1/* 2 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include "e_os.h" 11#include <string.h> 12 13#include <openssl/core.h> 14#include <openssl/core_names.h> 15#include <openssl/core_object.h> 16#include <openssl/err.h> 17#include <openssl/pkcs12.h> 18#include <openssl/provider.h> 19#include <openssl/decoder.h> 20#include <openssl/store.h> 21#include "internal/provider.h" 22#include "internal/passphrase.h" 23#include "crypto/evp.h" 24#include "crypto/x509.h" 25#include "store_local.h" 26 27#ifndef OSSL_OBJECT_PKCS12 28/* 29 * The object abstraction doesn't know PKCS#12, but we want to indicate 30 * it anyway, so we create our own. Since the public macros use positive 31 * numbers, negative ones should be fine. They must never slip out from 32 * this translation unit anyway. 33 */ 34# define OSSL_OBJECT_PKCS12 -1 35#endif 36 37/* 38 * ossl_store_handle_load_result() is initially written to be a companion 39 * to our 'file:' scheme provider implementation, but has been made generic 40 * to serve others as well. 41 * 42 * This result handler takes any object abstraction (see provider-object(7)) 43 * and does the best it can with it. If the object is passed by value (not 44 * by reference), the contents are currently expected to be DER encoded. 45 * If an object type is specified, that will be respected; otherwise, this 46 * handler will guess the contents, by trying the following in order: 47 * 48 * 1. Decode it into an EVP_PKEY, using OSSL_DECODER. 49 * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX. 50 * 3. Decode it into an X.509 CRL, using d2i_X509_CRL. 51 * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*). 52 * 53 * For the 'file:' scheme implementation, this is division of labor. Since 54 * the libcrypto <-> provider interface currently doesn't support certain 55 * structures as first class objects, they must be unpacked from DER here 56 * rather than in the provider. The current exception is asymmetric keys, 57 * which can reside within the provider boundary, most of all thanks to 58 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by 59 * reference. 60 */ 61 62struct extracted_param_data_st { 63 int object_type; 64 const char *data_type; 65 const char *data_structure; 66 const char *utf8_data; 67 const void *octet_data; 68 size_t octet_data_size; 69 const void *ref; 70 size_t ref_size; 71 const char *desc; 72}; 73 74static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **); 75static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **, 76 OSSL_STORE_CTX *, const OSSL_PROVIDER *, 77 OSSL_LIB_CTX *, const char *); 78static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **, 79 OSSL_LIB_CTX *, const char *); 80static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **, 81 OSSL_LIB_CTX *, const char *); 82static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **, 83 OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *); 84 85int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg) 86{ 87 struct ossl_load_result_data_st *cbdata = arg; 88 OSSL_STORE_INFO **v = &cbdata->v; 89 OSSL_STORE_CTX *ctx = cbdata->ctx; 90 const OSSL_PROVIDER *provider = 91 OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader); 92 OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider); 93 const char *propq = ctx->properties; 94 const OSSL_PARAM *p; 95 struct extracted_param_data_st helper_data; 96 97 memset(&helper_data, 0, sizeof(helper_data)); 98 helper_data.object_type = OSSL_OBJECT_UNKNOWN; 99 100 if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL 101 && !OSSL_PARAM_get_int(p, &helper_data.object_type)) 102 return 0; 103 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); 104 if (p != NULL 105 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type)) 106 return 0; 107 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA); 108 if (p != NULL 109 && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data, 110 &helper_data.octet_data_size) 111 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data)) 112 return 0; 113 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_STRUCTURE); 114 if (p != NULL 115 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_structure)) 116 return 0; 117 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); 118 if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref, 119 &helper_data.ref_size)) 120 return 0; 121 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC); 122 if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc)) 123 return 0; 124 125 /* 126 * The helper functions return 0 on actual errors, otherwise 1, even if 127 * they didn't fill out |*v|. 128 */ 129 ERR_set_mark(); 130 if (*v == NULL && !try_name(&helper_data, v)) 131 goto err; 132 ERR_pop_to_mark(); 133 ERR_set_mark(); 134 if (*v == NULL && !try_key(&helper_data, v, ctx, provider, libctx, propq)) 135 goto err; 136 ERR_pop_to_mark(); 137 ERR_set_mark(); 138 if (*v == NULL && !try_cert(&helper_data, v, libctx, propq)) 139 goto err; 140 ERR_pop_to_mark(); 141 ERR_set_mark(); 142 if (*v == NULL && !try_crl(&helper_data, v, libctx, propq)) 143 goto err; 144 ERR_pop_to_mark(); 145 ERR_set_mark(); 146 if (*v == NULL && !try_pkcs12(&helper_data, v, ctx, libctx, propq)) 147 goto err; 148 ERR_pop_to_mark(); 149 150 if (*v == NULL) 151 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_UNSUPPORTED); 152 153 return (*v != NULL); 154 err: 155 ERR_clear_last_mark(); 156 return 0; 157} 158 159static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v) 160{ 161 if (data->object_type == OSSL_OBJECT_NAME) { 162 char *newname = NULL, *newdesc = NULL; 163 164 if (data->utf8_data == NULL) 165 return 0; 166 if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL 167 || (data->desc != NULL 168 && (newdesc = OPENSSL_strdup(data->desc)) == NULL) 169 || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) { 170 OPENSSL_free(newname); 171 OPENSSL_free(newdesc); 172 return 0; 173 } 174 OSSL_STORE_INFO_set0_NAME_description(*v, newdesc); 175 } 176 return 1; 177} 178 179/* 180 * For the rest of the object types, the provider code may not know what 181 * type of data it gave us, so we may need to figure that out on our own. 182 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and 183 * only return 0 on error if the object type is known. 184 */ 185 186static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data, 187 OSSL_STORE_CTX *ctx, 188 const OSSL_PROVIDER *provider, 189 OSSL_LIB_CTX *libctx, const char *propq) 190{ 191 EVP_PKEY *pk = NULL; 192 EVP_KEYMGMT *keymgmt = NULL; 193 void *keydata = NULL; 194 int try_fallback = 2; 195 196 /* If we have an object reference, we must have a data type */ 197 if (data->data_type == NULL) 198 return 0; 199 200 keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq); 201 ERR_set_mark(); 202 while (keymgmt != NULL && keydata == NULL && try_fallback-- > 0) { 203 /* 204 * There are two possible cases 205 * 206 * 1. The keymgmt is from the same provider as the loader, 207 * so we can use evp_keymgmt_load() 208 * 2. The keymgmt is from another provider, then we must 209 * do the export/import dance. 210 */ 211 if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { 212 /* no point trying fallback here */ 213 try_fallback = 0; 214 keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size); 215 } else { 216 struct evp_keymgmt_util_try_import_data_st import_data; 217 OSSL_FUNC_store_export_object_fn *export_object = 218 ctx->fetched_loader->p_export_object; 219 220 import_data.keymgmt = keymgmt; 221 import_data.keydata = NULL; 222 import_data.selection = OSSL_KEYMGMT_SELECT_ALL; 223 224 if (export_object != NULL) { 225 /* 226 * No need to check for errors here, the value of 227 * |import_data.keydata| is as much an indicator. 228 */ 229 (void)export_object(ctx->loader_ctx, 230 data->ref, data->ref_size, 231 &evp_keymgmt_util_try_import, 232 &import_data); 233 } 234 235 keydata = import_data.keydata; 236 } 237 238 if (keydata == NULL && try_fallback > 0) { 239 EVP_KEYMGMT_free(keymgmt); 240 keymgmt = evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *)provider, 241 data->data_type, propq); 242 if (keymgmt != NULL) { 243 ERR_pop_to_mark(); 244 ERR_set_mark(); 245 } 246 } 247 } 248 if (keydata != NULL) { 249 ERR_pop_to_mark(); 250 pk = evp_keymgmt_util_make_pkey(keymgmt, keydata); 251 } else { 252 ERR_clear_last_mark(); 253 } 254 EVP_KEYMGMT_free(keymgmt); 255 256 return pk; 257} 258 259static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, 260 OSSL_STORE_CTX *ctx, 261 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, 262 OSSL_LIB_CTX *libctx, const char *propq) 263{ 264 EVP_PKEY *pk = NULL; 265 OSSL_DECODER_CTX *decoderctx = NULL; 266 const unsigned char *pdata = data->octet_data; 267 size_t pdatalen = data->octet_data_size; 268 int selection = 0; 269 270 switch (ctx->expected_type) { 271 case 0: 272 break; 273 case OSSL_STORE_INFO_PARAMS: 274 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; 275 break; 276 case OSSL_STORE_INFO_PUBKEY: 277 selection = 278 OSSL_KEYMGMT_SELECT_PUBLIC_KEY 279 | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; 280 break; 281 case OSSL_STORE_INFO_PKEY: 282 selection = OSSL_KEYMGMT_SELECT_ALL; 283 break; 284 default: 285 return NULL; 286 } 287 288 decoderctx = 289 OSSL_DECODER_CTX_new_for_pkey(&pk, NULL, data->data_structure, 290 data->data_type, selection, libctx, 291 propq); 292 (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); 293 294 /* No error if this couldn't be decoded */ 295 (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen); 296 297 OSSL_DECODER_CTX_free(decoderctx); 298 299 return pk; 300} 301 302typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *); 303 304static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data, 305 store_info_new_fn **store_info_new, 306 OSSL_STORE_CTX *ctx, 307 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, 308 OSSL_LIB_CTX *libctx, const char *propq) 309{ 310 EVP_PKEY *pk = NULL; 311 const unsigned char *der = data->octet_data, *derp; 312 long der_len = (long)data->octet_data_size; 313 314 /* Try PUBKEY first, that's a real easy target */ 315 if (ctx->expected_type == 0 316 || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) { 317 derp = der; 318 pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq); 319 320 if (pk != NULL) 321 *store_info_new = OSSL_STORE_INFO_new_PUBKEY; 322 } 323 324 /* Try private keys next */ 325 if (pk == NULL 326 && (ctx->expected_type == 0 327 || ctx->expected_type == OSSL_STORE_INFO_PKEY)) { 328 unsigned char *new_der = NULL; 329 X509_SIG *p8 = NULL; 330 PKCS8_PRIV_KEY_INFO *p8info = NULL; 331 332 /* See if it's an encrypted PKCS#8 and decrypt it. */ 333 derp = der; 334 p8 = d2i_X509_SIG(NULL, &derp, der_len); 335 336 if (p8 != NULL) { 337 char pbuf[PEM_BUFSIZE]; 338 size_t plen = 0; 339 340 if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) { 341 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ); 342 } else { 343 const X509_ALGOR *alg = NULL; 344 const ASN1_OCTET_STRING *oct = NULL; 345 int len = 0; 346 347 X509_SIG_get0(p8, &alg, &oct); 348 349 /* 350 * No need to check the returned value, |new_der| 351 * will be NULL on error anyway. 352 */ 353 PKCS12_pbe_crypt(alg, pbuf, plen, 354 oct->data, oct->length, 355 &new_der, &len, 0); 356 der_len = len; 357 der = new_der; 358 } 359 X509_SIG_free(p8); 360 } 361 362 /* 363 * If the encrypted PKCS#8 couldn't be decrypted, 364 * |der| is NULL 365 */ 366 if (der != NULL) { 367 /* Try to unpack an unencrypted PKCS#8, that's easy */ 368 derp = der; 369 p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len); 370 371 if (p8info != NULL) { 372 pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq); 373 PKCS8_PRIV_KEY_INFO_free(p8info); 374 } 375 } 376 377 if (pk != NULL) 378 *store_info_new = OSSL_STORE_INFO_new_PKEY; 379 380 OPENSSL_free(new_der); 381 } 382 383 return pk; 384} 385 386static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, 387 OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider, 388 OSSL_LIB_CTX *libctx, const char *propq) 389{ 390 store_info_new_fn *store_info_new = NULL; 391 392 if (data->object_type == OSSL_OBJECT_UNKNOWN 393 || data->object_type == OSSL_OBJECT_PKEY) { 394 EVP_PKEY *pk = NULL; 395 396 /* Prefer key by reference than key by value */ 397 if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) { 398 pk = try_key_ref(data, ctx, provider, libctx, propq); 399 400 /* 401 * If for some reason we couldn't get a key, it's an error. 402 * It indicates that while decoders could make a key reference, 403 * the keymgmt somehow couldn't handle it, or doesn't have a 404 * OSSL_FUNC_keymgmt_load function. 405 */ 406 if (pk == NULL) 407 return 0; 408 } else if (data->octet_data != NULL) { 409 OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec; 410 void *cbarg = &ctx->pwdata; 411 412 pk = try_key_value(data, ctx, cb, cbarg, libctx, propq); 413 414 /* 415 * Desperate last maneuver, in case the decoders don't support 416 * the data we have, then we try on our own to at least get an 417 * engine provided legacy key. 418 * This is the same as der2key_decode() does, but in a limited 419 * way and within the walls of libcrypto. 420 */ 421 if (pk == NULL) 422 pk = try_key_value_legacy(data, &store_info_new, ctx, 423 cb, cbarg, libctx, propq); 424 } 425 426 if (pk != NULL) { 427 data->object_type = OSSL_OBJECT_PKEY; 428 429 if (store_info_new == NULL) { 430 /* 431 * We determined the object type for OSSL_STORE_INFO, which 432 * makes an explicit difference between an EVP_PKEY with just 433 * (domain) parameters and an EVP_PKEY with actual key 434 * material. 435 * The logic is that an EVP_PKEY with actual key material 436 * always has the public half. 437 */ 438 if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) 439 store_info_new = OSSL_STORE_INFO_new_PKEY; 440 else if (evp_keymgmt_util_has(pk, 441 OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) 442 store_info_new = OSSL_STORE_INFO_new_PUBKEY; 443 else 444 store_info_new = OSSL_STORE_INFO_new_PARAMS; 445 } 446 *v = store_info_new(pk); 447 } 448 449 if (*v == NULL) 450 EVP_PKEY_free(pk); 451 } 452 453 return 1; 454} 455 456static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, 457 OSSL_LIB_CTX *libctx, const char *propq) 458{ 459 if (data->object_type == OSSL_OBJECT_UNKNOWN 460 || data->object_type == OSSL_OBJECT_CERT) { 461 /* 462 * In most cases, we can try to interpret the serialized 463 * data as a trusted cert (X509 + X509_AUX) and fall back 464 * to reading it as a normal cert (just X509), but if 465 * |data_type| (the PEM name) specifically declares it as a 466 * trusted cert, then no fallback should be engaged. 467 * |ignore_trusted| tells if the fallback can be used (1) 468 * or not (0). 469 */ 470 int ignore_trusted = 1; 471 X509 *cert = X509_new_ex(libctx, propq); 472 473 if (cert == NULL) 474 return 0; 475 476 /* If we have a data type, it should be a PEM name */ 477 if (data->data_type != NULL 478 && (OPENSSL_strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0)) 479 ignore_trusted = 0; 480 481 if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data, 482 data->octet_data_size) == NULL 483 && (!ignore_trusted 484 || d2i_X509(&cert, (const unsigned char **)&data->octet_data, 485 data->octet_data_size) == NULL)) { 486 X509_free(cert); 487 cert = NULL; 488 } 489 490 if (cert != NULL) { 491 /* We determined the object type */ 492 data->object_type = OSSL_OBJECT_CERT; 493 *v = OSSL_STORE_INFO_new_CERT(cert); 494 if (*v == NULL) 495 X509_free(cert); 496 } 497 } 498 499 return 1; 500} 501 502static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, 503 OSSL_LIB_CTX *libctx, const char *propq) 504{ 505 if (data->object_type == OSSL_OBJECT_UNKNOWN 506 || data->object_type == OSSL_OBJECT_CRL) { 507 X509_CRL *crl; 508 509 crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data, 510 data->octet_data_size); 511 512 if (crl != NULL) 513 /* We determined the object type */ 514 data->object_type = OSSL_OBJECT_CRL; 515 516 if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) { 517 X509_CRL_free(crl); 518 crl = NULL; 519 } 520 521 if (crl != NULL) 522 *v = OSSL_STORE_INFO_new_CRL(crl); 523 if (*v == NULL) 524 X509_CRL_free(crl); 525 } 526 527 return 1; 528} 529 530static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, 531 OSSL_STORE_CTX *ctx, 532 OSSL_LIB_CTX *libctx, const char *propq) 533{ 534 int ok = 1; 535 536 /* There is no specific object type for PKCS12 */ 537 if (data->object_type == OSSL_OBJECT_UNKNOWN) { 538 /* Initial parsing */ 539 PKCS12 *p12; 540 541 p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data, 542 data->octet_data_size); 543 544 if (p12 != NULL) { 545 char *pass = NULL; 546 char tpass[PEM_BUFSIZE + 1]; 547 size_t tpass_len; 548 EVP_PKEY *pkey = NULL; 549 X509 *cert = NULL; 550 STACK_OF(X509) *chain = NULL; 551 552 data->object_type = OSSL_OBJECT_PKCS12; 553 554 ok = 0; /* Assume decryption or parse error */ 555 556 if (!PKCS12_mac_present(p12) 557 || PKCS12_verify_mac(p12, NULL, 0)) { 558 pass = NULL; 559 } else if (PKCS12_verify_mac(p12, "", 0)) { 560 pass = ""; 561 } else { 562 static char prompt_info[] = "PKCS12 import pass phrase"; 563 OSSL_PARAM pw_params[] = { 564 OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, 565 prompt_info, 566 sizeof(prompt_info) - 1), 567 OSSL_PARAM_END 568 }; 569 570 if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1, 571 &tpass_len, 572 pw_params, 0, &ctx->pwdata)) { 573 ERR_raise(ERR_LIB_OSSL_STORE, 574 OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR); 575 goto p12_end; 576 } 577 pass = tpass; 578 /* 579 * ossl_pw_get_passphrase() does not NUL terminate but 580 * we must do it for PKCS12_parse() 581 */ 582 pass[tpass_len] = '\0'; 583 if (!PKCS12_verify_mac(p12, pass, tpass_len)) { 584 ERR_raise_data(ERR_LIB_OSSL_STORE, 585 OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC, 586 tpass_len == 0 ? "empty password" : 587 "maybe wrong password"); 588 goto p12_end; 589 } 590 } 591 592 if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) { 593 STACK_OF(OSSL_STORE_INFO) *infos = NULL; 594 OSSL_STORE_INFO *osi_pkey = NULL; 595 OSSL_STORE_INFO *osi_cert = NULL; 596 OSSL_STORE_INFO *osi_ca = NULL; 597 598 ok = 1; /* Parsing went through correctly! */ 599 600 if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) { 601 if (pkey != NULL) { 602 if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL 603 /* clearing pkey here avoids case distinctions */ 604 && (pkey = NULL) == NULL 605 && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0) 606 osi_pkey = NULL; 607 else 608 ok = 0; 609 } 610 if (ok && cert != NULL) { 611 if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL 612 /* clearing cert here avoids case distinctions */ 613 && (cert = NULL) == NULL 614 && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0) 615 osi_cert = NULL; 616 else 617 ok = 0; 618 } 619 while (ok && sk_X509_num(chain) > 0) { 620 X509 *ca = sk_X509_value(chain, 0); 621 622 if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL 623 && sk_X509_shift(chain) != NULL 624 && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0) 625 osi_ca = NULL; 626 else 627 ok = 0; 628 } 629 } 630 EVP_PKEY_free(pkey); 631 X509_free(cert); 632 sk_X509_pop_free(chain, X509_free); 633 OSSL_STORE_INFO_free(osi_pkey); 634 OSSL_STORE_INFO_free(osi_cert); 635 OSSL_STORE_INFO_free(osi_ca); 636 if (!ok) { 637 sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free); 638 infos = NULL; 639 } 640 ctx->cached_info = infos; 641 } 642 p12_end: 643 OPENSSL_cleanse(tpass, sizeof(tpass)); 644 PKCS12_free(p12); 645 } 646 *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); 647 } 648 649 return ok; 650} 651