EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) { EVP_PKEY *ret = X509_PUBKEY_get0(key); if (ret != NULL) EVP_PKEY_up_ref(ret); return ret; }
/* * Create an EVP_PKEY OpenSSL object for a given key * Returns private or public key depending on isPrivate */ EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate) { if (key->isPrivate != isPrivate) key = pkcs11_find_key_from_key(key); if (key == NULL) return NULL; if (key->evp_key == NULL) { PKCS11_KEY_private *kpriv = PRIVKEY(key); key->evp_key = kpriv->ops->get_evp_key(key); if (key->evp_key == NULL) return NULL; kpriv->always_authenticate = CK_FALSE; if(isPrivate) { if(key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE, &kpriv->always_authenticate, sizeof(CK_BBOOL))) fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n"); } } #if OPENSSL_VERSION_NUMBER >= 0x10100000L EVP_PKEY_up_ref(key->evp_key); #else CRYPTO_add(&key->evp_key->references, 1, CRYPTO_LOCK_EVP_PKEY); #endif return key->evp_key; }
int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) { int ret; if (!ctx || !ctx->pmeth || !(ctx->pmeth->derive || ctx->pmeth->encrypt || ctx->pmeth->decrypt) || !ctx->pmeth->ctrl) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } if (ctx->operation != EVP_PKEY_OP_DERIVE && ctx->operation != EVP_PKEY_OP_ENCRYPT && ctx->operation != EVP_PKEY_OP_DECRYPT) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); return 0; } ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 0, peer); if (ret <= 0) { return 0; } if (ret == 2) { return 1; } if (!ctx->pkey) { OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET); return 0; } if (ctx->pkey->type != peer->type) { OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES); return 0; } /* [email protected]: For clarity. The error is if parameters in peer are * present (!missing) but don't match. EVP_PKEY_cmp_parameters may return * 1 (match), 0 (don't match) and -2 (comparison is not defined). -1 * (different key types) is impossible here because it is checked earlier. * -2 is OK for us here, as well as 1, so we can check for 0 only. */ if (!EVP_PKEY_missing_parameters(peer) && !EVP_PKEY_cmp_parameters(ctx->pkey, peer)) { OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_PARAMETERS); return 0; } EVP_PKEY_free(ctx->peerkey); ctx->peerkey = peer; ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer); if (ret <= 0) { ctx->peerkey = NULL; return 0; } EVP_PKEY_up_ref(peer); return 1; }
int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) { EVP_PKEY_free(ctx->signer_key); ctx->signer_key = key; EVP_PKEY_up_ref(ctx->signer_key); return 1; }
EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx) { EVP_PKEY_CTX *rctx; if (!pctx->pmeth || !pctx->pmeth->copy) return NULL; #ifndef OPENSSL_NO_ENGINE /* Make sure it's safe to copy a pkey context using an ENGINE */ if (pctx->engine && !ENGINE_init(pctx->engine)) { EVPerr(EVP_F_EVP_PKEY_CTX_DUP, ERR_R_ENGINE_LIB); return 0; } #endif rctx = OPENSSL_malloc(sizeof(*rctx)); if (rctx == NULL) return NULL; rctx->pmeth = pctx->pmeth; #ifndef OPENSSL_NO_ENGINE rctx->engine = pctx->engine; #endif if (pctx->pkey) EVP_PKEY_up_ref(pctx->pkey); rctx->pkey = pctx->pkey; if (pctx->peerkey) EVP_PKEY_up_ref(pctx->peerkey); rctx->peerkey = pctx->peerkey; rctx->data = NULL; rctx->app_data = NULL; rctx->operation = pctx->operation; if (pctx->pmeth->copy(rctx, pctx) > 0) return rctx; rctx->pmeth = NULL; EVP_PKEY_CTX_free(rctx); return NULL; }
int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) { ctx->tlsext_channel_id_enabled = 1; if (EVP_PKEY_id(private_key) != EVP_PKEY_EC || EVP_PKEY_bits(private_key) != 256) { OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); return 0; } EVP_PKEY_free(ctx->tlsext_channel_id_private); ctx->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key); return 1; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return NULL; } OPENSSL_memset(ret, 0, sizeof(CERT)); ret->chain = sk_CRYPTO_BUFFER_deep_copy(cert->chain, buffer_up_ref, CRYPTO_BUFFER_free); if (cert->privatekey != NULL) { EVP_PKEY_up_ref(cert->privatekey); ret->privatekey = cert->privatekey; } ret->key_method = cert->key_method; ret->x509_method = cert->x509_method; if (cert->sigalgs != NULL) { ret->sigalgs = BUF_memdup(cert->sigalgs, cert->num_sigalgs * sizeof(cert->sigalgs[0])); if (ret->sigalgs == NULL) { goto err; } } ret->num_sigalgs = cert->num_sigalgs; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; ret->x509_method->cert_dup(ret, cert); if (cert->signed_cert_timestamp_list != NULL) { CRYPTO_BUFFER_up_ref(cert->signed_cert_timestamp_list); ret->signed_cert_timestamp_list = cert->signed_cert_timestamp_list; } if (cert->ocsp_response != NULL) { CRYPTO_BUFFER_up_ref(cert->ocsp_response); ret->ocsp_response = cert->ocsp_response; } ret->sid_ctx_length = cert->sid_ctx_length; OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx)); ret->enable_early_data = cert->enable_early_data; return ret; err: ssl_cert_free(ret); return NULL; }
EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx) { EVP_PKEY_CTX *rctx; if (!pctx->pmeth || !pctx->pmeth->copy) { return NULL; } rctx = OPENSSL_malloc(sizeof(EVP_PKEY_CTX)); if (!rctx) { return NULL; } memset(rctx, 0, sizeof(EVP_PKEY_CTX)); rctx->pmeth = pctx->pmeth; rctx->engine = pctx->engine; rctx->operation = pctx->operation; if (pctx->pkey) { rctx->pkey = EVP_PKEY_up_ref(pctx->pkey); if (rctx->pkey == NULL) { goto err; } } if (pctx->peerkey) { rctx->peerkey = EVP_PKEY_up_ref(pctx->peerkey); if (rctx->peerkey == NULL) { goto err; } } if (pctx->pmeth->copy(rctx, pctx) > 0) { return rctx; } err: EVP_PKEY_CTX_free(rctx); OPENSSL_PUT_ERROR(EVP, ERR_LIB_EVP); return NULL; }
int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { if (!is_p256_key(private_key)) { OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); return 0; } EVP_PKEY_free(ssl->tlsext_channel_id_private); ssl->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key); ssl->tlsext_channel_id_enabled = 1; return 1; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0, sizeof(CERT)); ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); goto err; } } ret->dh_tmp_cb = cert->dh_tmp_cb; if (cert->x509 != NULL) { ret->x509 = X509_up_ref(cert->x509); } if (cert->privatekey != NULL) { ret->privatekey = EVP_PKEY_up_ref(cert->privatekey); } if (cert->chain) { ret->chain = X509_chain_up_ref(cert->chain); if (!ret->chain) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } ret->key_method = cert->key_method; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store != NULL) { X509_STORE_up_ref(cert->verify_store); ret->verify_store = cert->verify_store; } return ret; err: ssl_cert_free(ret); return NULL; }
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { int i; i = ssl_cert_type(NULL, pkey); if (i < 0) { SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return (0); } #ifndef OPENSSL_NO_GMTLS if (i == SSL_PKEY_SM2 && c->pkeys[SSL_PKEY_SM2_ENC].x509) i = SSL_PKEY_SM2_ENC; #endif if (c->pkeys[i].x509 != NULL) { EVP_PKEY *pktmp; pktmp = X509_get0_pubkey(c->pkeys[i].x509); if (pktmp == NULL) { SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE); return 0; } /* * The return code from EVP_PKEY_copy_parameters is deliberately * ignored. Some EVP_PKEY types cannot do this. */ EVP_PKEY_copy_parameters(pktmp, pkey); ERR_clear_error(); #ifndef OPENSSL_NO_RSA /* * Don't check the public/private key, this is mostly for smart * cards. */ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ; else #endif if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { X509_free(c->pkeys[i].x509); c->pkeys[i].x509 = NULL; return 0; } } EVP_PKEY_free(c->pkeys[i].privatekey); EVP_PKEY_up_ref(pkey); c->pkeys[i].privatekey = pkey; c->key = &(c->pkeys[i]); return (1); }
int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { if (EVP_PKEY_id(private_key) != EVP_PKEY_EC || EC_GROUP_get_curve_name(EC_KEY_get0_group(private_key->pkey.ec)) != NID_X9_62_prime256v1) { OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); return 0; } EVP_PKEY_free(ssl->tlsext_channel_id_private); ssl->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key); ssl->tlsext_channel_id_enabled = 1; return 1; }
static int cert_set_chain_and_key( CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) { if (num_certs == 0 || (privkey == NULL && privkey_method == NULL)) { OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (privkey != NULL && privkey_method != NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD); return 0; } switch (check_leaf_cert_and_privkey(certs[0], privkey)) { case leaf_cert_and_privkey_error: return 0; case leaf_cert_and_privkey_mismatch: OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH); return 0; case leaf_cert_and_privkey_ok: break; } STACK_OF(CRYPTO_BUFFER) *certs_sk = sk_CRYPTO_BUFFER_new_null(); if (certs_sk == NULL) { return 0; } for (size_t i = 0; i < num_certs; i++) { if (!sk_CRYPTO_BUFFER_push(certs_sk, certs[i])) { sk_CRYPTO_BUFFER_pop_free(certs_sk, CRYPTO_BUFFER_free); return 0; } CRYPTO_BUFFER_up_ref(certs[i]); } EVP_PKEY_free(cert->privatekey); cert->privatekey = privkey; if (privkey != NULL) { EVP_PKEY_up_ref(privkey); } cert->key_method = privkey_method; sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free); cert->chain = certs_sk; return 1; }
static void test_rsa_sign(void) { ptls_openssl_sign_certificate_t *sc = (ptls_openssl_sign_certificate_t *)ctx->sign_certificate; const void *message = "hello world"; ptls_buffer_t sigbuf; uint8_t sigbuf_small[1024]; ptls_buffer_init(&sigbuf, sigbuf_small, sizeof(sigbuf_small)); ok(do_sign(sc->key, &sigbuf, ptls_iovec_init(message, strlen(message)), EVP_sha256()) == 0); EVP_PKEY_up_ref(sc->key); ok(verify_sign(sc->key, ptls_iovec_init(message, strlen(message)), ptls_iovec_init(sigbuf.base, sigbuf.off)) == 0); ptls_buffer_dispose(&sigbuf); }
int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst) { int ret; /* We now need to add another PKCS7_SIGNER_INFO entry */ if (!ASN1_INTEGER_set(p7i->version, 1)) goto err; if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, X509_get_issuer_name(x509))) goto err; /* * because ASN1_INTEGER_set is used to set a 'long' we will do things the * ugly way. */ ASN1_INTEGER_free(p7i->issuer_and_serial->serial); if (!(p7i->issuer_and_serial->serial = ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) goto err; /* lets keep the pkey around for a while */ EVP_PKEY_up_ref(pkey); p7i->pkey = pkey; /* Set the algorithms */ X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_type(dgst)), V_ASN1_NULL, NULL); if (pkey->ameth && pkey->ameth->pkey_ctrl) { ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i); if (ret > 0) return 1; if (ret != -2) { PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET, PKCS7_R_SIGNING_CTRL_FAILURE); return 0; } } PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); err: return 0; }
static EVP_PKEY_CTX *evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) { EVP_PKEY_CTX *ret; const EVP_PKEY_METHOD *pmeth; if (id == -1) { if (!pkey || !pkey->ameth) { return NULL; } id = pkey->ameth->pkey_id; } pmeth = evp_pkey_meth_find(id); if (pmeth == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM); ERR_add_error_dataf("algorithm %d", id); return NULL; } ret = OPENSSL_malloc(sizeof(EVP_PKEY_CTX)); if (!ret) { OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0, sizeof(EVP_PKEY_CTX)); ret->engine = e; ret->pmeth = pmeth; ret->operation = EVP_PKEY_OP_UNDEFINED; if (pkey) { ret->pkey = EVP_PKEY_up_ref(pkey); } if (pmeth->init) { if (pmeth->init(ret) <= 0) { EVP_PKEY_free(ret->pkey); OPENSSL_free(ret); return NULL; } } return ret; }
int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *pk, unsigned int flags) { CMS_KeyAgreeRecipientInfo *kari; CMS_RecipientEncryptedKey *rek = NULL; ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo); if (!ri->d.kari) return 0; ri->type = CMS_RECIPINFO_AGREE; kari = ri->d.kari; kari->version = 3; rek = M_ASN1_new_of(CMS_RecipientEncryptedKey); if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) { M_ASN1_free_of(rek, CMS_RecipientEncryptedKey); return 0; } if (flags & CMS_USE_KEYID) { rek->rid->type = CMS_REK_KEYIDENTIFIER; rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier); if (rek->rid->d.rKeyId == NULL) return 0; if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) return 0; } else { rek->rid->type = CMS_REK_ISSUER_SERIAL; if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip)) return 0; } /* Create ephemeral key */ if (!cms_kari_create_ephemeral_key(kari, pk)) return 0; EVP_PKEY_up_ref(pk); rek->pkey = pk; return 1; }
static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) { if (!is_key_type_supported(pkey->type)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return 0; } if (cert->chain != NULL && sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL && /* Sanity-check that the private key and the certificate match, unless * the key is opaque (in case of, say, a smartcard). */ !EVP_PKEY_is_opaque(pkey) && !ssl_cert_check_private_key(cert, pkey)) { return 0; } EVP_PKEY_free(cert->privatekey); EVP_PKEY_up_ref(pkey); cert->privatekey = pkey; return 1; }
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { if (!is_key_type_supported(pkey->type)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return 0; } if (c->x509 != NULL) { /* Sanity-check that the private key and the certificate match, unless the * key is opaque (in case of, say, a smartcard). */ if (!EVP_PKEY_is_opaque(pkey) && !X509_check_private_key(c->x509, pkey)) { X509_free(c->x509); c->x509 = NULL; return 0; } } EVP_PKEY_free(c->privatekey); c->privatekey = EVP_PKEY_up_ref(pkey); return 1; }
int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) { X509_PUBKEY *pk = NULL; if (x == NULL) return 0; if ((pk = X509_PUBKEY_new()) == NULL) goto error; if (pkey->ameth) { if (pkey->ameth->pub_encode) { if (!pkey->ameth->pub_encode(pk, pkey)) { X509err(X509_F_X509_PUBKEY_SET, X509_R_PUBLIC_KEY_ENCODE_ERROR); goto error; } } else { X509err(X509_F_X509_PUBKEY_SET, X509_R_METHOD_NOT_SUPPORTED); goto error; } } else { X509err(X509_F_X509_PUBKEY_SET, X509_R_UNSUPPORTED_ALGORITHM); goto error; } X509_PUBKEY_free(*x); *x = pk; pk->pkey = pkey; EVP_PKEY_up_ref(pkey); return 1; error: X509_PUBKEY_free(pk); return 0; }
static void test_ecdsa_sign(void) { EVP_PKEY *pkey; { /* create pkey */ EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); EC_KEY_generate_key(eckey); pkey = EVP_PKEY_new(); EVP_PKEY_set1_EC_KEY(pkey, eckey); EC_KEY_free(eckey); } const char *message = "hello world"; ptls_buffer_t sigbuf; uint8_t sigbuf_small[1024]; ptls_buffer_init(&sigbuf, sigbuf_small, sizeof(sigbuf_small)); ok(do_sign(pkey, &sigbuf, ptls_iovec_init(message, strlen(message)), EVP_sha256()) == 0); EVP_PKEY_up_ref(pkey); ok(verify_sign(pkey, ptls_iovec_init(message, strlen(message)), ptls_iovec_init(sigbuf.base, sigbuf.off)) == 0); ptls_buffer_dispose(&sigbuf); EVP_PKEY_free(pkey); }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_zalloc(sizeof(*ret)); int i; if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); return NULL; } ret->references = 1; ret->key = &ret->pkeys[cert->key - cert->pkeys]; ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); OPENSSL_free(ret); return NULL; } #ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { ret->dh_tmp = cert->dh_tmp; EVP_PKEY_up_ref(ret->dh_tmp); } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->dh_tmp_auto = cert->dh_tmp_auto; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; if (cpk->x509 != NULL) { rpk->x509 = cpk->x509; X509_up_ref(rpk->x509); } if (cpk->privatekey != NULL) { rpk->privatekey = cpk->privatekey; EVP_PKEY_up_ref(cpk->privatekey); } if (cpk->chain) { rpk->chain = X509_chain_up_ref(cpk->chain); if (!rpk->chain) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } } if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ ret->pkeys[i].serverinfo = OPENSSL_malloc(cert->pkeys[i].serverinfo_length); if (ret->pkeys[i].serverinfo == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length; memcpy(ret->pkeys[i].serverinfo, cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length); } } /* Configured sigalgs copied across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); if (ret->conf_sigalgs == NULL) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); ret->conf_sigalgslen = cert->conf_sigalgslen; } else ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); if (ret->client_sigalgs == NULL) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctype) { ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); if (ret->ctype == NULL) goto err; ret->ctype_len = cert->ctype_len; } ret->cert_flags = cert->cert_flags; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { X509_STORE_up_ref(cert->verify_store); ret->verify_store = cert->verify_store; } if (cert->chain_store) { X509_STORE_up_ref(cert->chain_store); ret->chain_store = cert->chain_store; } ret->sec_cb = cert->sec_cb; ret->sec_level = cert->sec_level; ret->sec_ex = cert->sec_ex; if (!custom_exts_copy(&ret->custext, &cert->custext)) goto err; #ifndef OPENSSL_NO_PSK if (cert->psk_identity_hint) { ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint); if (ret->psk_identity_hint == NULL) goto err; } #endif return ret; err: ssl_cert_free(ret); return NULL; }
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) { EVP_PKEY *ret=NULL; if (key == NULL) goto error; CRYPTO_STATIC_MUTEX_lock_read(&g_pubkey_lock); if (key->pkey != NULL) { CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); return EVP_PKEY_up_ref(key->pkey); } CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); if (key->public_key == NULL) goto error; if ((ret = EVP_PKEY_new()) == NULL) { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, ERR_R_MALLOC_FAILURE); goto error; } if (!EVP_PKEY_set_type(ret, OBJ_obj2nid(key->algor->algorithm))) { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, X509_R_UNSUPPORTED_ALGORITHM); goto error; } if (ret->ameth->pub_decode) { if (!ret->ameth->pub_decode(ret, key)) { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, X509_R_PUBLIC_KEY_DECODE_ERROR); goto error; } } else { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, X509_R_METHOD_NOT_SUPPORTED); goto error; } /* Check to see if another thread set key->pkey first */ CRYPTO_STATIC_MUTEX_lock_write(&g_pubkey_lock); if (key->pkey) { CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); EVP_PKEY_free(ret); ret = key->pkey; } else { key->pkey = ret; CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); } return EVP_PKEY_up_ref(ret); error: if (ret != NULL) EVP_PKEY_free(ret); return(NULL); }
CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk, const EVP_MD *md, unsigned int flags) { CMS_SignedData *sd; CMS_SignerInfo *si = NULL; X509_ALGOR *alg; int i, type; if (!X509_check_private_key(signer, pk)) { CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); return NULL; } sd = cms_signed_data_init(cms); if (!sd) goto err; si = M_ASN1_new_of(CMS_SignerInfo); if (!si) goto merr; /* Call for side-effect of computing hash and caching extensions */ X509_check_purpose(signer, -1, -1); X509_up_ref(signer); EVP_PKEY_up_ref(pk); si->pkey = pk; si->signer = signer; si->mctx = EVP_MD_CTX_new(); si->pctx = NULL; if (si->mctx == NULL) { CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE); goto err; } if (flags & CMS_USE_KEYID) { si->version = 3; if (sd->version < 3) sd->version = 3; type = CMS_SIGNERINFO_KEYIDENTIFIER; } else { type = CMS_SIGNERINFO_ISSUER_SERIAL; si->version = 1; } if (!cms_set1_SignerIdentifier(si->sid, signer, type)) goto err; if (md == NULL) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0) goto err; md = EVP_get_digestbynid(def_nid); if (md == NULL) { CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DEFAULT_DIGEST); goto err; } } if (!md) { CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DIGEST_SET); goto err; } X509_ALGOR_set_md(si->digestAlgorithm, md); /* See if digest is present in digestAlgorithms */ for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { const ASN1_OBJECT *aoid; alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i); X509_ALGOR_get0(&aoid, NULL, NULL, alg); if (OBJ_obj2nid(aoid) == EVP_MD_type(md)) break; } if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) { alg = X509_ALGOR_new(); if (alg == NULL) goto merr; X509_ALGOR_set_md(alg, md); if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) { X509_ALGOR_free(alg); goto merr; } } if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0)) goto err; if (!(flags & CMS_NOATTR)) { /* * Initialize signed attributes structure so other attributes * such as signing time etc are added later even if we add none here. */ if (!si->signedAttrs) { si->signedAttrs = sk_X509_ATTRIBUTE_new_null(); if (!si->signedAttrs) goto merr; } if (!(flags & CMS_NOSMIMECAP)) { STACK_OF(X509_ALGOR) *smcap = NULL; i = CMS_add_standard_smimecap(&smcap); if (i) i = CMS_add_smimecap(si, smcap); sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); if (!i) goto merr; } if (flags & CMS_REUSE_DIGEST) { if (!cms_copy_messageDigest(cms, si)) goto err; if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) && !CMS_SignerInfo_sign(si)) goto err; } } if (!(flags & CMS_NOCERTS)) { /* NB ignore -1 return for duplicate cert */ if (!CMS_add1_cert(cms, signer)) goto merr; } if (flags & CMS_KEY_PARAM) { if (flags & CMS_NOATTR) { si->pctx = EVP_PKEY_CTX_new(si->pkey, NULL); if (si->pctx == NULL) goto err; if (EVP_PKEY_sign_init(si->pctx) <= 0) goto err; if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0) goto err; } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <= 0) goto err; } if (!sd->signerInfos) sd->signerInfos = sk_CMS_SignerInfo_new_null(); if (!sd->signerInfos || !sk_CMS_SignerInfo_push(sd->signerInfos, si)) goto merr; return si; merr: CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE); err: M_ASN1_free_of(si, CMS_SignerInfo); return NULL; }
static int test_EVP_PKEY_check(int i) { int ret = 0; const unsigned char *p; EVP_PKEY *pkey = NULL; #ifndef OPENSSL_NO_EC EC_KEY *eckey = NULL; #endif EVP_PKEY_CTX *ctx = NULL; EVP_PKEY_CTX *ctx2 = NULL; const APK_DATA *ak = &keycheckdata[i]; const unsigned char *input = ak->kder; size_t input_len = ak->size; int expected_id = ak->evptype; int expected_check = ak->check; int expected_pub_check = ak->pub_check; int expected_param_check = ak->param_check; int type = ak->type; BIO *pubkey = NULL; p = input; switch (type) { case 0: if (!TEST_ptr(pkey = d2i_AutoPrivateKey(NULL, &p, input_len)) || !TEST_ptr_eq(p, input + input_len) || !TEST_int_eq(EVP_PKEY_id(pkey), expected_id)) goto done; break; #ifndef OPENSSL_NO_EC case 1: if (!TEST_ptr(pubkey = BIO_new_mem_buf(input, input_len)) || !TEST_ptr(eckey = d2i_EC_PUBKEY_bio(pubkey, NULL)) || !TEST_ptr(pkey = EVP_PKEY_new()) || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))) goto done; break; case 2: if (!TEST_ptr(eckey = d2i_ECParameters(NULL, &p, input_len)) || !TEST_ptr_eq(p, input + input_len) || !TEST_ptr(pkey = EVP_PKEY_new()) || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))) goto done; break; #endif default: return 0; } if (!TEST_ptr(ctx = EVP_PKEY_CTX_new(pkey, NULL))) goto done; if (!TEST_int_eq(EVP_PKEY_check(ctx), expected_check)) goto done; if (!TEST_int_eq(EVP_PKEY_public_check(ctx), expected_pub_check)) goto done; if (!TEST_int_eq(EVP_PKEY_param_check(ctx), expected_param_check)) goto done; ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL); /* assign the pkey directly, as an internal test */ EVP_PKEY_up_ref(pkey); ctx2->pkey = pkey; if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef)) goto done; if (!TEST_int_eq(EVP_PKEY_public_check(ctx2), 0xbeef)) goto done; if (!TEST_int_eq(EVP_PKEY_param_check(ctx2), 0xbeef)) goto done; ret = 1; done: EVP_PKEY_CTX_free(ctx); EVP_PKEY_CTX_free(ctx2); EVP_PKEY_free(pkey); BIO_free(pubkey); return ret; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0, sizeof(CERT)); ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->ecdh_nid = cert->ecdh_nid; ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; if (cert->x509 != NULL) { ret->x509 = X509_up_ref(cert->x509); } if (cert->privatekey != NULL) { ret->privatekey = EVP_PKEY_up_ref(cert->privatekey); } if (cert->chain) { ret->chain = X509_chain_up_ref(cert->chain); if (!ret->chain) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } /* Copy over signature algorithm configuration. */ if (cert->conf_sigalgs) { ret->conf_sigalgs = BUF_memdup(cert->conf_sigalgs, cert->conf_sigalgslen); if (!ret->conf_sigalgs) { goto err; } ret->conf_sigalgslen = cert->conf_sigalgslen; } if (cert->client_sigalgs) { ret->client_sigalgs = BUF_memdup(cert->client_sigalgs, cert->client_sigalgslen); if (!ret->client_sigalgs) { goto err; } ret->client_sigalgslen = cert->client_sigalgslen; } /* Copy any custom client certificate types */ if (cert->client_certificate_types) { ret->client_certificate_types = BUF_memdup( cert->client_certificate_types, cert->num_client_certificate_types); if (!ret->client_certificate_types) { goto err; } ret->num_client_certificate_types = cert->num_client_certificate_types; } ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { CRYPTO_refcount_inc(&cert->verify_store->references); ret->verify_store = cert->verify_store; } if (cert->chain_store) { CRYPTO_refcount_inc(&cert->chain_store->references); ret->chain_store = cert->chain_store; } return ret; err: ssl_cert_free(ret); return NULL; }
EVP_PKEY * mono_btls_key_up_ref (EVP_PKEY *pkey) { return EVP_PKEY_up_ref (pkey); }
static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) { EVP_PKEY_CTX *ret; const EVP_PKEY_METHOD *pmeth; if (id == -1) { if (!pkey || !pkey->ameth) return NULL; id = pkey->ameth->pkey_id; } #ifndef OPENSSL_NO_ENGINE if (pkey && pkey->engine) e = pkey->engine; /* Try to find an ENGINE which implements this method */ if (e) { if (!ENGINE_init(e)) { EVPerr(EVP_F_INT_CTX_NEW, ERR_R_ENGINE_LIB); return NULL; } } else e = ENGINE_get_pkey_meth_engine(id); /* * If an ENGINE handled this method look it up. Otherwise use internal * tables. */ if (e) pmeth = ENGINE_get_pkey_meth(e, id); else #endif pmeth = EVP_PKEY_meth_find(id); if (pmeth == NULL) { EVPerr(EVP_F_INT_CTX_NEW, EVP_R_UNSUPPORTED_ALGORITHM); return NULL; } ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { #ifndef OPENSSL_NO_ENGINE ENGINE_finish(e); #endif EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } ret->engine = e; ret->pmeth = pmeth; ret->operation = EVP_PKEY_OP_UNDEFINED; ret->pkey = pkey; if (pkey) EVP_PKEY_up_ref(pkey); if (pmeth->init) { if (pmeth->init(ret) <= 0) { EVP_PKEY_CTX_free(ret); return NULL; } } return ret; }