2 * Public Key layer for parsing key files and structures
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
25 #include MBEDTLS_CONFIG_FILE
28 #if defined(MBEDTLS_PK_PARSE_C)
30 #include "mbedtls/pk.h"
31 #include "mbedtls/asn1.h"
32 #include "mbedtls/oid.h"
36 #if defined(MBEDTLS_RSA_C)
37 #include "mbedtls/rsa.h"
39 #if defined(MBEDTLS_ECP_C)
40 #include "mbedtls/ecp.h"
42 #if defined(MBEDTLS_ECDSA_C)
43 #include "mbedtls/ecdsa.h"
45 #if defined(MBEDTLS_PEM_PARSE_C)
46 #include "mbedtls/pem.h"
48 #if defined(MBEDTLS_PKCS5_C)
49 #include "mbedtls/pkcs5.h"
51 #if defined(MBEDTLS_PKCS12_C)
52 #include "mbedtls/pkcs12.h"
55 #if defined(MBEDTLS_PLATFORM_C)
56 #include "mbedtls/platform.h"
59 #define mbedtls_calloc calloc
60 #define mbedtls_free free
63 #if defined(MBEDTLS_FS_IO)
64 /* Implementation that should never be optimized out by the compiler */
65 static void mbedtls_zeroize( void *v
, size_t n
) {
66 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
70 * Load all data from a file into a given buffer.
72 * The file is expected to contain either PEM or DER encoded data.
73 * A terminating null byte is always appended. It is included in the announced
74 * length only if the data looks like it is PEM encoded.
76 int mbedtls_pk_load_file( const char *path
, unsigned char **buf
, size_t *n
)
81 if( ( f
= fopen( path
, "rb" ) ) == NULL
)
82 return( MBEDTLS_ERR_PK_FILE_IO_ERROR
);
84 fseek( f
, 0, SEEK_END
);
85 if( ( size
= ftell( f
) ) == -1 )
88 return( MBEDTLS_ERR_PK_FILE_IO_ERROR
);
90 fseek( f
, 0, SEEK_SET
);
95 ( *buf
= mbedtls_calloc( 1, *n
+ 1 ) ) == NULL
)
98 return( MBEDTLS_ERR_PK_ALLOC_FAILED
);
101 if( fread( *buf
, 1, *n
, f
) != *n
)
104 mbedtls_free( *buf
);
105 return( MBEDTLS_ERR_PK_FILE_IO_ERROR
);
112 if( strstr( (const char *) *buf
, "-----BEGIN " ) != NULL
)
119 * Load and parse a private key
121 int mbedtls_pk_parse_keyfile( mbedtls_pk_context
*ctx
,
122 const char *path
, const char *pwd
)
128 if( ( ret
= mbedtls_pk_load_file( path
, &buf
, &n
) ) != 0 )
132 ret
= mbedtls_pk_parse_key( ctx
, buf
, n
, NULL
, 0 );
134 ret
= mbedtls_pk_parse_key( ctx
, buf
, n
,
135 (const unsigned char *) pwd
, strlen( pwd
) );
137 mbedtls_zeroize( buf
, n
);
144 * Load and parse a public key
146 int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context
*ctx
, const char *path
)
152 if( ( ret
= mbedtls_pk_load_file( path
, &buf
, &n
) ) != 0 )
155 ret
= mbedtls_pk_parse_public_key( ctx
, buf
, n
);
157 mbedtls_zeroize( buf
, n
);
162 #endif /* MBEDTLS_FS_IO */
164 #if defined(MBEDTLS_ECP_C)
165 /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
167 * ECParameters ::= CHOICE {
168 * namedCurve OBJECT IDENTIFIER
169 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
170 * -- implicitCurve NULL
173 static int pk_get_ecparams( unsigned char **p
, const unsigned char *end
,
174 mbedtls_asn1_buf
*params
)
178 /* Tag may be either OID or SEQUENCE */
180 if( params
->tag
!= MBEDTLS_ASN1_OID
181 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
182 && params
->tag
!= ( MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
)
186 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
187 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
);
190 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, ¶ms
->len
, params
->tag
) ) != 0 )
192 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
199 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
200 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
205 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
207 * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
208 * WARNING: the resulting group should only be used with
209 * pk_group_id_from_specified(), since its base point may not be set correctly
210 * if it was encoded compressed.
212 * SpecifiedECDomain ::= SEQUENCE {
213 * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
214 * fieldID FieldID {{FieldTypes}},
218 * cofactor INTEGER OPTIONAL,
219 * hash HashAlgorithm OPTIONAL,
223 * We only support prime-field as field type, and ignore hash and cofactor.
225 static int pk_group_from_specified( const mbedtls_asn1_buf
*params
, mbedtls_ecp_group
*grp
)
228 unsigned char *p
= params
->p
;
229 const unsigned char * const end
= params
->p
+ params
->len
;
230 const unsigned char *end_field
, *end_curve
;
234 /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
235 if( ( ret
= mbedtls_asn1_get_int( &p
, end
, &ver
) ) != 0 )
236 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
238 if( ver
< 1 || ver
> 3 )
239 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
);
242 * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
243 * fieldType FIELD-ID.&id({IOSet}),
244 * parameters FIELD-ID.&Type({IOSet}{@fieldType})
247 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
248 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
254 * FIELD-ID ::= TYPE-IDENTIFIER
255 * FieldTypes FIELD-ID ::= {
256 * { Prime-p IDENTIFIED BY prime-field } |
257 * { Characteristic-two IDENTIFIED BY characteristic-two-field }
259 * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
261 if( ( ret
= mbedtls_asn1_get_tag( &p
, end_field
, &len
, MBEDTLS_ASN1_OID
) ) != 0 )
264 if( len
!= MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
) ||
265 memcmp( p
, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
, len
) != 0 )
267 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
);
272 /* Prime-p ::= INTEGER -- Field of size p. */
273 if( ( ret
= mbedtls_asn1_get_mpi( &p
, end_field
, &grp
->P
) ) != 0 )
274 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
276 grp
->pbits
= mbedtls_mpi_bitlen( &grp
->P
);
279 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
280 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
283 * Curve ::= SEQUENCE {
286 * seed BIT STRING OPTIONAL
287 * -- Shall be present if used in SpecifiedECDomain
288 * -- with version equal to ecdpVer2 or ecdpVer3
291 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
292 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
298 * FieldElement ::= OCTET STRING
299 * containing an integer in the case of a prime field
301 if( ( ret
= mbedtls_asn1_get_tag( &p
, end_curve
, &len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 ||
302 ( ret
= mbedtls_mpi_read_binary( &grp
->A
, p
, len
) ) != 0 )
304 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
309 if( ( ret
= mbedtls_asn1_get_tag( &p
, end_curve
, &len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 ||
310 ( ret
= mbedtls_mpi_read_binary( &grp
->B
, p
, len
) ) != 0 )
312 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
317 /* Ignore seed BIT STRING OPTIONAL */
318 if( ( ret
= mbedtls_asn1_get_tag( &p
, end_curve
, &len
, MBEDTLS_ASN1_BIT_STRING
) ) == 0 )
322 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
323 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
326 * ECPoint ::= OCTET STRING
328 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 )
329 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
331 if( ( ret
= mbedtls_ecp_point_read_binary( grp
, &grp
->G
,
332 ( const unsigned char *) p
, len
) ) != 0 )
335 * If we can't read the point because it's compressed, cheat by
336 * reading only the X coordinate and the parity bit of Y.
338 if( ret
!= MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
||
339 ( p
[0] != 0x02 && p
[0] != 0x03 ) ||
340 len
!= mbedtls_mpi_size( &grp
->P
) + 1 ||
341 mbedtls_mpi_read_binary( &grp
->G
.X
, p
+ 1, len
- 1 ) != 0 ||
342 mbedtls_mpi_lset( &grp
->G
.Y
, p
[0] - 2 ) != 0 ||
343 mbedtls_mpi_lset( &grp
->G
.Z
, 1 ) != 0 )
345 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
);
354 if( ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &grp
->N
) ) != 0 )
355 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
357 grp
->nbits
= mbedtls_mpi_bitlen( &grp
->N
);
360 * Allow optional elements by purposefully not enforcing p == end here.
367 * Find the group id associated with an (almost filled) group as generated by
368 * pk_group_from_specified(), or return an error if unknown.
370 static int pk_group_id_from_group( const mbedtls_ecp_group
*grp
, mbedtls_ecp_group_id
*grp_id
)
373 mbedtls_ecp_group ref
;
374 const mbedtls_ecp_group_id
*id
;
376 mbedtls_ecp_group_init( &ref
);
378 for( id
= mbedtls_ecp_grp_id_list(); *id
!= MBEDTLS_ECP_DP_NONE
; id
++ )
380 /* Load the group associated to that id */
381 mbedtls_ecp_group_free( &ref
);
382 MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref
, *id
) );
384 /* Compare to the group we were given, starting with easy tests */
385 if( grp
->pbits
== ref
.pbits
&& grp
->nbits
== ref
.nbits
&&
386 mbedtls_mpi_cmp_mpi( &grp
->P
, &ref
.P
) == 0 &&
387 mbedtls_mpi_cmp_mpi( &grp
->A
, &ref
.A
) == 0 &&
388 mbedtls_mpi_cmp_mpi( &grp
->B
, &ref
.B
) == 0 &&
389 mbedtls_mpi_cmp_mpi( &grp
->N
, &ref
.N
) == 0 &&
390 mbedtls_mpi_cmp_mpi( &grp
->G
.X
, &ref
.G
.X
) == 0 &&
391 mbedtls_mpi_cmp_mpi( &grp
->G
.Z
, &ref
.G
.Z
) == 0 &&
392 /* For Y we may only know the parity bit, so compare only that */
393 mbedtls_mpi_get_bit( &grp
->G
.Y
, 0 ) == mbedtls_mpi_get_bit( &ref
.G
.Y
, 0 ) )
401 mbedtls_ecp_group_free( &ref
);
405 if( ret
== 0 && *id
== MBEDTLS_ECP_DP_NONE
)
406 ret
= MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
;
412 * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
414 static int pk_group_id_from_specified( const mbedtls_asn1_buf
*params
,
415 mbedtls_ecp_group_id
*grp_id
)
418 mbedtls_ecp_group grp
;
420 mbedtls_ecp_group_init( &grp
);
422 if( ( ret
= pk_group_from_specified( params
, &grp
) ) != 0 )
425 ret
= pk_group_id_from_group( &grp
, grp_id
);
428 mbedtls_ecp_group_free( &grp
);
432 #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
435 * Use EC parameters to initialise an EC group
437 * ECParameters ::= CHOICE {
438 * namedCurve OBJECT IDENTIFIER
439 * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
440 * -- implicitCurve NULL
442 static int pk_use_ecparams( const mbedtls_asn1_buf
*params
, mbedtls_ecp_group
*grp
)
445 mbedtls_ecp_group_id grp_id
;
447 if( params
->tag
== MBEDTLS_ASN1_OID
)
449 if( mbedtls_oid_get_ec_grp( params
, &grp_id
) != 0 )
450 return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
);
454 #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
455 if( ( ret
= pk_group_id_from_specified( params
, &grp_id
) ) != 0 )
458 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
);
463 * grp may already be initilialized; if so, make sure IDs match
465 if( grp
->id
!= MBEDTLS_ECP_DP_NONE
&& grp
->id
!= grp_id
)
466 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
);
468 if( ( ret
= mbedtls_ecp_group_load( grp
, grp_id
) ) != 0 )
475 * EC public key is an EC point
477 * The caller is responsible for clearing the structure upon failure if
478 * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
479 * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
481 static int pk_get_ecpubkey( unsigned char **p
, const unsigned char *end
,
482 mbedtls_ecp_keypair
*key
)
486 if( ( ret
= mbedtls_ecp_point_read_binary( &key
->grp
, &key
->Q
,
487 (const unsigned char *) *p
, end
- *p
) ) == 0 )
489 ret
= mbedtls_ecp_check_pubkey( &key
->grp
, &key
->Q
);
493 * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
495 *p
= (unsigned char *) end
;
499 #endif /* MBEDTLS_ECP_C */
501 #if defined(MBEDTLS_RSA_C)
503 * RSAPublicKey ::= SEQUENCE {
504 * modulus INTEGER, -- n
505 * publicExponent INTEGER -- e
508 static int pk_get_rsapubkey( unsigned char **p
,
509 const unsigned char *end
,
510 mbedtls_rsa_context
*rsa
)
515 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &len
,
516 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
517 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
+ ret
);
519 if( *p
+ len
!= end
)
520 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
+
521 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
523 if( ( ret
= mbedtls_asn1_get_mpi( p
, end
, &rsa
->N
) ) != 0 ||
524 ( ret
= mbedtls_asn1_get_mpi( p
, end
, &rsa
->E
) ) != 0 )
525 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
+ ret
);
528 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
+
529 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
531 if( ( ret
= mbedtls_rsa_check_pubkey( rsa
) ) != 0 )
532 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
);
534 rsa
->len
= mbedtls_mpi_size( &rsa
->N
);
538 #endif /* MBEDTLS_RSA_C */
540 /* Get a PK algorithm identifier
542 * AlgorithmIdentifier ::= SEQUENCE {
543 * algorithm OBJECT IDENTIFIER,
544 * parameters ANY DEFINED BY algorithm OPTIONAL }
546 static int pk_get_pk_alg( unsigned char **p
,
547 const unsigned char *end
,
548 mbedtls_pk_type_t
*pk_alg
, mbedtls_asn1_buf
*params
)
551 mbedtls_asn1_buf alg_oid
;
553 memset( params
, 0, sizeof(mbedtls_asn1_buf
) );
555 if( ( ret
= mbedtls_asn1_get_alg( p
, end
, &alg_oid
, params
) ) != 0 )
556 return( MBEDTLS_ERR_PK_INVALID_ALG
+ ret
);
558 if( mbedtls_oid_get_pk_alg( &alg_oid
, pk_alg
) != 0 )
559 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
562 * No parameters with RSA (only for EC)
564 if( *pk_alg
== MBEDTLS_PK_RSA
&&
565 ( ( params
->tag
!= MBEDTLS_ASN1_NULL
&& params
->tag
!= 0 ) ||
568 return( MBEDTLS_ERR_PK_INVALID_ALG
);
575 * SubjectPublicKeyInfo ::= SEQUENCE {
576 * algorithm AlgorithmIdentifier,
577 * subjectPublicKey BIT STRING }
579 int mbedtls_pk_parse_subpubkey( unsigned char **p
, const unsigned char *end
,
580 mbedtls_pk_context
*pk
)
584 mbedtls_asn1_buf alg_params
;
585 mbedtls_pk_type_t pk_alg
= MBEDTLS_PK_NONE
;
586 const mbedtls_pk_info_t
*pk_info
;
588 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &len
,
589 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
591 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
596 if( ( ret
= pk_get_pk_alg( p
, end
, &pk_alg
, &alg_params
) ) != 0 )
599 if( ( ret
= mbedtls_asn1_get_bitstring_null( p
, end
, &len
) ) != 0 )
600 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
+ ret
);
602 if( *p
+ len
!= end
)
603 return( MBEDTLS_ERR_PK_INVALID_PUBKEY
+
604 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
606 if( ( pk_info
= mbedtls_pk_info_from_type( pk_alg
) ) == NULL
)
607 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
609 if( ( ret
= mbedtls_pk_setup( pk
, pk_info
) ) != 0 )
612 #if defined(MBEDTLS_RSA_C)
613 if( pk_alg
== MBEDTLS_PK_RSA
)
615 ret
= pk_get_rsapubkey( p
, end
, mbedtls_pk_rsa( *pk
) );
617 #endif /* MBEDTLS_RSA_C */
618 #if defined(MBEDTLS_ECP_C)
619 if( pk_alg
== MBEDTLS_PK_ECKEY_DH
|| pk_alg
== MBEDTLS_PK_ECKEY
)
621 ret
= pk_use_ecparams( &alg_params
, &mbedtls_pk_ec( *pk
)->grp
);
623 ret
= pk_get_ecpubkey( p
, end
, mbedtls_pk_ec( *pk
) );
625 #endif /* MBEDTLS_ECP_C */
626 ret
= MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
;
628 if( ret
== 0 && *p
!= end
)
629 ret
= MBEDTLS_ERR_PK_INVALID_PUBKEY
630 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
;
633 mbedtls_pk_free( pk
);
638 #if defined(MBEDTLS_RSA_C)
640 * Parse a PKCS#1 encoded private RSA key
642 static int pk_parse_key_pkcs1_der( mbedtls_rsa_context
*rsa
,
643 const unsigned char *key
,
648 unsigned char *p
, *end
;
650 p
= (unsigned char *) key
;
654 * This function parses the RSAPrivateKey (PKCS#1)
656 * RSAPrivateKey ::= SEQUENCE {
658 * modulus INTEGER, -- n
659 * publicExponent INTEGER, -- e
660 * privateExponent INTEGER, -- d
661 * prime1 INTEGER, -- p
662 * prime2 INTEGER, -- q
663 * exponent1 INTEGER, -- d mod (p-1)
664 * exponent2 INTEGER, -- d mod (q-1)
665 * coefficient INTEGER, -- (inverse of q) mod p
666 * otherPrimeInfos OtherPrimeInfos OPTIONAL
669 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
670 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
672 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
677 if( ( ret
= mbedtls_asn1_get_int( &p
, end
, &rsa
->ver
) ) != 0 )
679 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
684 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION
);
687 if( ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->N
) ) != 0 ||
688 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->E
) ) != 0 ||
689 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->D
) ) != 0 ||
690 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->P
) ) != 0 ||
691 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->Q
) ) != 0 ||
692 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->DP
) ) != 0 ||
693 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->DQ
) ) != 0 ||
694 ( ret
= mbedtls_asn1_get_mpi( &p
, end
, &rsa
->QP
) ) != 0 )
696 mbedtls_rsa_free( rsa
);
697 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
700 rsa
->len
= mbedtls_mpi_size( &rsa
->N
);
704 mbedtls_rsa_free( rsa
);
705 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
706 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
709 if( ( ret
= mbedtls_rsa_check_privkey( rsa
) ) != 0 )
711 mbedtls_rsa_free( rsa
);
717 #endif /* MBEDTLS_RSA_C */
719 #if defined(MBEDTLS_ECP_C)
721 * Parse a SEC1 encoded private EC key
723 static int pk_parse_key_sec1_der( mbedtls_ecp_keypair
*eck
,
724 const unsigned char *key
,
728 int version
, pubkey_done
;
730 mbedtls_asn1_buf params
;
731 unsigned char *p
= (unsigned char *) key
;
732 unsigned char *end
= p
+ keylen
;
736 * RFC 5915, or SEC1 Appendix C.4
738 * ECPrivateKey ::= SEQUENCE {
739 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
740 * privateKey OCTET STRING,
741 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
742 * publicKey [1] BIT STRING OPTIONAL
745 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
746 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
748 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
753 if( ( ret
= mbedtls_asn1_get_int( &p
, end
, &version
) ) != 0 )
754 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
757 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION
);
759 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 )
760 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
762 if( ( ret
= mbedtls_mpi_read_binary( &eck
->d
, p
, len
) ) != 0 )
764 mbedtls_ecp_keypair_free( eck
);
765 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
774 * Is 'parameters' present?
776 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
777 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| 0 ) ) == 0 )
779 if( ( ret
= pk_get_ecparams( &p
, p
+ len
, ¶ms
) ) != 0 ||
780 ( ret
= pk_use_ecparams( ¶ms
, &eck
->grp
) ) != 0 )
782 mbedtls_ecp_keypair_free( eck
);
786 else if( ret
!= MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
)
788 mbedtls_ecp_keypair_free( eck
);
789 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
793 * Is 'publickey' present? If not, or if we can't read it (eg because it
794 * is compressed), create it from the private key.
796 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
797 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| 1 ) ) == 0 )
801 if( ( ret
= mbedtls_asn1_get_bitstring_null( &p
, end2
, &len
) ) != 0 )
802 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
804 if( p
+ len
!= end2
)
805 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
806 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
808 if( ( ret
= pk_get_ecpubkey( &p
, end2
, eck
) ) == 0 )
813 * The only acceptable failure mode of pk_get_ecpubkey() above
814 * is if the point format is not recognized.
816 if( ret
!= MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
)
817 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
);
820 else if( ret
!= MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
)
822 mbedtls_ecp_keypair_free( eck
);
823 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
828 ( ret
= mbedtls_ecp_mul( &eck
->grp
, &eck
->Q
, &eck
->d
, &eck
->grp
.G
,
829 NULL
, NULL
) ) != 0 )
831 mbedtls_ecp_keypair_free( eck
);
832 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
835 if( ( ret
= mbedtls_ecp_check_privkey( &eck
->grp
, &eck
->d
) ) != 0 )
837 mbedtls_ecp_keypair_free( eck
);
843 #endif /* MBEDTLS_ECP_C */
846 * Parse an unencrypted PKCS#8 encoded private key
848 static int pk_parse_key_pkcs8_unencrypted_der(
849 mbedtls_pk_context
*pk
,
850 const unsigned char* key
,
855 mbedtls_asn1_buf params
;
856 unsigned char *p
= (unsigned char *) key
;
857 unsigned char *end
= p
+ keylen
;
858 mbedtls_pk_type_t pk_alg
= MBEDTLS_PK_NONE
;
859 const mbedtls_pk_info_t
*pk_info
;
862 * This function parses the PrivatKeyInfo object (PKCS#8 v1.2 = RFC 5208)
864 * PrivateKeyInfo ::= SEQUENCE {
866 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
867 * privateKey PrivateKey,
868 * attributes [0] IMPLICIT Attributes OPTIONAL }
870 * Version ::= INTEGER
871 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
872 * PrivateKey ::= OCTET STRING
874 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
877 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
878 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
880 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
885 if( ( ret
= mbedtls_asn1_get_int( &p
, end
, &version
) ) != 0 )
886 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
889 return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION
+ ret
);
891 if( ( ret
= pk_get_pk_alg( &p
, end
, &pk_alg
, ¶ms
) ) != 0 )
892 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
894 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 )
895 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
898 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
899 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
901 if( ( pk_info
= mbedtls_pk_info_from_type( pk_alg
) ) == NULL
)
902 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
904 if( ( ret
= mbedtls_pk_setup( pk
, pk_info
) ) != 0 )
907 #if defined(MBEDTLS_RSA_C)
908 if( pk_alg
== MBEDTLS_PK_RSA
)
910 if( ( ret
= pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk
), p
, len
) ) != 0 )
912 mbedtls_pk_free( pk
);
916 #endif /* MBEDTLS_RSA_C */
917 #if defined(MBEDTLS_ECP_C)
918 if( pk_alg
== MBEDTLS_PK_ECKEY
|| pk_alg
== MBEDTLS_PK_ECKEY_DH
)
920 if( ( ret
= pk_use_ecparams( ¶ms
, &mbedtls_pk_ec( *pk
)->grp
) ) != 0 ||
921 ( ret
= pk_parse_key_sec1_der( mbedtls_pk_ec( *pk
), p
, len
) ) != 0 )
923 mbedtls_pk_free( pk
);
927 #endif /* MBEDTLS_ECP_C */
928 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
934 * Parse an encrypted PKCS#8 encoded private key
936 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
937 static int pk_parse_key_pkcs8_encrypted_der(
938 mbedtls_pk_context
*pk
,
939 const unsigned char *key
, size_t keylen
,
940 const unsigned char *pwd
, size_t pwdlen
)
942 int ret
, decrypted
= 0;
944 unsigned char buf
[2048];
945 unsigned char *p
, *end
;
946 mbedtls_asn1_buf pbe_alg_oid
, pbe_params
;
947 #if defined(MBEDTLS_PKCS12_C)
948 mbedtls_cipher_type_t cipher_alg
;
949 mbedtls_md_type_t md_alg
;
952 memset( buf
, 0, sizeof( buf
) );
954 p
= (unsigned char *) key
;
958 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED
);
961 * This function parses the EncryptedPrivatKeyInfo object (PKCS#8)
963 * EncryptedPrivateKeyInfo ::= SEQUENCE {
964 * encryptionAlgorithm EncryptionAlgorithmIdentifier,
965 * encryptedData EncryptedData
968 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
970 * EncryptedData ::= OCTET STRING
972 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
974 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
975 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
977 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
982 if( ( ret
= mbedtls_asn1_get_alg( &p
, end
, &pbe_alg_oid
, &pbe_params
) ) != 0 )
983 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
985 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 )
986 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+ ret
);
988 if( len
> sizeof( buf
) )
989 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA
);
992 * Decrypt EncryptedData with appropriate PDE
994 #if defined(MBEDTLS_PKCS12_C)
995 if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid
, &md_alg
, &cipher_alg
) == 0 )
997 if( ( ret
= mbedtls_pkcs12_pbe( &pbe_params
, MBEDTLS_PKCS12_PBE_DECRYPT
,
999 pwd
, pwdlen
, p
, len
, buf
) ) != 0 )
1001 if( ret
== MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH
)
1002 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH
);
1009 else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128
, &pbe_alg_oid
) == 0 )
1011 if( ( ret
= mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params
,
1012 MBEDTLS_PKCS12_PBE_DECRYPT
,
1014 p
, len
, buf
) ) != 0 )
1019 // Best guess for password mismatch when using RC4. If first tag is
1020 // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
1022 if( *buf
!= ( MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) )
1023 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH
);
1028 #endif /* MBEDTLS_PKCS12_C */
1029 #if defined(MBEDTLS_PKCS5_C)
1030 if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2
, &pbe_alg_oid
) == 0 )
1032 if( ( ret
= mbedtls_pkcs5_pbes2( &pbe_params
, MBEDTLS_PKCS5_DECRYPT
, pwd
, pwdlen
,
1033 p
, len
, buf
) ) != 0 )
1035 if( ret
== MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH
)
1036 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH
);
1044 #endif /* MBEDTLS_PKCS5_C */
1049 if( decrypted
== 0 )
1050 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
);
1052 return( pk_parse_key_pkcs8_unencrypted_der( pk
, buf
, len
) );
1054 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1057 * Parse a private key
1059 int mbedtls_pk_parse_key( mbedtls_pk_context
*pk
,
1060 const unsigned char *key
, size_t keylen
,
1061 const unsigned char *pwd
, size_t pwdlen
)
1064 const mbedtls_pk_info_t
*pk_info
;
1066 #if defined(MBEDTLS_PEM_PARSE_C)
1068 mbedtls_pem_context pem
;
1070 mbedtls_pem_init( &pem
);
1072 #if defined(MBEDTLS_RSA_C)
1073 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1074 if( keylen
== 0 || key
[keylen
- 1] != '\0' )
1075 ret
= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
;
1077 ret
= mbedtls_pem_read_buffer( &pem
,
1078 "-----BEGIN RSA PRIVATE KEY-----",
1079 "-----END RSA PRIVATE KEY-----",
1080 key
, pwd
, pwdlen
, &len
);
1084 if( ( pk_info
= mbedtls_pk_info_from_type( MBEDTLS_PK_RSA
) ) == NULL
)
1085 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
1087 if( ( ret
= mbedtls_pk_setup( pk
, pk_info
) ) != 0 ||
1088 ( ret
= pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk
),
1089 pem
.buf
, pem
.buflen
) ) != 0 )
1091 mbedtls_pk_free( pk
);
1094 mbedtls_pem_free( &pem
);
1097 else if( ret
== MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
)
1098 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH
);
1099 else if( ret
== MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
)
1100 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED
);
1101 else if( ret
!= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
)
1103 #endif /* MBEDTLS_RSA_C */
1105 #if defined(MBEDTLS_ECP_C)
1106 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1107 if( keylen
== 0 || key
[keylen
- 1] != '\0' )
1108 ret
= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
;
1110 ret
= mbedtls_pem_read_buffer( &pem
,
1111 "-----BEGIN EC PRIVATE KEY-----",
1112 "-----END EC PRIVATE KEY-----",
1113 key
, pwd
, pwdlen
, &len
);
1116 if( ( pk_info
= mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY
) ) == NULL
)
1117 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
1119 if( ( ret
= mbedtls_pk_setup( pk
, pk_info
) ) != 0 ||
1120 ( ret
= pk_parse_key_sec1_der( mbedtls_pk_ec( *pk
),
1121 pem
.buf
, pem
.buflen
) ) != 0 )
1123 mbedtls_pk_free( pk
);
1126 mbedtls_pem_free( &pem
);
1129 else if( ret
== MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
)
1130 return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH
);
1131 else if( ret
== MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
)
1132 return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED
);
1133 else if( ret
!= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
)
1135 #endif /* MBEDTLS_ECP_C */
1137 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1138 if( keylen
== 0 || key
[keylen
- 1] != '\0' )
1139 ret
= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
;
1141 ret
= mbedtls_pem_read_buffer( &pem
,
1142 "-----BEGIN PRIVATE KEY-----",
1143 "-----END PRIVATE KEY-----",
1144 key
, NULL
, 0, &len
);
1147 if( ( ret
= pk_parse_key_pkcs8_unencrypted_der( pk
,
1148 pem
.buf
, pem
.buflen
) ) != 0 )
1150 mbedtls_pk_free( pk
);
1153 mbedtls_pem_free( &pem
);
1156 else if( ret
!= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
)
1159 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1160 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1161 if( keylen
== 0 || key
[keylen
- 1] != '\0' )
1162 ret
= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
;
1164 ret
= mbedtls_pem_read_buffer( &pem
,
1165 "-----BEGIN ENCRYPTED PRIVATE KEY-----",
1166 "-----END ENCRYPTED PRIVATE KEY-----",
1167 key
, NULL
, 0, &len
);
1170 if( ( ret
= pk_parse_key_pkcs8_encrypted_der( pk
,
1171 pem
.buf
, pem
.buflen
,
1172 pwd
, pwdlen
) ) != 0 )
1174 mbedtls_pk_free( pk
);
1177 mbedtls_pem_free( &pem
);
1180 else if( ret
!= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
)
1182 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1187 #endif /* MBEDTLS_PEM_PARSE_C */
1190 * At this point we only know it's not a PEM formatted key. Could be any
1191 * of the known DER encoded private key formats
1193 * We try the different DER format parsers to see if one passes without
1196 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
1197 if( ( ret
= pk_parse_key_pkcs8_encrypted_der( pk
, key
, keylen
,
1198 pwd
, pwdlen
) ) == 0 )
1203 mbedtls_pk_free( pk
);
1205 if( ret
== MBEDTLS_ERR_PK_PASSWORD_MISMATCH
)
1209 #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
1211 if( ( ret
= pk_parse_key_pkcs8_unencrypted_der( pk
, key
, keylen
) ) == 0 )
1214 mbedtls_pk_free( pk
);
1216 #if defined(MBEDTLS_RSA_C)
1217 if( ( pk_info
= mbedtls_pk_info_from_type( MBEDTLS_PK_RSA
) ) == NULL
)
1218 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
1220 if( ( ret
= mbedtls_pk_setup( pk
, pk_info
) ) != 0 ||
1221 ( ret
= pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk
), key
, keylen
) ) == 0 )
1226 mbedtls_pk_free( pk
);
1227 #endif /* MBEDTLS_RSA_C */
1229 #if defined(MBEDTLS_ECP_C)
1230 if( ( pk_info
= mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY
) ) == NULL
)
1231 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
);
1233 if( ( ret
= mbedtls_pk_setup( pk
, pk_info
) ) != 0 ||
1234 ( ret
= pk_parse_key_sec1_der( mbedtls_pk_ec( *pk
), key
, keylen
) ) == 0 )
1239 mbedtls_pk_free( pk
);
1240 #endif /* MBEDTLS_ECP_C */
1242 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
);
1246 * Parse a public key
1248 int mbedtls_pk_parse_public_key( mbedtls_pk_context
*ctx
,
1249 const unsigned char *key
, size_t keylen
)
1253 #if defined(MBEDTLS_PEM_PARSE_C)
1255 mbedtls_pem_context pem
;
1257 mbedtls_pem_init( &pem
);
1259 /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
1260 if( keylen
== 0 || key
[keylen
- 1] != '\0' )
1261 ret
= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
;
1263 ret
= mbedtls_pem_read_buffer( &pem
,
1264 "-----BEGIN PUBLIC KEY-----",
1265 "-----END PUBLIC KEY-----",
1266 key
, NULL
, 0, &len
);
1274 keylen
= pem
.buflen
;
1276 else if( ret
!= MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
)
1278 mbedtls_pem_free( &pem
);
1281 #endif /* MBEDTLS_PEM_PARSE_C */
1282 p
= (unsigned char *) key
;
1284 ret
= mbedtls_pk_parse_subpubkey( &p
, p
+ keylen
, ctx
);
1286 #if defined(MBEDTLS_PEM_PARSE_C)
1287 mbedtls_pem_free( &pem
);
1293 #endif /* MBEDTLS_PK_PARSE_C */