author | Richard Levitte <levitte@openssl.org> | 2021-05-27 12:34:03 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2021-06-09 17:00:10 +0200 |
commit | 6a2b8ff392a304bbb106528653397b864acc53fa (patch) | |
tree | 75bd836ad9cec6eec65f270fd4db4b893f73b939 /providers/decoders.inc | |
parent | 25-test_verify.t: Add test case: accept trusted self-signed EE cert with key ... (diff) | |
Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.
The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentatively run further down the call chain.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
Diffstat (limited to 'providers/decoders.inc')
-rw-r--r-- | providers/decoders.inc | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/providers/decoders.inc b/providers/decoders.inc
index a92abe03e2..02b2b32c3f 100644
--- a/providers/decoders.inc
+++ b/providers/decoders.inc
@@ -15,7 +15,8 @@
 #define DECODER_STRUCTURE_type_specific_params "type-specific"
 #define DECODER_STRUCTURE_type_specific "type-specific"
 #define DECODER_STRUCTURE_type_specific_no_pub "type-specific"
-#define DECODER_STRUCTURE_PKCS8 "pkcs8"
+#define DECODER_STRUCTURE_EncryptedPrivateKeyInfo "EncryptedPrivateKeyInfo"
+#define DECODER_STRUCTURE_PrivateKeyInfo "PrivateKeyInfo"
 #define DECODER_STRUCTURE_SubjectPublicKeyInfo "SubjectPublicKeyInfo"
 #define DECODER_STRUCTURE_DH "dh"
 #define DECODER_STRUCTURE_DHX "dhx"
@@ -35,17 +36,17 @@
 (ossl_##_structure##_##_input##_to_##_output##_decoder_functions) }
 #ifndef OPENSSL_NO_DH
-DECODER_w_structure("DH", der, PKCS8, dh, yes),
+DECODER_w_structure("DH", der, PrivateKeyInfo, dh, yes),
 DECODER_w_structure("DH", der, SubjectPublicKeyInfo, dh, yes),
 DECODER_w_structure("DH", der, type_specific_params, dh, yes),
 DECODER_w_structure("DH", der, DH, dh, yes),
-DECODER_w_structure("DHX", der, PKCS8, dhx, yes),
+DECODER_w_structure("DHX", der, PrivateKeyInfo, dhx, yes),
 DECODER_w_structure("DHX", der, SubjectPublicKeyInfo, dhx, yes),
 DECODER_w_structure("DHX", der, type_specific_params, dhx, yes),
 DECODER_w_structure("DHX", der, DHX, dhx, yes),
 #endif
 #ifndef OPENSSL_NO_DSA
-DECODER_w_structure("DSA", der, PKCS8, dsa, yes),
+DECODER_w_structure("DSA", der, PrivateKeyInfo, dsa, yes),
 DECODER_w_structure("DSA", der, SubjectPublicKeyInfo, dsa, yes),
 DECODER_w_structure("DSA", der, type_specific, dsa, yes),
 DECODER_w_structure("DSA", der, DSA, dsa, yes),
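Review bot: Removing `DECODER_STRUCTURE_PKCS8` in the first hunk drops the structure name "pkcs8" without leaving an alias, so a caller that still requests input structure "pkcs8" would presumably match none of the table entries renamed in the hunks that follow. The diffstat on this page is limited to this file, so it cannot be confirmed from here that every caller was switched to "PrivateKeyInfo". I would document the rename next to the two new defines, for example `/* PKCS#8 structures are named after their ASN.1 types; "pkcs8" is no longer registered */`.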
@@ -53,30 +54,36 @@ DECODER("DSA", msblob, dsa, yes),
 DECODER("DSA", pvk, dsa, yes),
 #endif
 #ifndef OPENSSL_NO_EC
-DECODER_w_structure("EC", der, PKCS8, ec, yes),
+DECODER_w_structure("EC", der, PrivateKeyInfo, ec, yes),
 DECODER_w_structure("EC", der, SubjectPublicKeyInfo, ec, yes),
 DECODER_w_structure("EC", der, type_specific_no_pub, ec, yes),
 DECODER_w_structure("EC", der, EC, ec, yes),
-DECODER_w_structure("ED25519", der, PKCS8, ed25519, yes),
+DECODER_w_structure("ED25519", der, PrivateKeyInfo, ed25519, yes),
 DECODER_w_structure("ED25519", der, SubjectPublicKeyInfo, ed25519, yes),
-DECODER_w_structure("ED448", der, PKCS8, ed448, yes),
+DECODER_w_structure("ED448", der, PrivateKeyInfo, ed448, yes),
 DECODER_w_structure("ED448", der, SubjectPublicKeyInfo, ed448, yes),
-DECODER_w_structure("X25519", der, PKCS8, x25519, yes),
+DECODER_w_structure("X25519", der, PrivateKeyInfo, x25519, yes),
 DECODER_w_structure("X25519", der, SubjectPublicKeyInfo, x25519, yes),
-DECODER_w_structure("X448", der, PKCS8, x448, yes),
+DECODER_w_structure("X448", der, PrivateKeyInfo, x448, yes),
 DECODER_w_structure("X448", der, SubjectPublicKeyInfo, x448, yes),
 # ifndef OPENSSL_NO_SM2
-DECODER_w_structure("SM2", der, PKCS8, sm2, yes),
+DECODER_w_structure("SM2", der, PrivateKeyInfo, sm2, yes),
 DECODER_w_structure("SM2", der, SubjectPublicKeyInfo, sm2, yes),
 # endif
 #endif
-DECODER_w_structure("RSA", der, PKCS8, rsa, yes),
+DECODER_w_structure("RSA", der, PrivateKeyInfo, rsa, yes),
 DECODER_w_structure("RSA", der, SubjectPublicKeyInfo, rsa, yes),
 DECODER_w_structure("RSA", der, type_specific_keypair, rsa, yes),
 DECODER_w_structure("RSA", der, RSA, rsa, yes),
-DECODER_w_structure("RSA-PSS", der, PKCS8, rsapss, yes),
+DECODER_w_structure("RSA-PSS", der, PrivateKeyInfo, rsapss, yes),
 DECODER_w_structure("RSA-PSS", der, SubjectPublicKeyInfo, rsapss, yes),
 DECODER("RSA", msblob, rsa, yes),
 DECODER("RSA", pvk, rsa, yes),
 DECODER("DER", pem, der, yes),
+/*
+ * A decoder that recognises PKCS#8 EncryptedPrivateKeyInfo structure
+ * and decrypts it, passing on the unencrypted PrivateKeyInfo in DER
+ * form to the next decoder.
+ */
+DECODER_w_structure("DER", der, EncryptedPrivateKeyInfo, der, yes), |
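Review bot: The comment added above the `EncryptedPrivateKeyInfo` entry at the end of this hunk does not say what the decoder does with input that is not encrypted, or with input that fails to decrypt (for instance on a wrong passphrase). According to the commit message this entry is now the single place where PKCS#8 decryption happens, so that outcome decides whether the key-type decoders ever see a PrivateKeyInfo. The implementation is outside this file and I cannot tell which behaviour applies. I would extend the comment with a line such as ` * Input that is not an EncryptedPrivateKeyInfo, or that cannot be decrypted, is <declined or reported as an error; state which>.` and also note there, as the commit message does, that the data type passed on is taken from the algorithmIdentifier OID.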