associated with an (almost filled) group as generated by
382  * pk_group_from_specified(), or return an error if unknown.
383  */
pk_group_id_from_group(const mbedtls_ecp_group * grp,mbedtls_ecp_group_id * grp_id)384 static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
385 {
386     int ret = 0;
387     mbedtls_ecp_group ref;
388     const mbedtls_ecp_group_id *id;
389 
390     mbedtls_ecp_group_init( &ref );
391 
392     for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
393     {
394         /* Load the group associated to that id */
395         mbedtls_ecp_group_free( &ref );
396         MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
397 
398         /* Compare to the group we were given, starting with easy tests */
399         if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
400             mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
401             mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
402             mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
403             mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
404             mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
405             mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
406             /* For Y we may only know the parity bit, so compare only that */
407             mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
408         {
409             break;
410         }
411 
412     }
413 
414 cleanup:
415     mbedtls_ecp_group_free( &ref );
416 
417     *grp_id = *id;
418 
419     if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
420         ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
421 
422     return( ret );
423 }
424 
425 /*
426  * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
427  */
pk_group_id_from_specified(const mbedtls_asn1_buf * params,mbedtls_ecp_group_id * grp_id)428 static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
429                                        mbedtls_ecp_group_id *grp_id )
430 {
431     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
432     mbedtls_ecp_group grp;
433 
434     mbedtls_ecp_group_init( &grp );
435 
436     if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
437         goto cleanup;
438 
439     ret = pk_group_id_from_group( &grp, grp_id );
440 
441 cleanup:
442     mbedtls_ecp_group_free( &grp );
443 
444     return( ret );
445 }
446 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
447 
448 /*
449  * Use EC parameters to initialise an EC group
450  *
451  * ECParameters ::= CHOICE {
452  *   namedCurve         OBJECT IDENTIFIER
453  *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
454  *   -- implicitCurve   NULL
455  */
pk_use_ecparams(const mbedtls_asn1_buf * params,mbedtls_ecp_group * grp)456 static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
457 {
458     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
459     mbedtls_ecp_group_id grp_id;
460 
461     if( params->tag == MBEDTLS_ASN1_OID )
462     {
463         if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
464             return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
465     }
466     else
467     {
468 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
469         if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
470             return( ret );
471 #else
472         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
473 #endif
474     }
475 
476     /*
477      * grp may already be initialized; if so, make sure IDs match
478      */
479     if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
480         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
481 
482     if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
483         return( ret );
484 
485     return( 0 );
486 }
487 
488 /*
489  * EC public key is an EC point
490  *
491  * The caller is responsible for clearing the structure upon failure if
492  * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
493  * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
494  */
pk_get_ecpubkey(unsigned char ** p,const unsigned char * end,mbedtls_ecp_keypair * key)495 static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
496                             mbedtls_ecp_keypair *key )
497 {
498     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
499 
500     if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
501                     (const unsigned char *) *p, end - *p ) ) == 0 )
502     {
503         ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
504     }
505 
506     /*
507      * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
508      */
509     *p = (unsigned char *) end;
510 
511     return( ret );
512 }
513 #endif /* MBEDTLS_ECP_C */
514 
515 #if defined(MBEDTLS_RSA_C)
516 /*
517  *  RSAPublicKey ::= SEQUENCE {
518  *      modulus           INTEGER,  -- n
519  *      publicExponent    INTEGER   -- e
520  *  }
521  */
pk_get_rsapubkey(unsigned char ** p,const unsigned char * end,mbedtls_rsa_context * rsa)522 static int pk_get_rsapubkey( unsigned char **p,
523                              const unsigned char *end,
524                              mbedtls_rsa_context *rsa )
525 {
526     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
527     size_t len;
528 
529     if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
530             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
531         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
532 
533     if( *p + len != end )
534         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
535                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
536 
537     /* Import N */
538     if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
539         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
540 
541     if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
542                                         NULL, 0, NULL, 0 ) ) != 0 )
543         return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
544 
545     *p += len;
546 
547     /* Import E */
548     if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
549         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
550 
551     if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
552                                         NULL, 0, *p, len ) ) != 0 )
553         return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
554 
555     *p += len;
556 
557     if( mbedtls_rsa_complete( rsa ) != 0 ||
558         mbedtls_rsa_check_pubkey( rsa ) != 0 )
559     {
560         return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
561     }
562 
563     if( *p != end )
564         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
565                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
566 
567     return( 0 );
568 }
569 #endif /* MBEDTLS_RSA_C */
570 
571 /* Get a PK algorithm identifier
572  *
573  *  AlgorithmIdentifier  ::=  SEQUENCE  {
574  *       algorithm               OBJECT IDENTIFIER,
575  *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
576  */
pk_get_pk_alg(unsigned char ** p,const unsigned char * end,mbedtls_pk_type_t * pk_alg,mbedtls_asn1_buf * params)577 static int pk_get_pk_alg( unsigned char **p,
578                           const unsigned char *end,
579                           mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
580 {
581     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
582     mbedtls_asn1_buf alg_oid;
583 
584     memset( params, 0, sizeof(mbedtls_asn1_buf) );
585 
586     if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
587         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_ALG, ret ) );
588 
589     if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
590         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
591 
592     /*
593      * No parameters with RSA (only for EC)
594      */
595     if( *pk_alg == MBEDTLS_PK_RSA &&
596             ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
597                 params->len != 0 ) )
598     {
599         return( MBEDTLS_ERR_PK_INVALID_ALG );
600     }
601 
602     return( 0 );
603 }
604 
605 /*
606  *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
607  *       algorithm            AlgorithmIdentifier,
608  *       subjectPublicKey     BIT STRING }
609  */
mbedtls_pk_parse_subpubkey(unsigned char ** p,const unsigned char * end,mbedtls_pk_context * pk)610 int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
611                         mbedtls_pk_context *pk )
612 {
613     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
614     size_t len;
615     mbedtls_asn1_buf alg_params;
616     mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
617     const mbedtls_pk_info_t *pk_info;
618 
619     PK_VALIDATE_RET( p != NULL );
620     PK_VALIDATE_RET( *p != NULL );
621     PK_VALIDATE_RET( end != NULL );
622     PK_VALIDATE_RET( pk != NULL );
623 
624     if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
625                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
626     {
627         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
628     }
629 
630     end = *p + len;
631 
632     if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
633         return( ret );
634 
635     if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
636         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
637 
638     if( *p + len != end )
639         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
640                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
641 
642     if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
643         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
644 
645     if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
646         return( ret );
647 
648 #if defined(MBEDTLS_RSA_C)
649     if( pk_alg == MBEDTLS_PK_RSA )
650     {
651         ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
652     } else
653 #endif /* MBEDTLS_RSA_C */
654 #if defined(MBEDTLS_ECP_C)
655     if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
656     {
657         ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
658         if( ret == 0 )
659             ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
660     } else
661 #endif /* MBEDTLS_ECP_C */
662         ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
663 
664     if( ret == 0 && *p != end )
665         ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
666               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
667 
668     if( ret != 0 )
669         mbedtls_pk_free( pk );
670 
671     return( ret );
672 }
673 
674 #if defined(MBEDTLS_RSA_C)
675 /*
676  * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
677  *
678  * The value zero is:
679  * - never a valid value for an RSA parameter
680  * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
681  *
682  * Since values can't be omitted in PKCS#1, passing a zero value to
683  * rsa_complete() would be incorrect, so reject zero values early.
684  */
asn1_get_nonzero_mpi(unsigned char ** p,const unsigned char * end,mbedtls_mpi * X)685 static int asn1_get_nonzero_mpi( unsigned char **p,
686                                  const unsigned char *end,
687                                  mbedtls_mpi *X )
688 {
689     int ret;
690 
691     ret = mbedtls_asn1_get_mpi( p, end, X );
692     if( ret != 0 )
693         return( ret );
694 
695     if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
696         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
697 
698     return( 0 );
699 }
700 
701 /*
702  * Parse a PKCS#1 encoded private RSA key
703  */
pk_parse_key_pkcs1_der(mbedtls_rsa_context * rsa,const unsigned char * key,size_t keylen)704 static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
705                                    const unsigned char *key,
706                                    size_t keylen )
707 {
708     int ret, version;
709     size_t len;
710     unsigned char *p, *end;
711 
712     mbedtls_mpi T;
713     mbedtls_mpi_init( &T );
714 
715     p = (unsigned char *) key;
716     end = p + keylen;
717 
718     /*
719      * This function parses the RSAPrivateKey (PKCS#1)
720      *
721      *  RSAPrivateKey ::= SEQUENCE {
722      *      version           Version,
723      *      modulus           INTEGER,  -- n
724      *      publicExponent    INTEGER,  -- e
725      *      privateExponent   INTEGER,  -- d
726      *      prime1            INTEGER,  -- p
727      *      prime2            INTEGER,  -- q
728      *      exponent1         INTEGER,  -- d mod (p-1)
729      *      exponent2         INTEGER,  -- d mod (q-1)
730      *      coefficient       INTEGER,  -- (inverse of q) mod p
731      *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
732      *  }
733      */
734     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
735             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
736     {
737         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
738     }
739 
740     end = p + len;
741 
742     if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
743     {
744         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
745     }
746 
747     if( version != 0 )
748     {
749         return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
750     }
751 
752     /* Import N */
753     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
754         ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
755                                         NULL, NULL ) ) != 0 )
756         goto cleanup;
757 
758     /* Import E */
759     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
760         ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
761                                         NULL, &T ) ) != 0 )
762         goto cleanup;
763 
764     /* Import D */
765     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
766         ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
767                                         &T, NULL ) ) != 0 )
768         goto cleanup;
769 
770     /* Import P */
771     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
772         ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
773                                         NULL, NULL ) ) != 0 )
774         goto cleanup;
775 
776     /* Import Q */
777     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
778         ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
779                                         NULL, NULL ) ) != 0 )
780         goto cleanup;
781 
782 #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
783     /*
784     * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
785     * that they can be easily recomputed from D, P and Q. However by
786     * parsing them from the PKCS1 structure it is possible to avoid
787     * recalculating them which both reduces the overhead of loading
788     * RSA private keys into memory and also avoids side channels which
789     * can arise when computing those values, since all of D, P, and Q
790     * are secret. See https://eprint.iacr.org/2020/055 for a
791     * description of one such attack.
792     */
793 
794     /* Import DP */
795     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
796         ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
797        goto cleanup;
798 
799     /* Import DQ */
800     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
801         ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
802        goto cleanup;
803 
804     /* Import QP */
805     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
806         ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
807        goto cleanup;
808 
809 #else
810     /* Verify existence of the CRT params */
811     if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
812         ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
813         ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
814        goto cleanup;
815 #endif
816 
817     /* rsa_complete() doesn't complete anything with the default
818      * implementation but is still called:
819      * - for the benefit of alternative implementation that may want to
820      *   pre-compute stuff beyond what's provided (eg Montgomery factors)
821      * - as is also sanity-checks the key
822      *
823      * Furthermore, we also check the public part for consistency with
824      * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
825      */
826     if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
827         ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
828     {
829         goto cleanup;
830     }
831 
832     if( p != end )
833     {
834         ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
835               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
836     }
837 
838 cleanup:
839 
840     mbedtls_mpi_free( &T );
841 
842     if( ret != 0 )
843     {
844         /* Wrap error code if it's coming from a lower level */
845         if( ( ret & 0xff80 ) == 0 )
846             ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret );
847         else
848             ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
849 
850         mbedtls_rsa_free( rsa );
851     }
852 
853     return( ret );
854 }
855 #endif /* MBEDTLS_RSA_C */
856 
857 #if defined(MBEDTLS_ECP_C)
858 /*
859  * Parse a SEC1 encoded private EC key
860  */
pk_parse_key_sec1_der(mbedtls_ecp_keypair * eck,const unsigned char * key,size_t keylen)861 static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
862                                   const unsigned char *key,
863                                   size_t keylen )
864 {
865     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
866     int version, pubkey_done;
867     size_t len;
868     mbedtls_asn1_buf params;
869     unsigned char *p = (unsigned char *) key;
870     unsigned char *end = p + keylen;
871     unsigned char *end2;
872 
873     /*
874      * RFC 5915, or SEC1 Appendix C.4
875      *
876      * ECPrivateKey ::= SEQUENCE {
877      *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
878      *      privateKey     OCTET STRING,
879      *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
880      *      publicKey  [1] BIT STRING OPTIONAL
881      *    }
882      */
883     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
884             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
885     {
886         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
887     }
888 
889     end = p + len;
890 
891     if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
892         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
893 
894     if( version != 1 )
895         return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
896 
897     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
898         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
899 
900     if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
901     {
902         mbedtls_ecp_keypair_free( eck );
903         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
904     }
905 
906     p += len;
907 
908     pubkey_done = 0;
909     if( p != end )
910     {
911         /*
912          * Is 'parameters' present?
913          */
914         if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
915                         MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
916         {
917             if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
918                 ( ret = pk_use_ecparams( &params, &eck->grp )  ) != 0 )
919             {
920                 mbedtls_ecp_keypair_free( eck );
921                 return( ret );
922             }
923         }
924         else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
925         {
926             mbedtls_ecp_keypair_free( eck );
927             return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
928         }
929     }
930 
931     if( p != end )
932     {
933         /*
934          * Is 'publickey' present? If not, or if we can't read it (eg because it
935          * is compressed), create it from the private key.
936          */
937         if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
938                         MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
939         {
940             end2 = p + len;
941 
942             if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
943                 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
944 
945             if( p + len != end2 )
946                 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
947                         MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
948 
949             if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
950                 pubkey_done = 1;
951             else
952             {
953                 /*
954                  * The only acceptable failure mode of pk_get_ecpubkey() above
955                  * is if the point format is not recognized.
956                  */
957                 if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
958                     return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
959             }
960         }
961         else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
962         {
963             mbedtls_ecp_keypair_free( eck );
964             return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
965         }
966     }
967 
968     if( ! pubkey_done &&
969         ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
970                                                       NULL, NULL ) ) != 0 )
971     {
972         mbedtls_ecp_keypair_free( eck );
973         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
974     }
975 
976     if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
977     {
978         mbedtls_ecp_keypair_free( eck );
979         return( ret );
980     }
981 
982     return( 0 );
983 }
984 #endif /* MBEDTLS_ECP_C */
985 
986 /*
987  * Parse an unencrypted PKCS#8 encoded private key
988  *
989  * Notes:
990  *
991  * - This function does not own the key buffer. It is the
992  *   responsibility of the caller to take care of zeroizing
993  *   and freeing it after use.
994  *
995  * - The function is responsible for freeing the provided
996  *   PK context on failure.
997  *
998  */
pk_parse_key_pkcs8_unencrypted_der(mbedtls_pk_context * pk,const unsigned char * key,size_t keylen)999 static int pk_parse_key_pkcs8_unencrypted_der(
1000                                     mbedtls_pk_context *pk,
1001                                     const unsigned char* key,
1002                                     size_t keylen )
1003 {
1004     int ret, version;
1005     size_t len;
1006     mbedtls_asn1_buf params;
1007     unsigned char *p = (unsigned char *) key;
1008     unsigned char *end = p + keylen;
1009     mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
1010     const mbedtls_pk_info_t *pk_info;
1011 
1012     /*
1013      * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
1014      *
1015      *    PrivateKeyInfo ::= SEQUENCE {
1016      *      version                   Version,
1017      *      privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
1018      *      privateKey                PrivateKey,
1019      *      attributes           [0]  IMPLICIT Attributes OPTIONAL }
1020      *
1021      *    Version ::= INTEGER
1022      *    PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
1023      *    PrivateKey ::= OCTET STRING
1024      *
1025      *  The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
1026      */
1027 
1028     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1029             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1030     {
1031         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
1032     }
1033 
1034     end = p + len;
1035 
1036     if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
1037         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
1038 
1039     if( version != 0 )
1040         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret ) );
1041 
1042     if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
1043     {
1044         return( ret );
1045     }
1046 
1047     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1048         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
1049 
1050     if( len < 1 )
1051         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
1052                 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
1053 
1054     if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
1055         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1056 
1057     if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
1058         return( ret );
1059 
1060 #if defined(MBEDTLS_RSA_C)
1061     if( pk_alg == MBEDTLS_PK_RSA )
1062     {
1063         if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
1064         {
1065             mbedtls_pk_free( pk );
1066             return( ret );
1067         }
1068     } else
1069 #endif /* MBEDTLS_RSA_C */
1070 #if defined(MBEDTLS_ECP_C)
1071     if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
1072     {
1073         if( ( ret = pk_use_ecparams( &params, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
1074             ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len )  ) != 0 )
1075         {
1076             mbedtls_pk_free( pk );
1077             return( ret );
1078         }
1079     } else
1080 #endif /* MBEDTLS_ECP_C */
1081         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1082 
1083     return( 0 );
1084 }
1085 
1086 /*
1087  * Parse an encrypted PKCS#8 encoded private key
1088  *
1089  * To save space, the decryption happens in-place on the given key buffer.
1090  * Also, while this function may modify the keybuffer, it doesn't own it,
1091  * and instead it is the responsibility of the caller to zeroize and properly
1092  * free it after use.
1093  *
1094  */
1095 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
pk_parse_key_pkcs8_encrypted_der(mbedtls_pk_context * pk,unsigned char * key,size_t keylen,const unsigned char * pwd,size_t pwdlen)1096 static int pk_parse_key_pkcs8_encrypted_der(
1097                                     mbedtls_pk_context *pk,
1098                                     unsigned char *key, size_t keylen,
1099                                     const unsigned char *pwd, size_t pwdlen )
1100 {
1101     int ret, decrypted = 0;
1102     size_t len;
1103     unsigned char *buf;
1104     unsigned char *p, *end;
1105     mbedtls_asn1_buf pbe_alg_oid, pbe_params;
1106 #if defined(MBEDTLS_PKCS12_C)
1107     mbedtls_cipher_type_t cipher_alg;
1108     mbedtls_md_type_t md_alg;
1109 #endif
1110 
1111     p = key;
1112     end = p + keylen;
1113 
1114     if( pwdlen == 0 )
1115         return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1116 
1117     /*
1118      * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
1119      *
1120      *  EncryptedPrivateKeyInfo ::= SEQUENCE {
1121      *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
1122      *    encryptedData        EncryptedData
1123      *  }
1124      *
1125      *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1126      *
1127      *  EncryptedData ::= OCTET STRING
1128      *
1129      *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
1130      *
1131      */
1132     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1133             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1134     {
1135         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
1136     }
1137 
1138     end = p + len;
1139 
1140     if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
1141         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
1142 
1143     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1144         return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
1145 
1146     buf = p;
1147 
1148     /*
1149      * Decrypt EncryptedData with appropriate PBE
1150      */
1151 #if defined(MBEDTLS_PKCS12_C)
1152     if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
1153     {
1154         if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
1155                                 cipher_alg, md_alg,
1156                                 pwd, pwdlen, p, len, buf ) ) != 0 )
1157         {
1158             if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
1159                 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1160 
1161             return( ret );
1162         }
1163 
1164         decrypted = 1;
1165     }
1166     else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
1167     {
1168         if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
1169                                              MBEDTLS_PKCS12_PBE_DECRYPT,
1170                                              pwd, pwdlen,
1171                                              p, len, buf ) ) != 0 )
1172         {
1173             return( ret );
1174         }
1175 
1176         // Best guess for password mismatch when using RC4. If first tag is
1177         // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
1178         //
1179         if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
1180             return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1181 
1182         decrypted = 1;
1183     }
1184     else
1185 #endif /* MBEDTLS_PKCS12_C */
1186 #if defined(MBEDTLS_PKCS5_C)
1187     if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
1188     {
1189         if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
1190                                   p, len, buf ) ) != 0 )
1191         {
1192             if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
1193                 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1194 
1195             return( ret );
1196         }
1197 
1198         decrypted = 1;
1199     }
1200     else
1201 #endif /* MBEDTLS_PKCS5_C */
1202     {
1203         ((void) pwd);
1204     }
1205 
1206     if( decrypted == 0 )
1207         return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1208 
1209     return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
1210 }
1211 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1212 
1213 /*
1214  * Parse a private key
1215  */
mbedtls_pk_parse_key(mbedtls_pk_context * pk,const unsigned char * key,size_t keylen,const unsigned char * pwd,size_t pwdlen)1216 int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
1217                   const unsigned char *key, size_t keylen,
1218                   const unsigned char *pwd, size_t pwdlen )
1219 {
1220     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1221     const mbedtls_pk_info_t *pk_info;
1222 #if defined(MBEDTLS_PEM_PARSE_C)
1223     size_t len;
1224     mbedtls_pem_context pem;
1225 #endif
1226 
1227     PK_VALIDATE_RET( pk != NULL );
1228     if( keylen == 0 )
1229         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1230     PK_VALIDATE_RET( key != NULL );
1231 
1232 #if defined(MBEDTLS_PEM_PARSE_C)
1233    mbedtls_pem_init( &pem );
1234 
1235 #if defined(MBEDTLS_RSA_C)
1236     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1237     if( key[keylen - 1] != '\0' )
1238         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1239     else
1240         ret = mbedtls_pem_read_buffer( &pem,
1241                                "-----BEGIN RSA PRIVATE KEY-----",
1242                                "-----END RSA PRIVATE KEY-----",
1243                                key, pwd, pwdlen, &len );
1244 
1245     if( ret == 0 )
1246     {
1247         pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
1248         if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
1249             ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
1250                                             pem.buf, pem.buflen ) ) != 0 )
1251         {
1252             mbedtls_pk_free( pk );
1253         }
1254 
1255         mbedtls_pem_free( &pem );
1256         return( ret );
1257     }
1258     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
1259         return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1260     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
1261         return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1262     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1263         return( ret );
1264 #endif /* MBEDTLS_RSA_C */
1265 
1266 #if defined(MBEDTLS_ECP_C)
1267     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1268     if( key[keylen - 1] != '\0' )
1269         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1270     else
1271         ret = mbedtls_pem_read_buffer( &pem,
1272                                "-----BEGIN EC PRIVATE KEY-----",
1273                                "-----END EC PRIVATE KEY-----",
1274                                key, pwd, pwdlen, &len );
1275     if( ret == 0 )
1276     {
1277         pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
1278 
1279         if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
1280             ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
1281                                            pem.buf, pem.buflen ) ) != 0 )
1282         {
1283             mbedtls_pk_free( pk );
1284         }
1285 
1286         mbedtls_pem_free( &pem );
1287         return( ret );
1288     }
1289     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
1290         return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
1291     else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
1292         return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
1293     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1294         return( ret );
1295 #endif /* MBEDTLS_ECP_C */
1296 
1297     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1298     if( key[keylen - 1] != '\0' )
1299         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1300     else
1301         ret = mbedtls_pem_read_buffer( &pem,
1302                                "-----BEGIN PRIVATE KEY-----",
1303                                "-----END PRIVATE KEY-----",
1304                                key, NULL, 0, &len );
1305     if( ret == 0 )
1306     {
1307         if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
1308                                                 pem.buf, pem.buflen ) ) != 0 )
1309         {
1310             mbedtls_pk_free( pk );
1311         }
1312 
1313         mbedtls_pem_free( &pem );
1314         return( ret );
1315     }
1316     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1317         return( ret );
1318 
1319 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1320     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1321     if( key[keylen - 1] != '\0' )
1322         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1323     else
1324         ret = mbedtls_pem_read_buffer( &pem,
1325                                "-----BEGIN ENCRYPTED PRIVATE KEY-----",
1326                                "-----END ENCRYPTED PRIVATE KEY-----",
1327                                key, NULL, 0, &len );
1328     if( ret == 0 )
1329     {
1330         if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
1331                                                       pem.buf, pem.buflen,
1332                                                       pwd, pwdlen ) ) != 0 )
1333         {
1334             mbedtls_pk_free( pk );
1335         }
1336 
1337         mbedtls_pem_free( &pem );
1338         return( ret );
1339     }
1340     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1341         return( ret );
1342 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1343 #else
1344     ((void) pwd);
1345     ((void) pwdlen);
1346 #endif /* MBEDTLS_PEM_PARSE_C */
1347 
1348     /*
1349      * At this point we only know it's not a PEM formatted key. Could be any
1350      * of the known DER encoded private key formats
1351      *
1352      * We try the different DER format parsers to see if one passes without
1353      * error
1354      */
1355 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1356     {
1357         unsigned char *key_copy;
1358 
1359         if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
1360             return( MBEDTLS_ERR_PK_ALLOC_FAILED );
1361 
1362         memcpy( key_copy, key, keylen );
1363 
1364         ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
1365                                                 pwd, pwdlen );
1366 
1367         mbedtls_platform_zeroize( key_copy, keylen );
1368         mbedtls_free( key_copy );
1369     }
1370 
1371     if( ret == 0 )
1372         return( 0 );
1373 
1374     mbedtls_pk_free( pk );
1375     mbedtls_pk_init( pk );
1376 
1377     if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
1378     {
1379         return( ret );
1380     }
1381 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1382 
1383     ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen );
1384     if( ret == 0 )
1385     {
1386         return( 0 );
1387     }
1388 
1389     mbedtls_pk_free( pk );
1390     mbedtls_pk_init( pk );
1391 
1392 #if defined(MBEDTLS_RSA_C)
1393 
1394     pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
1395     if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
1396         pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
1397     {
1398         return( 0 );
1399     }
1400 
1401     mbedtls_pk_free( pk );
1402     mbedtls_pk_init( pk );
1403 #endif /* MBEDTLS_RSA_C */
1404 
1405 #if defined(MBEDTLS_ECP_C)
1406     pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
1407     if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
1408         pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
1409                                key, keylen ) == 0 )
1410     {
1411         return( 0 );
1412     }
1413     mbedtls_pk_free( pk );
1414 #endif /* MBEDTLS_ECP_C */
1415 
1416     /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
1417      * it is ok to leave the PK context initialized but not
1418      * freed: It is the caller's responsibility to call pk_init()
1419      * before calling this function, and to call pk_free()
1420      * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
1421      * isn't, this leads to mbedtls_pk_free() being called
1422      * twice, once here and once by the caller, but this is
1423      * also ok and in line with the mbedtls_pk_free() calls
1424      * on failed PEM parsing attempts. */
1425 
1426     return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1427 }
1428 
1429 /*
1430  * Parse a public key
1431  */
mbedtls_pk_parse_public_key(mbedtls_pk_context * ctx,const unsigned char * key,size_t keylen)1432 int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
1433                          const unsigned char *key, size_t keylen )
1434 {
1435     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1436     unsigned char *p;
1437 #if defined(MBEDTLS_RSA_C)
1438     const mbedtls_pk_info_t *pk_info;
1439 #endif
1440 #if defined(MBEDTLS_PEM_PARSE_C)
1441     size_t len;
1442     mbedtls_pem_context pem;
1443 #endif
1444 
1445     PK_VALIDATE_RET( ctx != NULL );
1446     if( keylen == 0 )
1447         return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
1448     PK_VALIDATE_RET( key != NULL || keylen == 0 );
1449 
1450 #if defined(MBEDTLS_PEM_PARSE_C)
1451     mbedtls_pem_init( &pem );
1452 #if defined(MBEDTLS_RSA_C)
1453     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1454     if( key[keylen - 1] != '\0' )
1455         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1456     else
1457         ret = mbedtls_pem_read_buffer( &pem,
1458                                "-----BEGIN RSA PUBLIC KEY-----",
1459                                "-----END RSA PUBLIC KEY-----",
1460                                key, NULL, 0, &len );
1461 
1462     if( ret == 0 )
1463     {
1464         p = pem.buf;
1465         if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
1466         {
1467             mbedtls_pem_free( &pem );
1468             return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1469         }
1470 
1471         if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
1472         {
1473             mbedtls_pem_free( &pem );
1474             return( ret );
1475         }
1476 
1477         if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
1478             mbedtls_pk_free( ctx );
1479 
1480         mbedtls_pem_free( &pem );
1481         return( ret );
1482     }
1483     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1484     {
1485         mbedtls_pem_free( &pem );
1486         return( ret );
1487     }
1488 #endif /* MBEDTLS_RSA_C */
1489 
1490     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1491     if( key[keylen - 1] != '\0' )
1492         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
1493     else
1494         ret = mbedtls_pem_read_buffer( &pem,
1495                 "-----BEGIN PUBLIC KEY-----",
1496                 "-----END PUBLIC KEY-----",
1497                 key, NULL, 0, &len );
1498 
1499     if( ret == 0 )
1500     {
1501         /*
1502          * Was PEM encoded
1503          */
1504         p = pem.buf;
1505 
1506         ret = mbedtls_pk_parse_subpubkey( &p,  p + pem.buflen, ctx );
1507         mbedtls_pem_free( &pem );
1508         return( ret );
1509     }
1510     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1511     {
1512         mbedtls_pem_free( &pem );
1513         return( ret );
1514     }
1515     mbedtls_pem_free( &pem );
1516 #endif /* MBEDTLS_PEM_PARSE_C */
1517 
1518 #if defined(MBEDTLS_RSA_C)
1519     if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
1520         return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
1521 
1522     if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
1523         return( ret );
1524 
1525     p = (unsigned char *)key;
1526     ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
1527     if( ret == 0 )
1528     {
1529         return( ret );
1530     }
1531     mbedtls_pk_free( ctx );
1532     if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
1533                                     MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) )
1534     {
1535         return( ret );
1536     }
1537 #endif /* MBEDTLS_RSA_C */
1538     p = (unsigned char *) key;
1539 
1540     ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
1541 
1542     return( ret );
1543 }
1544 
1545 #endif /* MBEDTLS_PK_PARSE_C */
1546