mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-09 05:51:54 +08:00
Code Issues Packages Projects Releases Wiki Activity
f552d90045
openssl/crypto/evp/pmeth_gn.c

267 lines
6.8 KiB
C
Raw Normal View History

Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
/*
Copyright consolidation 04/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-18 02:24:46 +08:00
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Initial keygen support.
2006-04-11 21:28:52 +08:00
*
Following the license change, modify the boilerplates in crypto/evp/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7794)
2018-12-06 20:40:06 +08:00
* Licensed under the Apache License 2.0 (the "License"). You may not use
Copyright consolidation 04/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-18 02:24:46 +08:00
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
Initial keygen support.
2006-04-11 21:28:52 +08:00
*/
#include <stdio.h>
#include <stdlib.h>
Identify and move common internal libcrypto header files There are header files in crypto/ that are used by a number of crypto/ submodules. Move those to crypto/include/internal and adapt the affected source code and Makefiles. The header files that got moved are: crypto/cryptolib.h crypto/md32_common.h Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-14 22:56:48 +08:00
#include "internal/cryptlib.h"
Fix (most) WIN32 warnings and errors.
2006-04-17 20:08:22 +08:00
#include <openssl/objects.h>
Initial keygen support.
2006-04-11 21:28:52 +08:00
#include <openssl/evp.h>
Reorganize private crypto header files Currently, there are two different directories which contain internal header files of libcrypto which are meant to be shared internally: While header files in 'include/internal' are intended to be shared between libcrypto and libssl, the files in 'crypto/include/internal' are intended to be shared inside libcrypto only. To make things complicated, the include search path is set up in such a way that the directive #include "internal/file.h" could refer to a file in either of these two directoroes. This makes it necessary in some cases to add a '_int.h' suffix to some files to resolve this ambiguity: #include "internal/file.h" # located in 'include/internal' #include "internal/file_int.h" # located in 'crypto/include/internal' This commit moves the private crypto headers from 'crypto/include/internal' to 'include/crypto' As a result, the include directives become unambiguous #include "internal/file.h" # located in 'include/internal' #include "crypto/file.h" # located in 'include/crypto' hence the superfluous '_int.h' suffixes can be stripped. The files 'store_int.h' and 'store.h' need to be treated specially; they are joined into a single file. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 06:45:33 +08:00
#include "crypto/bn.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
Add EVP functionality to create domain params and keys by user data This is the EVP operation that corresponds to creating direct RSA, DH and DSA keys and set their numbers, to then assign them to an EVP_PKEY, but done entirely using an algorithm agnostic EVP interface. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10187)
2019-10-15 20:50:35 +08:00
#include "evp_local.h"
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
#ifndef FIPS_MODE
Initial keygen support.
2006-04-11 21:28:52 +08:00
int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
int ret;
if (!ctx || !ctx->pmeth || !ctx->pmeth->paramgen) {
EVPerr(EVP_F_EVP_PKEY_PARAMGEN_INIT,
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
ctx->operation = EVP_PKEY_OP_PARAMGEN;
if (!ctx->pmeth->paramgen_init)
return 1;
ret = ctx->pmeth->paramgen_init(ctx);
if (ret <= 0)
ctx->operation = EVP_PKEY_OP_UNDEFINED;
return ret;
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
int ret;
if (!ctx || !ctx->pmeth || !ctx->pmeth->paramgen) {
EVPerr(EVP_F_EVP_PKEY_PARAMGEN,
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
if (ctx->operation != EVP_PKEY_OP_PARAMGEN) {
EVPerr(EVP_F_EVP_PKEY_PARAMGEN, EVP_R_OPERATON_NOT_INITIALIZED);
return -1;
}
RT3754: check for NULL pointer Fix both the caller to error out on malloc failure, as well as the eventual callee to handle a NULL gracefully. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-09-01 22:31:55 +08:00
if (ppkey == NULL)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
return -1;
RT3754: check for NULL pointer Fix both the caller to error out on malloc failure, as well as the eventual callee to handle a NULL gracefully. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-09-01 22:31:55 +08:00
if (*ppkey == NULL)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
*ppkey = EVP_PKEY_new();
RT3754: check for NULL pointer Fix both the caller to error out on malloc failure, as well as the eventual callee to handle a NULL gracefully. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-09-01 22:31:55 +08:00
if (*ppkey == NULL) {
EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE);
return -1;
}
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
ret = ctx->pmeth->paramgen(ctx, *ppkey);
if (ret <= 0) {
EVP_PKEY_free(*ppkey);
*ppkey = NULL;
}
return ret;
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
int ret;
if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) {
EVPerr(EVP_F_EVP_PKEY_KEYGEN_INIT,
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
ctx->operation = EVP_PKEY_OP_KEYGEN;
if (!ctx->pmeth->keygen_init)
return 1;
ret = ctx->pmeth->keygen_init(ctx);
if (ret <= 0)
ctx->operation = EVP_PKEY_OP_UNDEFINED;
return ret;
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
int ret;
if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) {
EVPerr(EVP_F_EVP_PKEY_KEYGEN,
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
if (ctx->operation != EVP_PKEY_OP_KEYGEN) {
EVPerr(EVP_F_EVP_PKEY_KEYGEN, EVP_R_OPERATON_NOT_INITIALIZED);
return -1;
}
Continue standardising malloc style for libcrypto Continuing from previous commit ensure our style is consistent for malloc return checks. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-10-30 19:12:26 +08:00
if (ppkey == NULL)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
return -1;
Continue standardising malloc style for libcrypto Continuing from previous commit ensure our style is consistent for malloc return checks. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-10-30 19:12:26 +08:00
if (*ppkey == NULL)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
*ppkey = EVP_PKEY_new();
Continue standardising malloc style for libcrypto Continuing from previous commit ensure our style is consistent for malloc return checks. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-10-30 19:12:26 +08:00
if (*ppkey == NULL)
return -1;
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
ret = ctx->pmeth->keygen(ctx, *ppkey);
if (ret <= 0) {
EVP_PKEY_free(*ppkey);
*ppkey = NULL;
}
return ret;
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
ctx->pkey_gencb = cb;
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
New pkey functions for keygen callbacks and retrieving operation type.
2006-06-01 01:34:14 +08:00
EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
return ctx->pkey_gencb;
}
New pkey functions for keygen callbacks and retrieving operation type.
2006-06-01 01:34:14 +08:00
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
/*
* "translation callback" to call EVP_PKEY_CTX callbacks using BN_GENCB style
* callbacks.
Initial keygen support.
2006-04-11 21:28:52 +08:00
*/
static int trans_cb(int a, int b, BN_GENCB *gcb)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
EVP_PKEY_CTX *ctx = BN_GENCB_get_arg(gcb);
ctx->keygen_info[0] = a;
ctx->keygen_info[1] = b;
return ctx->pkey_gencb(ctx);
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
BN_GENCB_set(cb, trans_cb, ctx);
}
Initial keygen support.
2006-04-11 21:28:52 +08:00
int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
if (idx == -1)
return ctx->keygen_info_count;
if (idx < 0 || idx > ctx->keygen_info_count)
return 0;
return ctx->keygen_info[idx];
}
New -mac and -macopt options to dgst utility. Reimplement -hmac option in terms of new API.
2007-04-12 01:20:40 +08:00
EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
const unsigned char *key, int keylen)
{
EVP_PKEY_CTX *mac_ctx = NULL;
EVP_PKEY *mac_key = NULL;
mac_ctx = EVP_PKEY_CTX_new_id(type, e);
if (!mac_ctx)
return NULL;
if (EVP_PKEY_keygen_init(mac_ctx) <= 0)
goto merr;
New macro to set mac key. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-11 02:06:56 +08:00
if (EVP_PKEY_CTX_set_mac_key(mac_ctx, key, keylen) <= 0)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
goto merr;
if (EVP_PKEY_keygen(mac_ctx, &mac_key) <= 0)
goto merr;
merr:
free NULL cleanup EVP_.*free; this gets: EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-28 22:54:15 +08:00
EVP_PKEY_CTX_free(mac_ctx);
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
return mac_key;
}
Support key check in EVP interface A new method is added to EVP_PKEY_METH as: int (*check) (EVP_PKEY_CTX *ctx); and to EVP_PKEY_ASN1_METHOD as: int (*pkey_check) (EVP_PKEY_CTX *ctx); This is used to check the validity of a specific key. The order of calls is: EVP_PKEY_check -> pmeth.check -> ameth.pkey_check. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4337)
2017-09-04 22:02:59 +08:00
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
#endif /* FIPS_MODE */
/*- All methods below can also be used in FIPS_MODE */
static int fromdata_init(EVP_PKEY_CTX *ctx, int operation)
{
if (ctx == NULL || ctx->keytype == NULL)
goto not_supported;
evp_pkey_ctx_free_old_ops(ctx);
ctx->operation = operation;
if (ctx->keymgmt == NULL)
ctx->keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ctx->keytype,
ctx->propquery);
if (ctx->keymgmt == NULL)
goto not_supported;
return 1;
not_supported:
ctx->operation = EVP_PKEY_OP_UNDEFINED;
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
int EVP_PKEY_param_fromdata_init(EVP_PKEY_CTX *ctx)
{
return fromdata_init(ctx, EVP_PKEY_OP_PARAMFROMDATA);
}
int EVP_PKEY_key_fromdata_init(EVP_PKEY_CTX *ctx)
{
return fromdata_init(ctx, EVP_PKEY_OP_KEYFROMDATA);
}
int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, OSSL_PARAM params[])
{
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
void *keydata = NULL;
int selection;
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
if (ctx == NULL || (ctx->operation & EVP_PKEY_OP_TYPE_FROMDATA) == 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
if (ppkey == NULL)
return -1;
if (*ppkey == NULL)
*ppkey = EVP_PKEY_new();
if (*ppkey == NULL) {
ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
return -1;
}
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
if (ctx->operation == EVP_PKEY_OP_PARAMFROMDATA)
selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
else
Add Serializers for EC Provide EC serializers for text, pem and der. EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by other KEY types (which normally have a SEQUENCE at the top level). For this reason the ANS1_STRING type that was being passed around has been changed to a void so that the code can still be shared with EC. The EC serializer only supports named curves currently. NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be added in another PR. (Probably when deserialization is considered). EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non optional. As this is not the case for any other key the code has been modified. Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11107)
2020-02-16 17:54:08 +08:00
selection = OSSL_KEYMGMT_SELECT_ALL;
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
keydata = evp_keymgmt_util_fromdata(*ppkey, ctx->keymgmt, selection,
params);
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
if (keydata == NULL)
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
return 0;
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
/* keydata is cached in *ppkey, so we need not bother with it further */
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
return 1;
}
/*
* TODO(3.0) Re-evaluate the names, it's possible that we find these to be
* better:
*
* EVP_PKEY_param_settable()
* EVP_PKEY_param_gettable()
*/
const OSSL_PARAM *EVP_PKEY_param_fromdata_settable(EVP_PKEY_CTX *ctx)
{
/* We call fromdata_init to get ctx->keymgmt populated */
if (fromdata_init(ctx, EVP_PKEY_OP_UNDEFINED))
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
return evp_keymgmt_import_types(ctx->keymgmt,
OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
return NULL;
}
const OSSL_PARAM *EVP_PKEY_key_fromdata_settable(EVP_PKEY_CTX *ctx)
{
/* We call fromdata_init to get ctx->keymgmt populated */
if (fromdata_init(ctx, EVP_PKEY_OP_UNDEFINED))
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
return evp_keymgmt_import_types(ctx->keymgmt,
Add Serializers for EC Provide EC serializers for text, pem and der. EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by other KEY types (which normally have a SEQUENCE at the top level). For this reason the ANS1_STRING type that was being passed around has been changed to a void so that the code can still be shared with EC. The EC serializer only supports named curves currently. NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be added in another PR. (Probably when deserialization is considered). EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non optional. As this is not the case for any other key the code has been modified. Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11107)
2020-02-16 17:54:08 +08:00
OSSL_KEYMGMT_SELECT_ALL);
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
2020-01-12 09:32:12 +08:00
return NULL;
}
Reference in New Issue Copy Permalink