1 /*
2 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/e_os.h"
11 #include <string.h>
12
13 #include <openssl/core.h>
14 #include <openssl/core_names.h>
15 #include <openssl/core_object.h>
16 #include <openssl/err.h>
17 #include <openssl/pkcs12.h>
18 #include <openssl/provider.h>
19 #include <openssl/decoder.h>
20 #include <openssl/store.h>
21 #include "internal/provider.h"
22 #include "internal/passphrase.h"
23 #include "crypto/evp.h"
24 #include "crypto/x509.h"
25 #include "store_local.h"
26
27 #ifndef OSSL_OBJECT_PKCS12
28 /*
29 * The object abstraction doesn't know PKCS#12, but we want to indicate
30 * it anyway, so we create our own. Since the public macros use positive
31 * numbers, negative ones should be fine. They must never slip out from
32 * this translation unit anyway.
33 */
34 # define OSSL_OBJECT_PKCS12 -1
35 #endif
36
37 /*
38 * ossl_store_handle_load_result() is initially written to be a companion
39 * to our 'file:' scheme provider implementation, but has been made generic
40 * to serve others as well.
41 *
42 * This result handler takes any object abstraction (see provider-object(7))
43 * and does the best it can with it. If the object is passed by value (not
44 * by reference), the contents are currently expected to be DER encoded.
45 * If an object type is specified, that will be respected; otherwise, this
46 * handler will guess the contents, by trying the following in order:
47 *
48 * 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
49 * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
50 * 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
51 * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
52 *
53 * For the 'file:' scheme implementation, this is division of labor. Since
54 * the libcrypto <-> provider interface currently doesn't support certain
55 * structures as first class objects, they must be unpacked from DER here
56 * rather than in the provider. The current exception is asymmetric keys,
57 * which can reside within the provider boundary, most of all thanks to
58 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
59 * reference.
60 */
61
62 struct extracted_param_data_st {
63 int object_type;
64 const char *data_type;
65 const char *data_structure;
66 const char *utf8_data;
67 const void *octet_data;
68 size_t octet_data_size;
69 const void *ref;
70 size_t ref_size;
71 const char *desc;
72 };
73
74 static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
75 static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
76 OSSL_STORE_CTX *, const OSSL_PROVIDER *,
77 OSSL_LIB_CTX *, const char *);
78 static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
79 OSSL_LIB_CTX *, const char *);
80 static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
81 OSSL_LIB_CTX *, const char *);
82 static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
83 OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *);
84
ossl_store_handle_load_result(const OSSL_PARAM params[],void * arg)85 int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
86 {
87 struct ossl_load_result_data_st *cbdata = arg;
88 OSSL_STORE_INFO **v = &cbdata->v;
89 OSSL_STORE_CTX *ctx = cbdata->ctx;
90 const OSSL_PROVIDER *provider =
91 OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader);
92 OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
93 const char *propq = ctx->properties;
94 const OSSL_PARAM *p;
95 struct extracted_param_data_st helper_data;
96
97 memset(&helper_data, 0, sizeof(helper_data));
98 helper_data.object_type = OSSL_OBJECT_UNKNOWN;
99
100 if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
101 && !OSSL_PARAM_get_int(p, &helper_data.object_type))
102 return 0;
103 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
104 if (p != NULL
105 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
106 return 0;
107 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
108 if (p != NULL
109 && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
110 &helper_data.octet_data_size)
111 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
112 return 0;
113 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE);
114 if (p != NULL
115 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure))
116 return 0;
117 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
118 if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
119 &helper_data.ref_size))
120 return 0;
121 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
122 if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
123 return 0;
124
125 /*
126 * The helper functions return 0 on actual errors, otherwise 1, even if
127 * they didn't fill out |*v|.
128 */
129 ERR_set_mark();
130 if (*v == NULL && !try_name(&helper_data, v))
131 goto err;
132 ERR_pop_to_mark();
133 ERR_set_mark();
134 if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq))
135 goto err;
136 ERR_pop_to_mark();
137 ERR_set_mark();
138 if (*v == NULL && !try_cert(&helper_data, v, libctx, propq))
139 goto err;
140 ERR_pop_to_mark();
141 ERR_set_mark();
142 if (*v == NULL && !try_crl(&helper_data, v, libctx, propq))
143 goto err;
144 ERR_pop_to_mark();
145 ERR_set_mark();
146 if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq))
147 goto err;
148 ERR_pop_to_mark();
149
150 if (*v == NULL)
151 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED);
152
153 return (*v != NULL);
154 err:
155 ERR_clear_last_mark();
156 return 0;
157 }
158
try_name(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v)159 static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
160 {
161 if (data->object_type == OSSL_OBJECT_NAME) {
162 char *newname = NULL, *newdesc = NULL;
163
164 if (data->utf8_data == NULL)
165 return 0;
166 if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
167 || (data->desc != NULL
168 && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
169 || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
170 OPENSSL_free(newname);
171 OPENSSL_free(newdesc);
172 return 0;
173 }
174 OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
175 }
176 return 1;
177 }
178
179 /*
180 * For the rest of the object types, the provider code may not know what
181 * type of data it gave us, so we may need to figure that out on our own.
182 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
183 * only return 0 on error if the object type is known.
184 */
185
try_key_ref(struct extracted_param_data_st * data,OSSL_STORE_CTX * ctx,const OSSL_PROVIDER * provider,OSSL_LIB_CTX * libctx,const char * propq)186 static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
187 OSSL_STORE_CTX *ctx,
188 const OSSL_PROVIDER *provider,
189 OSSL_LIB_CTX *libctx, const char *propq)
190 {
191 EVP_PKEY *pk = NULL;
192 EVP_KEYMGMT *keymgmt = NULL;
193 void *keydata = NULL;
194 int try_fallback = 2;
195
196 /* If we have an object reference, we must have a data type */
197 if (data->data_type == NULL)
198 return 0;
199
200 keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
201 ERR_set_mark();
202 while (keymgmt != NULL && keydata == NULL && try_fallback-- > 0) {
203 /*
204 * There are two possible cases
205 *
206 * 1. The keymgmt is from the same provider as the loader,
207 * so we can use evp_keymgmt_load()
208 * 2. The keymgmt is from another provider, then we must
209 * do the export/import dance.
210 */
211 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
212 /* no point trying fallback here */
213 try_fallback = 0;
214 keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
215 } else {
216 struct evp_keymgmt_util_try_import_data_st import_data;
217 OSSL_FUNC_store_export_object_fn *export_object =
218 ctx->fetched_loader->p_export_object;
219
220 import_data.keymgmt = keymgmt;
221 import_data.keydata = NULL;
222 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
223
224 if (export_object != NULL) {
225 /*
226 * No need to check for errors here, the value of
227 * |import_data.keydata| is as much an indicator.
228 */
229 (void)export_object(ctx->loader_ctx,
230 data->ref, data->ref_size,
231 &evp_keymgmt_util_try_import,
232 &import_data);
233 }
234
235 keydata = import_data.keydata;
236 }
237
238 if (keydata == NULL && try_fallback > 0) {
239 EVP_KEYMGMT_free(keymgmt);
240 keymgmt = evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)provider,
241 data->data_type, propq);
242 if (keymgmt != NULL) {
243 ERR_pop_to_mark();
244 ERR_set_mark();
245 }
246 }
247 }
248 if (keydata != NULL) {
249 ERR_pop_to_mark();
250 pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
251 } else {
252 ERR_clear_last_mark();
253 }
254 EVP_KEYMGMT_free(keymgmt);
255
256 return pk;
257 }
258
try_key_value(struct extracted_param_data_st * data,OSSL_STORE_CTX * ctx,OSSL_PASSPHRASE_CALLBACK * cb,void * cbarg,OSSL_LIB_CTX * libctx,const char * propq)259 static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
260 OSSL_STORE_CTX *ctx,
261 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
262 OSSL_LIB_CTX *libctx, const char *propq)
263 {
264 EVP_PKEY *pk = NULL;
265 OSSL_DECODER_CTX *decoderctx = NULL;
266 const unsigned char *pdata = data->octet_data;
267 size_t pdatalen = data->octet_data_size;
268 int selection = 0;
269
270 switch (ctx->expected_type) {
271 case 0:
272 break;
273 case OSSL_STORE_INFO_PARAMS:
274 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
275 break;
276 case OSSL_STORE_INFO_PUBKEY:
277 selection =
278 OSSL_KEYMGMT_SELECT_PUBLIC_KEY
279 | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
280 break;
281 case OSSL_STORE_INFO_PKEY:
282 selection = OSSL_KEYMGMT_SELECT_ALL;
283 break;
284 default:
285 return NULL;
286 }
287
288 decoderctx =
289 OSSL_DECODER_CTX_new_for_pkey(&pk, NULL, data->data_structure,
290 data->data_type, selection, libctx,
291 propq);
292 (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
293
294 /* No error if this couldn't be decoded */
295 (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);
296
297 OSSL_DECODER_CTX_free(decoderctx);
298
299 return pk;
300 }
301
302 typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
303
try_key_value_legacy(struct extracted_param_data_st * data,store_info_new_fn ** store_info_new,OSSL_STORE_CTX * ctx,OSSL_PASSPHRASE_CALLBACK * cb,void * cbarg,OSSL_LIB_CTX * libctx,const char * propq)304 static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
305 store_info_new_fn **store_info_new,
306 OSSL_STORE_CTX *ctx,
307 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
308 OSSL_LIB_CTX *libctx, const char *propq)
309 {
310 EVP_PKEY *pk = NULL;
311 const unsigned char *der = data->octet_data, *derp;
312 long der_len = (long)data->octet_data_size;
313
314 /* Try PUBKEY first, that's a real easy target */
315 if (ctx->expected_type == 0
316 || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) {
317 derp = der;
318 pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
319
320 if (pk != NULL)
321 *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
322 }
323
324 /* Try private keys next */
325 if (pk == NULL
326 && (ctx->expected_type == 0
327 || ctx->expected_type == OSSL_STORE_INFO_PKEY)) {
328 unsigned char *new_der = NULL;
329 X509_SIG *p8 = NULL;
330 PKCS8_PRIV_KEY_INFO *p8info = NULL;
331
332 /* See if it's an encrypted PKCS#8 and decrypt it. */
333 derp = der;
334 p8 = d2i_X509_SIG(NULL, &derp, der_len);
335
336 if (p8 != NULL) {
337 char pbuf[PEM_BUFSIZE];
338 size_t plen = 0;
339
340 if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
341 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ);
342 } else {
343 const X509_ALGOR *alg = NULL;
344 const ASN1_OCTET_STRING *oct = NULL;
345 int len = 0;
346
347 X509_SIG_get0(p8, &alg, &oct);
348
349 /*
350 * No need to check the returned value, |new_der|
351 * will be NULL on error anyway.
352 */
353 PKCS12_pbe_crypt(alg, pbuf, plen,
354 oct->data, oct->length,
355 &new_der, &len, 0);
356 der_len = len;
357 der = new_der;
358 }
359 X509_SIG_free(p8);
360 }
361
362 /*
363 * If the encrypted PKCS#8 couldn't be decrypted,
364 * |der| is NULL
365 */
366 if (der != NULL) {
367 /* Try to unpack an unencrypted PKCS#8, that's easy */
368 derp = der;
369 p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
370
371 if (p8info != NULL) {
372 pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
373 PKCS8_PRIV_KEY_INFO_free(p8info);
374 }
375 }
376
377 if (pk != NULL)
378 *store_info_new = OSSL_STORE_INFO_new_PKEY;
379
380 OPENSSL_free(new_der);
381 }
382
383 return pk;
384 }
385
try_key(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_STORE_CTX * ctx,const OSSL_PROVIDER * provider,OSSL_LIB_CTX * libctx,const char * propq)386 static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
387 OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
388 OSSL_LIB_CTX *libctx, const char *propq)
389 {
390 store_info_new_fn *store_info_new = NULL;
391
392 if (data->object_type == OSSL_OBJECT_UNKNOWN
393 || data->object_type == OSSL_OBJECT_PKEY) {
394 EVP_PKEY *pk = NULL;
395
396 /* Prefer key by reference than key by value */
397 if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
398 pk = try_key_ref(data, ctx, provider, libctx, propq);
399
400 /*
401 * If for some reason we couldn't get a key, it's an error.
402 * It indicates that while decoders could make a key reference,
403 * the keymgmt somehow couldn't handle it, or doesn't have a
404 * OSSL_FUNC_keymgmt_load function.
405 */
406 if (pk == NULL)
407 return 0;
408 } else if (data->octet_data != NULL) {
409 OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
410 void *cbarg = &ctx->pwdata;
411
412 pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
413
414 /*
415 * Desperate last maneuver, in case the decoders don't support
416 * the data we have, then we try on our own to at least get an
417 * engine provided legacy key.
418 * This is the same as der2key_decode() does, but in a limited
419 * way and within the walls of libcrypto.
420 */
421 if (pk == NULL)
422 pk = try_key_value_legacy(data, &store_info_new, ctx,
423 cb, cbarg, libctx, propq);
424 }
425
426 if (pk != NULL) {
427 data->object_type = OSSL_OBJECT_PKEY;
428
429 if (store_info_new == NULL) {
430 /*
431 * We determined the object type for OSSL_STORE_INFO, which
432 * makes an explicit difference between an EVP_PKEY with just
433 * (domain) parameters and an EVP_PKEY with actual key
434 * material.
435 * The logic is that an EVP_PKEY with actual key material
436 * always has the public half.
437 */
438 if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
439 store_info_new = OSSL_STORE_INFO_new_PKEY;
440 else if (evp_keymgmt_util_has(pk,
441 OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
442 store_info_new = OSSL_STORE_INFO_new_PUBKEY;
443 else
444 store_info_new = OSSL_STORE_INFO_new_PARAMS;
445 }
446 *v = store_info_new(pk);
447 }
448
449 if (*v == NULL)
450 EVP_PKEY_free(pk);
451 }
452
453 return 1;
454 }
455
try_cert(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_LIB_CTX * libctx,const char * propq)456 static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
457 OSSL_LIB_CTX *libctx, const char *propq)
458 {
459 if (data->object_type == OSSL_OBJECT_UNKNOWN
460 || data->object_type == OSSL_OBJECT_CERT) {
461 /*
462 * In most cases, we can try to interpret the serialized
463 * data as a trusted cert (X509 + X509_AUX) and fall back
464 * to reading it as a normal cert (just X509), but if
465 * |data_type| (the PEM name) specifically declares it as a
466 * trusted cert, then no fallback should be engaged.
467 * |ignore_trusted| tells if the fallback can be used (1)
468 * or not (0).
469 */
470 int ignore_trusted = 1;
471 X509 *cert = X509_new_ex(libctx, propq);
472
473 if (cert == NULL)
474 return 0;
475
476 /* If we have a data type, it should be a PEM name */
477 if (data->data_type != NULL
478 && (OPENSSL_strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
479 ignore_trusted = 0;
480
481 if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data,
482 data->octet_data_size) == NULL
483 && (!ignore_trusted
484 || d2i_X509(&cert, (const unsigned char **)&data->octet_data,
485 data->octet_data_size) == NULL)) {
486 X509_free(cert);
487 cert = NULL;
488 }
489
490 if (cert != NULL) {
491 /* We determined the object type */
492 data->object_type = OSSL_OBJECT_CERT;
493 *v = OSSL_STORE_INFO_new_CERT(cert);
494 if (*v == NULL)
495 X509_free(cert);
496 }
497 }
498
499 return 1;
500 }
501
try_crl(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_LIB_CTX * libctx,const char * propq)502 static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
503 OSSL_LIB_CTX *libctx, const char *propq)
504 {
505 if (data->object_type == OSSL_OBJECT_UNKNOWN
506 || data->object_type == OSSL_OBJECT_CRL) {
507 X509_CRL *crl;
508
509 crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
510 data->octet_data_size);
511
512 if (crl != NULL)
513 /* We determined the object type */
514 data->object_type = OSSL_OBJECT_CRL;
515
516 if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
517 X509_CRL_free(crl);
518 crl = NULL;
519 }
520
521 if (crl != NULL)
522 *v = OSSL_STORE_INFO_new_CRL(crl);
523 if (*v == NULL)
524 X509_CRL_free(crl);
525 }
526
527 return 1;
528 }
529
try_pkcs12(struct extracted_param_data_st * data,OSSL_STORE_INFO ** v,OSSL_STORE_CTX * ctx,OSSL_LIB_CTX * libctx,const char * propq)530 static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
531 OSSL_STORE_CTX *ctx,
532 OSSL_LIB_CTX *libctx, const char *propq)
533 {
534 int ok = 1;
535
536 /* There is no specific object type for PKCS12 */
537 if (data->object_type == OSSL_OBJECT_UNKNOWN) {
538 /* Initial parsing */
539 PKCS12 *p12;
540
541 p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
542 data->octet_data_size);
543
544 if (p12 != NULL) {
545 char *pass = NULL;
546 char tpass[PEM_BUFSIZE + 1];
547 size_t tpass_len;
548 EVP_PKEY *pkey = NULL;
549 X509 *cert = NULL;
550 STACK_OF(X509) *chain = NULL;
551
552 data->object_type = OSSL_OBJECT_PKCS12;
553
554 ok = 0; /* Assume decryption or parse error */
555
556 if (!PKCS12_mac_present(p12)
557 || PKCS12_verify_mac(p12, NULL, 0)) {
558 pass = NULL;
559 } else if (PKCS12_verify_mac(p12, "", 0)) {
560 pass = "";
561 } else {
562 static char prompt_info[] = "PKCS12 import pass phrase";
563 OSSL_PARAM pw_params[] = {
564 OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
565 prompt_info,
566 sizeof(prompt_info) - 1),
567 OSSL_PARAM_END
568 };
569
570 if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1,
571 &tpass_len,
572 pw_params, 0, &ctx->pwdata)) {
573 ERR_raise(ERR_LIB_OSSL_STORE,
574 OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
575 goto p12_end;
576 }
577 pass = tpass;
578 /*
579 * ossl_pw_get_passphrase() does not NUL terminate but
580 * we must do it for PKCS12_parse()
581 */
582 pass[tpass_len] = '\0';
583 if (!PKCS12_verify_mac(p12, pass, tpass_len)) {
584 ERR_raise_data(ERR_LIB_OSSL_STORE,
585 OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC,
586 tpass_len == 0 ? "empty password" :
587 "maybe wrong password");
588 goto p12_end;
589 }
590 }
591
592 if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
593 STACK_OF(OSSL_STORE_INFO) *infos = NULL;
594 OSSL_STORE_INFO *osi_pkey = NULL;
595 OSSL_STORE_INFO *osi_cert = NULL;
596 OSSL_STORE_INFO *osi_ca = NULL;
597
598 ok = 1; /* Parsing went through correctly! */
599
600 if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
601 if (pkey != NULL) {
602 if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
603 /* clearing pkey here avoids case distinctions */
604 && (pkey = NULL) == NULL
605 && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
606 osi_pkey = NULL;
607 else
608 ok = 0;
609 }
610 if (ok && cert != NULL) {
611 if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
612 /* clearing cert here avoids case distinctions */
613 && (cert = NULL) == NULL
614 && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
615 osi_cert = NULL;
616 else
617 ok = 0;
618 }
619 while (ok && sk_X509_num(chain) > 0) {
620 X509 *ca = sk_X509_value(chain, 0);
621
622 if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
623 && sk_X509_shift(chain) != NULL
624 && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
625 osi_ca = NULL;
626 else
627 ok = 0;
628 }
629 }
630 EVP_PKEY_free(pkey);
631 X509_free(cert);
632 OSSL_STACK_OF_X509_free(chain);
633 OSSL_STORE_INFO_free(osi_pkey);
634 OSSL_STORE_INFO_free(osi_cert);
635 OSSL_STORE_INFO_free(osi_ca);
636 if (!ok) {
637 sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
638 infos = NULL;
639 }
640 ctx->cached_info = infos;
641 }
642 p12_end:
643 OPENSSL_cleanse(tpass, sizeof(tpass));
644 PKCS12_free(p12);
645 }
646 *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
647 }
648
649 return ok;
650 }
651