The branch master has been updated via d85722d31ac9ff0dc54c06cdc8d125acf56ca27a (commit) via 751148e2b0d1048522d754d55319166435cdda86 (commit) from 5e006082199e9a0f37ba35116ff217bc643dd317 (commit)
- Log ----------------------------------------------------------------- commit d85722d31ac9ff0dc54c06cdc8d125acf56ca27a Author: Richard Levitte <levi...@openssl.org> Date: Fri Oct 27 22:42:04 2017 +0200 EVP_PKEY_asn1_add0(): Check that this method isn't already registered No two public key ASN.1 methods with the same pkey_id can be registered at the same time. Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4596) commit 751148e2b0d1048522d754d55319166435cdda86 Author: Richard Levitte <levi...@openssl.org> Date: Fri Oct 27 00:11:11 2017 +0200 Document EVP_PKEY_ASN1_METHOD and associated functions [skip ci] Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4596) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/ameth_lib.c | 5 + doc/man3/EVP_PKEY_ASN1_METHOD.pod | 369 +++++++++++++++++++++++++++++++++++ doc/man3/EVP_PKEY_asn1_get_count.pod | 80 ++++++++ 3 files changed, 454 insertions(+) create mode 100644 doc/man3/EVP_PKEY_ASN1_METHOD.pod create mode 100644 doc/man3/EVP_PKEY_asn1_get_count.pod diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index 5f523b2..87a3eba 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -137,6 +137,11 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth) { + if (pkey_asn1_find(ameth->pkey_id) != NULL) { + EVPerr(EVP_F_EVP_PKEY_ASN1_ADD0, + EVP_R_PKEY_ASN1_METHOD_ALREADY_REGISTERED); + return 0; + } if (app_methods == NULL) { app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp); if (app_methods == NULL) diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod new file mode 100644 index 0000000..88df5b9 --- /dev/null +++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod @@ -0,0 +1,369 @@ +=pod + +=head1 NAME + +EVP_PKEY_ASN1_METHOD, +- manipulating and registering EVP_PKEY_ASN1_METHOD structure + +=head1 SYNOPSIS + + #include <openssl/evp.h> + + typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD; + + EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, + const char *pem_str, + const char *info); + void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, + const EVP_PKEY_ASN1_METHOD *src); + void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth); + int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth); + int EVP_PKEY_asn1_add_alias(int to, int from); + + void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, + int (*pub_decode) (EVP_PKEY *pk, + X509_PUBKEY *pub), + int (*pub_encode) (X509_PUBKEY *pub, + const EVP_PKEY *pk), + int (*pub_cmp) (const EVP_PKEY *a, + const EVP_PKEY *b), + int (*pub_print) (BIO *out, + const EVP_PKEY *pkey, + int indent, ASN1_PCTX *pctx), + int (*pkey_size) (const EVP_PKEY *pk), + int (*pkey_bits) (const EVP_PKEY *pk)); + void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth, + int (*priv_decode) (EVP_PKEY *pk, + const PKCS8_PRIV_KEY_INFO + *p8inf), + int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, + const EVP_PKEY *pk), + int (*priv_print) (BIO *out, + const EVP_PKEY *pkey, + int indent, + ASN1_PCTX *pctx)); + void EVP_PKEY_asn1_set_param(EVP_PKEY_ASN1_METHOD *ameth, + int (*param_decode) (EVP_PKEY *pkey, + const unsigned char **pder, + int derlen), + int (*param_encode) (const EVP_PKEY *pkey, + unsigned char **pder), + int (*param_missing) (const EVP_PKEY *pk), + int (*param_copy) (EVP_PKEY *to, + const EVP_PKEY *from), + int (*param_cmp) (const EVP_PKEY *a, + const EVP_PKEY *b), + int (*param_print) (BIO *out, + const EVP_PKEY *pkey, + int indent, + ASN1_PCTX *pctx)); + + void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth, + void (*pkey_free) (EVP_PKEY *pkey)); + void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, + int (*pkey_ctrl) (EVP_PKEY *pkey, int op, + long arg1, void *arg2)); + void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth, + int (*item_verify) (EVP_MD_CTX *ctx, + const ASN1_ITEM *it, + void *asn, + X509_ALGOR *a, + ASN1_BIT_STRING *sig, + EVP_PKEY *pkey), + int (*item_sign) (EVP_MD_CTX *ctx, + const ASN1_ITEM *it, + void *asn, + X509_ALGOR *alg1, + X509_ALGOR *alg2, + ASN1_BIT_STRING *sig)); + + void EVP_PKEY_asn1_set_siginf(EVP_PKEY_ASN1_METHOD *ameth, + int (*siginf_set) (X509_SIG_INFO *siginf, + const X509_ALGOR *alg, + const ASN1_STRING *sig)); + + void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth, + int (*pkey_check) (const EVP_PKEY *pk)); + + void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth, + int (*pkey_security_bits) (const EVP_PKEY + *pk)); + + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey); + +=head1 DESCRIPTION + +B<EVP_PKEY_ASN1_METHOD> is a structure which holds a set of ASN.1 +conversion, printing and information methods for a specific public key +algorithm. + +There are two places where the B<EVP_PKEY_ASN1_METHOD> objects are +stored: one is a built-in array representing the standard methods for +different algorithms, and the other one is a stack of user-defined +application-specific methods, which can be manipulated by using +L<EVP_PKEY_asn1_add0(3)>. + +=head2 Methods + +The methods are the underlying implementations of a particular public +key algorithm present by the B<EVP_PKEY> object. + + int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub); + int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk); + int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b); + int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent, + ASN1_PCTX *pctx); + +The pub_decode() and pub_encode() methods are called to decode / +encode B<X509_PUBKEY> ASN.1 parameters to / from B<pk>. +They MUST return 0 on error, 1 on success. +They're called by L<X509_PUBKEY_get0(3)> and L<X509_PUBKEY_set(3)>. + +The pub_cmp() method is called when two public keys are to be +compared. +It MUST return 1 when the keys are equal, 0 otherwise. +It's called by L<EVP_PKEY_cmp(3)>. + +The pub_print() method is called to print a public key in humanly +readable text to B<out>, indented B<indent> spaces. +It MUST return 0 on error, 1 on success. +It's called by L<EVP_PKEY_print_public(3)>. + + int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf); + int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk); + int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent, + ASN1_PCTX *pctx); + +The priv_decode() and priv_encode() methods are called to decode / +encode B<PKCS8_PRIV_KEY_INFO> form private key to / from B<pk>. +They MUST return 0 on error, 1 on success. +They're called by L<EVP_PKCS82PKEY(3)> and L<EVP_PKEY2PKCS8(3)>. + +The priv_print() method is called to print a private key in humanly +readable text to B<out>, indented B<indent> spaces. +It MUST return 0 on error, 1 on success. +It's called by L<EVP_PKEY_print_private(3)>. + + int (*pkey_size) (const EVP_PKEY *pk); + int (*pkey_bits) (const EVP_PKEY *pk); + int (*pkey_security_bits) (const EVP_PKEY *pk); + +The pkey_size() method returns the key size in bytes. +It's called by L<EVP_PKEY_size(3)>. + +The pkey_bits() method returns the key size in bits. +It's called by L<EVP_PKEY_bits(3)>. + + int (*param_decode) (EVP_PKEY *pkey, + const unsigned char **pder, int derlen); + int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder); + int (*param_missing) (const EVP_PKEY *pk); + int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from); + int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b); + int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent, + ASN1_PCTX *pctx); + +The param_decode() and param_encode() methods are called to decode / +encode DER formatted parameters to / from B<pk>. +They MUST return 0 on error, 1 on success. +They're called by L<PEM_read_bio_Parameters(3)> and the B<file:> +L<OSSL_STORE_LOADER(3)>. + +The param_missing() method returns 0 if a key parameter is missing, +otherwise 1. +It's called by L<EVP_PKEY_missing_parameters(3)>. + +The param_copy() method copies key parameters from B<from> to B<to>. +It MUST return 0 on error, 1 on success. +It's called by L<EVP_PKEY_copy_parameters(3)>. + +The param_cmp() method compares the parameters of keys B<a> and B<b>. +It MUST return 1 when the keys are equal, 0 when not equal, or a +negative number on error. +It's called by L<EVP_PKEY_cmp_parameters(3)>. + +The param_print() method prints the private key parameters in humanly +readable text to B<out>, indented B<indent> spaces. +It MUST return 0 on error, 1 on success. +It's called by L<EVP_PKEY_print_params(3)>. + + int (*sig_print) (BIO *out, + const X509_ALGOR *sigalg, const ASN1_STRING *sig, + int indent, ASN1_PCTX *pctx); + +The sig_print() method prints a signature in humanly readable text to +B<out>, indented B<indent> spaces. +B<sigalg> contains the exact signature algorithm. +If the signature in B<sig> doesn't correspond to what this method +expects, X509_signature_dump() must be used as a last resort. +It MUST return 0 on error, 1 on success. +It's called by L<X509_signature_print(3)>. + + void (*pkey_free) (EVP_PKEY *pkey); + +The pkey_free() method helps freeing the internals of B<pkey>. +It's called by L<EVP_PKEY_free(3)>, L<EVP_PKEY_set_type(3)>, +L<EVP_PKEY_set_type_str(3)>, and L<EVP_PKEY_assign(3)>. + + int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2); + +The pkey_ctrl() method adds extra algorithm specific control. +It's called by L<EVP_PKEY_get_default_digest_nid(3)>, +L<EVP_PKEY_set1_tls_encodedpoint(3)>, +L<EVP_PKEY_get1_tls_encodedpoint(3)>, L<PKCS7_SIGNER_INFO_set(3)>, +L<PKCS7_RECIP_INFO_set(3)>, ... + + int (*old_priv_decode) (EVP_PKEY *pkey, + const unsigned char **pder, int derlen); + int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder); + +The old_priv_decode() and old_priv_encode() methods decode / encode +they private key B<pkey> from / to a DER formatted array. +These are exclusively used to help decoding / encoding older (pre +PKCS#8) PEM formatted encrypted private keys. +old_priv_decode() MUST return 0 on error, 1 on success. +old_priv_encode() MUST the return same kind of values as +i2d_PrivateKey(). +They're called by L<d2i_PrivateKey(3)> and L<i2d_PrivateKey(3)>. + + int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey); + int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *alg1, X509_ALGOR *alg2, + ASN1_BIT_STRING *sig); + +The item_sign() and item_verify() methods make it possible to have +algorithm specific signatures and verification of them. + +item_sign() MUST return one of: + +=over 4 + +=item <=0 + +error + +=item 1 + +item_sign() did everything, OpenSSL internals just needs to pass the +signature length back. + +=item 2 + +item_sign() did nothing, OpenSSL internal standard routines are +expected to continue with the default signature production. + +=item 3 + +item_sign() set the algorithm identifier B<algor1> and B<algor2>, +OpenSSL internals should just sign using those algorithms. + +=back + +item_verify() MUST return one of: + +=over 4 + +=item <=0 + +error + +=item 1 + +item_sign() did everything, OpenSSL internals just needs to pass the +signature length back. + +=item 2 + +item_sign() did nothing, OpenSSL internal standard routines are +expected to continue with the default signature production. + +=back + +item_verify() and item_sign() are called by L<ASN1_item_verify(3)> and +L<ASN1_item_sign(3)>, and by extension, L<X509_verify(3)>, +L<X509_REQ_verify(3)>, L<X509_sign(3)>, L<X509_REQ_sign(3)>, ... + + int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig); + +The siginf_set() method is used to set custom B<X509_SIG_INFO> +parameters. +It MUST return 0 on error, or 1 on success. +It's called as part of L<X509_check_purpose(3)>, L<X509_check_ca(3)> +and L<X509_check_issued(3)>. + + int (*pkey_check) (const EVP_PKEY *pk); + +The pkey_check() method is used to check the validity of B<pk>. +It MUST return 0 for an invalid key, or 1 for a valid key. +It's called by L<EVP_PKEY_check(3)>. + +=head2 Functions + +EVP_PKEY_asn1_new() creates and returns a new B<EVP_PKEY_ASN1_METHOD> +object, and associates the given B<id>, B<flags>, B<pem_str> and +B<info>. +B<id> is a NID, B<pem_str> is the PEM type string, B<info> is a +descriptive string. +The following B<flags> are supported: + + ASN1_PKEY_SIGPARAM_NULL + +If B<ASN1_PKEY_SIGPARAM_NULL> is set, then the signature algorithm +parameters are given the type B<V_ASN1_NULL> by default, otherwise +they will be given the type B<V_ASN1_UNDEF> (i.e. the parameter is +omitted). +See L<X509_ALGOR_set0(3)> for more information. + +EVP_PKEY_asn1_copy() copies an B<EVP_PKEY_ASN1_METHOD> object from +B<src> to B<dst>. +This function is not thread safe, it's recommended to only use this +when initializing the application. + +EVP_PKEY_asn1_free() frees an existing B<EVP_PKEY_ASN1_METHOD> pointed +by B<ameth>. + +EVP_PKEY_asn1_add0() adds B<ameth> to the user defined stack of +methods unless another B<EVP_PKEY_ASN1_METHOD> with the same NID is +already there. +This function is not thread safe, it's recommended to only use this +when initializing the application. + +EVP_PKEY_asn1_add_alias() creates an alias with the NID B<to> for the +B<EVP_PKEY_ASN1_METHOD> with NID B<from> unless another +B<EVP_PKEY_ASN1_METHOD> with the same NID is already added. +This function is not thread safe, it's recommended to only use this +when initializing the application. + +EVP_PKEY_asn1_set_public(), EVP_PKEY_asn1_set_private(), +EVP_PKEY_asn1_set_param(), EVP_PKEY_asn1_set_free(), +EVP_PKEY_asn1_set_ctrl(), EVP_PKEY_asn1_set_item(), +EVP_PKEY_asn1_set_siginf(), EVP_PKEY_asn1_set_check(), and +EVP_PKEY_asn1_set_security_bits() set the diverse methods of the given +B<EVP_PKEY_ASN1_METHOD> object. + +EVP_PKEY_get0_asn1() finds the B<EVP_PKEY_ASN1_METHOD> associated +with the key B<pkey>. + +=head1 RETURN VALUES + +EVP_PKEY_asn1_new() returns NULL on error, or a pointer to an +B<EVP_PKEY_ASN1_METHOD> object otherwise. + +EVP_PKEY_asn1_add0() and EVP_PKEY_asn1_add_alias() return 0 on error, +or 1 on success. + +EVP_PKEY_get0_asn1() returns NULL on error, or a pointer to a constant +B<EVP_PKEY_ASN1_METHOD> object otherwise. + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/EVP_PKEY_asn1_get_count.pod b/doc/man3/EVP_PKEY_asn1_get_count.pod new file mode 100644 index 0000000..9ad2dae --- /dev/null +++ b/doc/man3/EVP_PKEY_asn1_get_count.pod @@ -0,0 +1,80 @@ +=pod + +=head1 NAME + +EVP_PKEY_asn1_find, +EVP_PKEY_asn1_find_str, +EVP_PKEY_asn1_get_count, +EVP_PKEY_asn1_get0, +EVP_PKEY_asn1_get0_info +- enumerate public key ASN.1 methods + +=head1 SYNOPSIS + + #include <openssl/evp.h> + + int EVP_PKEY_asn1_get_count(void); + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx); + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type); + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, + const char *str, int len); + int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id, + int *ppkey_flags, const char **pinfo, + const char **ppem_str, + const EVP_PKEY_ASN1_METHOD *ameth); + +=head1 DESCRIPTION + +EVP_PKEY_asn1_count() returns a count of the number of public key +ASN.1 methods available: it includes standard methods and any methods +added by the application. + +EVP_PKEY_asn1_get0() returns the public key ASN.1 method B<idx>. +The value of B<idx> must be between zero and EVP_PKEY_asn1_get_count() +- 1. + +EVP_PKEY_asn1_find() looks up the B<EVP_PKEY_ASN1_METHOD> with NID +B<type>. +If B<pe> isn't B<NULL>, then it will look up an engine implementing a +B<EVP_PKEY_ASN1_METHOD> for the NID B<type> and return that instead, +and also set B<*pe> to point at the engine that implements it. + +EVP_PKEY_asn1_find_str() looks up the B<EVP_PKEY_ASN1_METHOD> with PEM +type string B<str>. +Just like EVP_PKEY_asn1_find(), if B<pe> isn't B<NULL>, then it will +look up an engine implementing a B<EVP_PKEY_ASN1_METHOD> for the NID +B<type> and return that instead, and also set B<*pe> to point at the +engine that implements it. + +EVP_PKEY_asn1_get0_info() returns the public key ID, base public key +ID (both NIDs), any flags, the method description and PEM type string +associated with the public key ASN.1 method B<*ameth>. + +EVP_PKEY_asn1_count(), EVP_PKEY_asn1_get0(), EVP_PKEY_asn1_find() and +EVP_PKEY_asn1_find_str() are not thread safe, but as long as all +B<EVP_PKEY_ASN1_METHOD> objects are added before the application gets +threaded, using them is safe. See L<EVP_PKEY_asn1_add0(3)>. + +=head1 RETURN VALUES + +EVP_PKEY_asn1_count() returns the number of available public key methods. + +EVP_PKEY_asn1_get0() return a public key method or B<NULL> if B<idx> is +out of range. + +EVP_PKEY_asn1_get0_info() returns 0 on failure, 1 on success. + +=head1 SEE ALSO + +L<EVP_PKEY_asn1_new(3)>, L<EVP_PKEY_asn1_add0(3)> + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits