1 | /* |
2 | * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include "internal/cryptlib.h" |
11 | #include "internal/nelem.h" |
12 | #include "crypto/evp.h" |
13 | #include "crypto/asn1.h" |
14 | #include "internal/core.h" |
15 | #include "internal/provider.h" |
16 | #include "evp_local.h" |
17 | |
18 | struct import_data_st { |
19 | void *provctx; |
20 | void *(*importfn)(void *provctx, const OSSL_PARAM params[]); |
21 | |
22 | /* Result */ |
23 | void *provdata; |
24 | }; |
25 | |
26 | static int try_import(const OSSL_PARAM params[], void *arg) |
27 | { |
28 | struct import_data_st *data = arg; |
29 | |
30 | data->provdata = data->importfn(data->provctx, params); |
31 | return data->provdata != NULL; |
32 | } |
33 | |
34 | void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, |
35 | int want_domainparams) |
36 | { |
37 | void *provdata = NULL; |
38 | size_t i, j; |
39 | |
40 | /* |
41 | * If there is an underlying legacy key and it has changed, invalidate |
42 | * the cache of provider keys. |
43 | */ |
44 | if (pk->pkey.ptr != NULL) { |
45 | /* |
46 | * If there is no dirty counter, this key can't be used with |
47 | * providers. |
48 | */ |
49 | if (pk->ameth->dirty_cnt == NULL) |
50 | return NULL; |
51 | |
52 | if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy) |
53 | evp_keymgmt_clear_pkey_cache(pk); |
54 | } |
55 | |
56 | /* |
57 | * See if we have exported to this provider already. |
58 | * If we have, return immediately. |
59 | */ |
60 | for (i = 0; |
61 | i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL; |
62 | i++) { |
63 | if (keymgmt == pk->pkeys[i].keymgmt |
64 | && want_domainparams == pk->pkeys[i].domainparams) |
65 | return pk->pkeys[i].provdata; |
66 | } |
67 | |
68 | if (pk->pkey.ptr != NULL) { |
69 | /* There is a legacy key, try to export that one to the provider */ |
70 | |
71 | /* If the legacy key doesn't have an export function, give up */ |
72 | if (pk->ameth->export_to == NULL) |
73 | return NULL; |
74 | |
75 | /* Otherwise, simply use it. */ |
76 | provdata = pk->ameth->export_to(pk, keymgmt, want_domainparams); |
77 | |
78 | /* Synchronize the dirty count, but only if we exported successfully */ |
79 | if (provdata != NULL) |
80 | pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk); |
81 | |
82 | } else { |
83 | /* |
84 | * Here, there is no legacy key, so we look at the already cached |
85 | * provider keys, and import from the first that supports it |
86 | * (i.e. use its export function), and export the imported data to |
87 | * the new provider. |
88 | */ |
89 | |
90 | /* Setup for the export callback */ |
91 | struct import_data_st import_data; |
92 | |
93 | import_data.importfn = |
94 | want_domainparams ? keymgmt->importdomparams : keymgmt->importkey; |
95 | import_data.provdata = NULL; |
96 | |
97 | /* |
98 | * If the given keymgmt doesn't have an import function, give up |
99 | */ |
100 | if (import_data.importfn == NULL) |
101 | return NULL; |
102 | |
103 | for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) { |
104 | int (*exportfn)(void *provctx, OSSL_CALLBACK *cb, void *cbarg) = |
105 | want_domainparams |
106 | ? pk->pkeys[j].keymgmt->exportdomparams |
107 | : pk->pkeys[j].keymgmt->exportkey; |
108 | |
109 | if (exportfn != NULL) { |
110 | import_data.provctx = |
111 | ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
112 | |
113 | /* |
114 | * The export function calls the callback (try_import), which |
115 | * does the import for us. |
116 | * Even though we got a success return, we double check that |
117 | * we actually got something, just in case some implementation |
118 | * forgets to check the return value. |
119 | |
120 | */ |
121 | if (exportfn(pk->pkeys[j].provdata, &try_import, &import_data) |
122 | && (provdata = import_data.provdata) != NULL) |
123 | break; |
124 | } |
125 | } |
126 | } |
127 | |
128 | /* |
129 | * TODO(3.0) Right now, we assume we have ample space. We will |
130 | * have to think about a cache aging scheme, though, if |i| indexes |
131 | * outside the array. |
132 | */ |
133 | j = ossl_assert(i < OSSL_NELEM(pk->pkeys)); |
134 | |
135 | if (provdata != NULL) { |
136 | EVP_KEYMGMT_up_ref(keymgmt); |
137 | pk->pkeys[i].keymgmt = keymgmt; |
138 | pk->pkeys[i].provdata = provdata; |
139 | pk->pkeys[i].domainparams = want_domainparams; |
140 | } |
141 | |
142 | return provdata; |
143 | } |
144 | |
145 | void evp_keymgmt_clear_pkey_cache(EVP_PKEY *pk) |
146 | { |
147 | size_t i; |
148 | |
149 | if (pk != NULL) { |
150 | for (i = 0; |
151 | i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL; |
152 | i++) { |
153 | EVP_KEYMGMT *keymgmt = pk->pkeys[i].keymgmt; |
154 | void *provdata = pk->pkeys[i].provdata; |
155 | |
156 | pk->pkeys[i].keymgmt = NULL; |
157 | pk->pkeys[i].provdata = NULL; |
158 | if (pk->pkeys[i].domainparams) |
159 | keymgmt->freedomparams(provdata); |
160 | else |
161 | keymgmt->freekey(provdata); |
162 | EVP_KEYMGMT_free(keymgmt); |
163 | } |
164 | } |
165 | } |
166 | |
167 | void *evp_keymgmt_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, |
168 | const OSSL_PARAM params[], int domainparams) |
169 | { |
170 | void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
171 | void *provdata = domainparams |
172 | ? keymgmt->importdomparams(provctx, params) |
173 | : keymgmt->importkey(provctx, params); |
174 | |
175 | evp_keymgmt_clear_pkey_cache(target); |
176 | if (provdata != NULL) { |
177 | EVP_KEYMGMT_up_ref(keymgmt); |
178 | target->pkeys[0].keymgmt = keymgmt; |
179 | target->pkeys[0].provdata = provdata; |
180 | target->pkeys[0].domainparams = domainparams; |
181 | } |
182 | |
183 | return provdata; |
184 | } |
185 | |
186 | /* internal functions */ |
187 | /* TODO(3.0) decide if these should be public or internal */ |
188 | void *evp_keymgmt_importdomparams(const EVP_KEYMGMT *keymgmt, |
189 | const OSSL_PARAM params[]) |
190 | { |
191 | void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
192 | |
193 | return keymgmt->importdomparams(provctx, params); |
194 | } |
195 | |
196 | void *evp_keymgmt_gendomparams(const EVP_KEYMGMT *keymgmt, |
197 | const OSSL_PARAM params[]) |
198 | { |
199 | void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
200 | |
201 | return keymgmt->gendomparams(provctx, params); |
202 | } |
203 | |
204 | void evp_keymgmt_freedomparams(const EVP_KEYMGMT *keymgmt, |
205 | void *provdomparams) |
206 | { |
207 | keymgmt->freedomparams(provdomparams); |
208 | } |
209 | |
210 | int evp_keymgmt_exportdomparams(const EVP_KEYMGMT *keymgmt, |
211 | void *provdomparams, |
212 | OSSL_CALLBACK *param_cb, void *cbarg) |
213 | { |
214 | return keymgmt->exportdomparams(provdomparams, param_cb, cbarg); |
215 | } |
216 | |
217 | const OSSL_PARAM *evp_keymgmt_importdomparam_types(const EVP_KEYMGMT *keymgmt) |
218 | { |
219 | return keymgmt->importdomparam_types(); |
220 | } |
221 | |
222 | /* |
223 | * TODO(v3.0) investigate if we need this function. 'openssl provider' may |
224 | * be a caller... |
225 | */ |
226 | const OSSL_PARAM *evp_keymgmt_exportdomparam_types(const EVP_KEYMGMT *keymgmt) |
227 | { |
228 | return keymgmt->exportdomparam_types(); |
229 | } |
230 | |
231 | |
232 | void *evp_keymgmt_importkey(const EVP_KEYMGMT *keymgmt, |
233 | const OSSL_PARAM params[]) |
234 | { |
235 | void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
236 | |
237 | return keymgmt->importkey(provctx, params); |
238 | } |
239 | |
240 | void *evp_keymgmt_genkey(const EVP_KEYMGMT *keymgmt, void *domparams, |
241 | const OSSL_PARAM params[]) |
242 | { |
243 | void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
244 | |
245 | return keymgmt->genkey(provctx, domparams, params); |
246 | } |
247 | |
248 | void *evp_keymgmt_loadkey(const EVP_KEYMGMT *keymgmt, |
249 | void *id, size_t idlen) |
250 | { |
251 | void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); |
252 | |
253 | return keymgmt->loadkey(provctx, id, idlen); |
254 | } |
255 | |
256 | void evp_keymgmt_freekey(const EVP_KEYMGMT *keymgmt, void *provkey) |
257 | { |
258 | keymgmt->freekey(provkey); |
259 | } |
260 | |
261 | int evp_keymgmt_exportkey(const EVP_KEYMGMT *keymgmt, void *provkey, |
262 | OSSL_CALLBACK *param_cb, void *cbarg) |
263 | { |
264 | return keymgmt->exportkey(provkey, param_cb, cbarg); |
265 | } |
266 | |
267 | const OSSL_PARAM *evp_keymgmt_importkey_types(const EVP_KEYMGMT *keymgmt) |
268 | { |
269 | return keymgmt->importkey_types(); |
270 | } |
271 | |
272 | /* |
273 | * TODO(v3.0) investigate if we need this function. 'openssl provider' may |
274 | * be a caller... |
275 | */ |
276 | const OSSL_PARAM *evp_keymgmt_exportkey_types(const EVP_KEYMGMT *keymgmt) |
277 | { |
278 | return keymgmt->exportkey_types(); |
279 | } |
280 | |