Decouple the EVP and PEM code.

EVP_PKEY_asn1_find can already be private. EVP_PKEY_asn1_find_str is used only so the PEM code can get at legacy encoders. Since this is all legacy non-PKCS8 stuff, we can just explicitly list out the three cases in the two places that need it. If this changes, we can later add a table in crypto/pem mapping string to EVP_PKEY type. With this, EVP_PKEY_ASN1_METHOD is no longer exposed in the public API and nothing outside of EVP_PKEY reaches into it. Unexport all of that. Change-Id: Iab661014247dbdbc31e5e9887364176ec5ad2a6d Reviewed-on: https://boringssl-review.googlesource.com/6871 Reviewed-by: Adam Langley <agl@google.com>
2016-01-03 03:02:50 -08:00 · 2016-01-03 03:02:50 -08:00 · 8ebc0f55a0
commit 8ebc0f55a0
parent 3f4f7ee08f
5 changed files with 22 additions and 87 deletions
--- a/crypto/evp/evp.c
+++ b/crypto/evp/evp.c
@ -194,8 +194,10 @@ int EVP_PKEY_id(const EVP_PKEY *pkey) {
  return pkey->type;
 }

-/* TODO(fork): remove the first argument. */
-const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pengine, int nid) {
+/* evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which
+ * should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
+ * unknown. */
+static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) {
  switch (nid) {
    case EVP_PKEY_RSA:
      return &rsa_asn1_meth;
@ -209,7 +211,7 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pengine, int nid) {
 }

 int EVP_PKEY_type(int nid) {
-  const EVP_PKEY_ASN1_METHOD *meth = EVP_PKEY_asn1_find(NULL, nid);
+  const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(nid);
  if (meth == NULL) {
    return NID_undef;
  }
@ -308,21 +310,6 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) {
  return key != NULL;
 }

-const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pengine,
-                                                   const char *name,
-                                                   size_t len) {
-  if (len == 3 && memcmp(name, "RSA", 3) == 0) {
-    return &rsa_asn1_meth;
-  }
-  if (len == 2 && memcmp(name, "EC", 2) == 0) {
-    return &ec_asn1_meth;
-  }
-  if (len == 3 && memcmp(name, "DSA", 3) == 0) {
-    return &dsa_asn1_meth;
-  }
-  return NULL;
-}
-
 int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) {
  const EVP_PKEY_ASN1_METHOD *ameth;

@ -330,7 +317,7 @@ int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) {
    free_it(pkey);
  }

-  ameth = EVP_PKEY_asn1_find(NULL, type);
+  ameth = evp_pkey_asn1_find(type);
  if (ameth == NULL) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
    ERR_add_error_dataf("algorithm %d (%s)", type, OBJ_nid2sn(type));
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@ -71,13 +71,10 @@
 #include <openssl/rand.h>
 #include <openssl/x509.h>

-#include "../evp/internal.h"
-
 #define MIN_LENGTH      4

 static int load_iv(char **fromp, unsigned char *to, int num);
 static int check_pem(const char *nm, const char *name);
-int pem_check_suffix(const char *pem_str, const char *suffix);

 void PEM_proc_type(char *buf, int type)
 {
@ -144,23 +141,11 @@ static int check_pem(const char *nm, const char *name)
    /* Make PEM_STRING_EVP_PKEY match any private key */

    if (!strcmp(name, PEM_STRING_EVP_PKEY)) {
-        int slen;
-        const EVP_PKEY_ASN1_METHOD *ameth;
-        if (!strcmp(nm, PEM_STRING_PKCS8))
-            return 1;
-        if (!strcmp(nm, PEM_STRING_PKCS8INF))
-            return 1;
-        slen = pem_check_suffix(nm, "PRIVATE KEY");
-        if (slen > 0) {
-            /*
-             * NB: ENGINE implementations wont contain a deprecated old
-             * private key decode function so don't look for them.
-             */
-            ameth = EVP_PKEY_asn1_find_str(NULL, nm, slen);
-            if (ameth && ameth->old_priv_decode)
-                return 1;
-        }
-        return 0;
+        return !strcmp(nm, PEM_STRING_PKCS8) ||
+               !strcmp(nm, PEM_STRING_PKCS8INF) ||
+               !strcmp(nm, PEM_STRING_RSA) ||
+               !strcmp(nm, PEM_STRING_EC) ||
+               !strcmp(nm, PEM_STRING_DSA);
    }

    /* Permit older strings */
@ -779,28 +764,6 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
    return (0);
 }

-/*
- * Check pem string and return prefix length. If for example the pem_str ==
- * "RSA PRIVATE KEY" and suffix = "PRIVATE KEY" the return value is 3 for the
- * string "RSA".
- */
-
-int pem_check_suffix(const char *pem_str, const char *suffix)
-{
-    int pem_len = strlen(pem_str);
-    int suffix_len = strlen(suffix);
-    const char *p;
-    if (suffix_len + 1 >= pem_len)
-        return 0;
-    p = pem_str + pem_len - suffix_len;
-    if (strcmp(p, suffix))
-        return 0;
-    p--;
-    if (*p != ' ')
-        return 0;
-    return p - pem_str;
-}
-
 int PEM_def_callback(char *buf, int size, int rwflag, void *userdata)
 {
    if (!buf || !userdata) {
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@ -69,10 +69,6 @@
 #include <openssl/rand.h>
 #include <openssl/x509.h>

-#include "../evp/internal.h"
-
-int pem_check_suffix(const char *pem_str, const char *suffix);
-
 EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
                                  void *u)
 {
@ -80,7 +76,6 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
    const unsigned char *p = NULL;
    unsigned char *data = NULL;
    long len;
-    int slen;
    EVP_PKEY *ret = NULL;

    if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u))
@ -128,12 +123,15 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
            *x = ret;
        }
        PKCS8_PRIV_KEY_INFO_free(p8inf);
-    } else if ((slen = pem_check_suffix(nm, "PRIVATE KEY")) > 0) {
-        const EVP_PKEY_ASN1_METHOD *ameth;
-        ameth = EVP_PKEY_asn1_find_str(NULL, nm, slen);
-        if (!ameth || !ameth->old_priv_decode)
-            goto p8err;
-        ret = d2i_PrivateKey(ameth->pkey_id, x, &p, len);
+    } else if (strcmp(nm, PEM_STRING_RSA) == 0) {
+        /* TODO(davidben): d2i_PrivateKey parses PKCS#8 along with the
+         * standalone format. This and the cases below probably should not
+         * accept PKCS#8. */
+        ret = d2i_PrivateKey(EVP_PKEY_RSA, x, &p, len);
+    } else if (strcmp(nm, PEM_STRING_EC) == 0) {
+        ret = d2i_PrivateKey(EVP_PKEY_EC, x, &p, len);
+    } else if (strcmp(nm, PEM_STRING_DSA) == 0) {
+        ret = d2i_PrivateKey(EVP_PKEY_DSA, x, &p, len);
    }
 p8err:
    if (ret == NULL)
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@ -720,21 +720,7 @@ OPENSSL_EXPORT EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp,
                                            long len);


-/* Private functions */
-
-/* EVP_PKEY_asn1_find returns the ASN.1 method table for the given |nid|, which
- * should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
- * unknown. */
-OPENSSL_EXPORT const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pengine,
-                                                              int nid);
-
-/* EVP_PKEY_asn1_find_str returns an |EVP_PKEY_ASN1_METHOD| by matching values
- * of the |len| bytes at |name|. For example, if name equals "EC" then it will
- * return an ECC method. The |pengine| argument is ignored.
- *
- * TODO(fork): move to PEM? */
-OPENSSL_EXPORT const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(
-    ENGINE **pengine, const char *name, size_t len);
+/* Private structures. */

 struct evp_pkey_st {
  CRYPTO_refcount_t references;
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@ -120,6 +120,7 @@ extern "C" {
 #define PEM_STRING_RSA_PUBLIC	"RSA PUBLIC KEY"
 #define PEM_STRING_DSA		"DSA PRIVATE KEY"
 #define PEM_STRING_DSA_PUBLIC	"DSA PUBLIC KEY"
+#define PEM_STRING_EC "EC PRIVATE KEY"
 #define PEM_STRING_PKCS7	"PKCS7"
 #define PEM_STRING_PKCS7_SIGNED	"PKCS #7 SIGNED DATA"
 #define PEM_STRING_PKCS8	"ENCRYPTED PRIVATE KEY"