xmlsec-openssl: check if key matches key cert when loading from memor…

…y or file; fix no-x509 build (#586)
lsh123 · Mar 6, 2023 · 045c12f · 045c12f
1 parent 440a6ab
commit 045c12f
Show file tree

Hide file tree

Showing 18 changed files with 221 additions and 73 deletions.
diff --git a/apps/crypto.c b/apps/crypto.c
@@ -20,6 +20,10 @@
 
 #include "crypto.h"
 
+#ifndef UNREFERENCED_PARAMETER
+#define UNREFERENCED_PARAMETER(param)   ((void)(param))
+#endif /* UNREFERENCED_PARAMETER */
+
 int
 xmlSecAppCryptoInit(const char* config) {
     if(xmlSecCryptoAppInit(config) < 0) {
@@ -78,8 +82,15 @@ xmlSecAppCryptoSimpleKeysMngrCertLoad(xmlSecKeysMngrPtr mngr, const char *filena
     xmlSecAssert2(filename != NULL, -1);
 
 #ifndef XMLSEC_NO_X509
+
     return(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, format, type));
+
 #else /* XMLSEC_NO_X509 */
+
+    UNREFERENCED_PARAMETER(format);
+    UNREFERENCED_PARAMETER(type);
+
+    fprintf(stderr, "Error: X509 support is disabled\n");
     return(-1);
 #endif /* XMLSEC_NO_X509 */
 }
@@ -91,8 +102,14 @@ xmlSecAppCryptoSimpleKeysMngrCrlLoad(xmlSecKeysMngrPtr mngr, const char *filenam
     xmlSecAssert2(filename != NULL, -1);
 
 #ifndef XMLSEC_NO_X509
+
     return(xmlSecCryptoAppKeysMngrCrlLoad(mngr, filename, format));
+
 #else /* XMLSEC_NO_X509 */
+
+    UNREFERENCED_PARAMETER(format);
+
+    fprintf(stderr, "Error: X509 support is disabled\n");
     return(-1);
 #endif /* XMLSEC_NO_X509 */
 }
@@ -219,6 +236,8 @@ xmlSecAppCryptoSimpleKeysMngrEngineKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,
         }
     }
 #else /* XMLSEC_NO_X509 */
+    UNREFERENCED_PARAMETER(certFormat);
+
     if(certFiles[0] != '\0') {
         fprintf(stderr, "Error: X509 support is disabled\n");
         xmlSecKeyDestroy(key);
@@ -256,14 +275,14 @@ int
 xmlSecAppCryptoSimpleKeysMngrPkcs12KeyLoad(xmlSecKeysMngrPtr mngr, const char *filename, const char* pwd,
     const char *name, xmlSecKeyInfoCtxPtr keyInfoCtx, int verifyKey
 ) {
+#ifndef XMLSEC_NO_X509
     xmlSecKeyPtr key;
     int ret;
 
     xmlSecAssert2(mngr != NULL, -1);
     xmlSecAssert2(filename != NULL, -1);
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
-#ifndef XMLSEC_NO_X509
     key = xmlSecCryptoAppKeyLoadEx(filename, xmlSecKeyDataTypePrivate, xmlSecKeyDataFormatPkcs12, pwd,
                     xmlSecCryptoAppGetDefaultPwdCallback(), (void*)filename);
     if(key == NULL) {
@@ -306,6 +325,14 @@ xmlSecAppCryptoSimpleKeysMngrPkcs12KeyLoad(xmlSecKeysMngrPtr mngr, const char *f
 
     return(0);
 #else /* XMLSEC_NO_X509 */
+    xmlSecAssert2(mngr != NULL, -1);
+    xmlSecAssert2(filename != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    UNREFERENCED_PARAMETER(pwd);
+    UNREFERENCED_PARAMETER(name);
+    UNREFERENCED_PARAMETER(verifyKey);
+
     fprintf(stderr, "Error: X509 support is disabled\n");
     return(-1);
 #endif /* XMLSEC_NO_X509 */

diff --git a/include/xmlsec/keys.h b/include/xmlsec/keys.h
@@ -218,6 +218,9 @@ XMLSEC_EXPORT xmlSecKeyDataPtr  xmlSecKeyGetValue       (xmlSecKeyPtr key);
 XMLSEC_EXPORT int               xmlSecKeySetValue       (xmlSecKeyPtr key,
                                                          xmlSecKeyDataPtr value);
 
+XMLSEC_EXPORT xmlSecSize         xmlSecKeyGetSize       (xmlSecKeyPtr key);
+
+
 XMLSEC_EXPORT xmlSecKeyDataPtr  xmlSecKeyGetData        (xmlSecKeyPtr key,
                                                          xmlSecKeyDataId dataId);
 XMLSEC_EXPORT xmlSecKeyDataPtr  xmlSecKeyEnsureData     (xmlSecKeyPtr key,

diff --git a/include/xmlsec/openssl/evp.h b/include/xmlsec/openssl/evp.h
@@ -22,6 +22,14 @@
 extern "C" {
 #endif /* __cplusplus */
 
+
+/*********************************************************************************
+    *
+    * EVP_PKEY Util functions
+    *
+    ******************************************************************************/
+XMLSEC_CRYPTO_EXPORT EVP_PKEY* xmlSecOpenSSLKeyGetEvp                   (xmlSecKeyPtr key);
+
 XMLSEC_CRYPTO_EXPORT int                xmlSecOpenSSLEvpKeyDataAdoptEvp (xmlSecKeyDataPtr data,
                                                                          EVP_PKEY* pKey);
 XMLSEC_CRYPTO_EXPORT EVP_PKEY*          xmlSecOpenSSLEvpKeyDataGetEvp   (xmlSecKeyDataPtr data);

diff --git a/src/gnutls/app.c b/src/gnutls/app.c
@@ -36,6 +36,7 @@
 #include "../cast_helpers.h"
 #include "private.h"
 
+
 static xmlSecKeyPtr     xmlSecGnuTLSAppPemDerKeyLoadMemory      (const xmlSecByte * data,
                                                                  xmlSecSize dataSize,
                                                                  gnutls_x509_crt_fmt_t fmt);
@@ -47,9 +48,12 @@ static xmlSecKeyPtr     xmlSecGnuTLSAppPkcs8KeyLoadMemory       (const xmlSecByt
                                                                  void* pwdCallback,
                                                                  void* pwdCallbackCtx);
 
+#ifndef XMLSEC_NO_X509
 static xmlSecKeyPtr     xmlSecGnuTLSAppKeyFromCertLoadMemory    (const xmlSecByte* data,
                                                                  xmlSecSize dataSize,
                                                                  xmlSecKeyDataFormat format);
+#endif /* XMLSEC_NO_X509 */
+
 
 /**
  * xmlSecGnuTLSAppInit:
@@ -229,6 +233,7 @@ xmlSecGnuTLSAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize,  xmlSe
 }
 
 #ifndef XMLSEC_NO_X509
+
 /**
  * xmlSecGnuTLSAppKeyCertLoad:
  * @key:                the pointer to key.
@@ -240,8 +245,7 @@ xmlSecGnuTLSAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize,  xmlSe
  * Returns: 0 on success or a negative value otherwise.
  */
 int
-xmlSecGnuTLSAppKeyCertLoad(xmlSecKeyPtr key, const char* filename,
-                          xmlSecKeyDataFormat format) {
+xmlSecGnuTLSAppKeyCertLoad(xmlSecKeyPtr key, const char* filename, xmlSecKeyDataFormat format) {
     xmlSecBuffer buffer;
     int ret;
 
@@ -291,9 +295,9 @@ xmlSecGnuTLSAppKeyCertLoad(xmlSecKeyPtr key, const char* filename,
  * Returns: 0 on success or a negative value otherwise.
  */
 int
-xmlSecGnuTLSAppKeyCertLoadMemory(xmlSecKeyPtr key,
-    const xmlSecByte* data, xmlSecSize dataSize, xmlSecKeyDataFormat format)
-{
+xmlSecGnuTLSAppKeyCertLoadMemory(xmlSecKeyPtr key, const xmlSecByte* data, xmlSecSize dataSize,
+    xmlSecKeyDataFormat format
+) {
     gnutls_x509_crt_t cert = NULL;
     xmlSecKeyDataPtr x509Data;
     int ret;
@@ -381,10 +385,8 @@ xmlSecGnuTLSAppPkcs12Load(const char *filename,
  */
 xmlSecKeyPtr
 xmlSecGnuTLSAppPkcs12LoadMemory(const xmlSecByte* data, xmlSecSize dataSize,
-                                const char *pwd,
-                                void* pwdCallback ATTRIBUTE_UNUSED,
-                                void* pwdCallbackCtx ATTRIBUTE_UNUSED)
-{
+    const char *pwd, void* pwdCallback ATTRIBUTE_UNUSED, void* pwdCallbackCtx ATTRIBUTE_UNUSED
+) {
     xmlSecKeyPtr key = NULL;
     xmlSecKeyPtr res = NULL;
     xmlSecPtrList certsList;
@@ -518,6 +520,7 @@ xmlSecGnuTLSAppPkcs12LoadMemory(const xmlSecByte* data, xmlSecSize dataSize,
     xmlSecPtrListFinalize(&certsList);
     return(res);
 }
+#endif /* XMLSEC_NO_X509 */
 
 
 static gnutls_privkey_t
@@ -686,6 +689,7 @@ xmlSecGnuTLSAppPkcs8KeyLoadMemory(const xmlSecByte * data, xmlSecSize dataSize,
     return(key);
 }
 
+#ifndef XMLSEC_NO_X509
 static xmlSecKeyPtr
 xmlSecGnuTLSAppKeyFromCertLoadMemory(const xmlSecByte* data, xmlSecSize dataSize, xmlSecKeyDataFormat format)
 {

diff --git a/src/gnutls/crypto.c b/src/gnutls/crypto.c
@@ -333,11 +333,11 @@ xmlSecGnuTLSShutdown(void) {
  */
 int
 xmlSecGnuTLSKeysMngrInit(xmlSecKeysMngrPtr mngr) {
+#ifndef XMLSEC_NO_X509
     int ret;
 
     xmlSecAssert2(mngr != NULL, -1);
 
-#ifndef XMLSEC_NO_X509
     /* create x509 store if needed */
     if(xmlSecKeysMngrGetDataStore(mngr, xmlSecGnuTLSX509StoreId) == NULL) {
         xmlSecKeyDataStorePtr x509Store;
@@ -355,7 +355,12 @@ xmlSecGnuTLSKeysMngrInit(xmlSecKeysMngrPtr mngr) {
             return(-1);
         }
     }
+
+#else /* XMLSEC_NO_X509 */
+    xmlSecAssert2(mngr != NULL, -1);
+
 #endif /* XMLSEC_NO_X509 */
+
     return(0);
 }
 

diff --git a/src/gnutls/keysstore.c b/src/gnutls/keysstore.c
@@ -128,18 +128,17 @@ xmlSecGnuTLSKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name,
 }
 
 static xmlSecKeyPtr
-xmlSecGnuTLSKeysStoreFindKeyFromX509Data(xmlSecKeyStorePtr store, xmlSecKeyX509DataValuePtr x509Data,
-    xmlSecKeyInfoCtxPtr keyInfoCtx
+xmlSecGnuTLSKeysStoreFindKeyFromX509Data(xmlSecKeyStorePtr store, xmlSecKeyX509DataValuePtr x509Data, xmlSecKeyInfoCtxPtr keyInfoCtx
 ) {
 #ifndef XMLSEC_NO_X509
     xmlSecKeyStorePtr* simplekeystore;
     xmlSecPtrListPtr keysList;
     xmlSecKeyPtr key, res;
 
     xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecGnuTLSKeysStoreId), NULL);
+    xmlSecAssert2(x509Data != NULL, NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
 
-
     simplekeystore = xmlSecGnuTLSKeysStoreGetCtx(store);
     xmlSecAssert2(((simplekeystore != NULL) && (*simplekeystore != NULL)), NULL);
 
@@ -164,6 +163,11 @@ xmlSecGnuTLSKeysStoreFindKeyFromX509Data(xmlSecKeyStorePtr store, xmlSecKeyX509D
 
     return(res);
 #else  /* XMLSEC_NO_X509 */
+    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecGnuTLSKeysStoreId), NULL);
+    xmlSecAssert2(x509Data != NULL, NULL);
+    xmlSecAssert2(keyInfoCtx != NULL, NULL);
+
+    xmlSecNotImplementedError("X509 support is disabled");
     return(NULL);
 #endif /* XMLSEC_NO_X509 */
 }

diff --git a/src/keys.c b/src/keys.c
@@ -404,7 +404,7 @@ xmlSecKeyReqMatchKey(xmlSecKeyReqPtr keyReq, xmlSecKeyPtr key) {
     xmlSecAssert2(xmlSecKeyIsValid(key), -1);
 
     if((keyReq->keyType != xmlSecKeyDataTypeUnknown) && ((xmlSecKeyGetType(key) & keyReq->keyType) == 0)) {
-         return(0);
+        return(0);
     }
     if((keyReq->keyUsage != xmlSecKeyDataUsageUnknown) && ((keyReq->keyUsage & key->usage) == 0)) {
         return(0);
@@ -824,6 +824,24 @@ xmlSecKeySetValue(xmlSecKeyPtr key, xmlSecKeyDataPtr value) {
     return(0);
 }
 
+/**
+ * xmlSecKeyGetSize:
+ * @key:                the pointer to key.
+ *
+ * Gets key size (see also #xmlSecKeyDataGetSize function).
+ *
+ * Returns: key size.
+ */
+xmlSecSize
+xmlSecKeyGetSize(xmlSecKeyPtr key) {
+    xmlSecAssert2(key != NULL, 0);
+
+    if(key->value == NULL) {
+        return(0);
+    }
+    return(xmlSecKeyDataGetSize(key->value));
+}
+
 /**
  * xmlSecKeyGetData:
  * @key:                the pointer to key.

diff --git a/src/nss/app.c b/src/nss/app.c
@@ -60,10 +60,14 @@ static PRBool xmlSecNssAppAscii2UCS2Conv                        (PRBool toUnicod
                                                                  unsigned int   maxOutBufLen,
                                                                  unsigned int  *outBufLen,
                                                                  PRBool         swapBytes);
+static xmlSecKeyPtr     xmlSecNssAppDerKeyLoadSECItem           (SECItem* secItem);
+
+
+#ifndef XMLSEC_NO_X509
 static SECItem *xmlSecNssAppNicknameCollisionCallback           (SECItem *old_nick,
                                                                  PRBool *cancel,
                                                                  void *wincx);
-static xmlSecKeyPtr     xmlSecNssAppDerKeyLoadSECItem           (SECItem* secItem);
+#endif /* XMLSEC_NO_X509 */
 
 /**
  * xmlSecNssAppInit:
@@ -233,12 +237,12 @@ xmlSecNssAppAscii2UCS2Conv(PRBool toUnicode,
                                     outBuf, maxOutBufLen, outBufLen));
 }
 
+#ifndef XMLSEC_NO_X509
 /* rename certificate if needed */
 static SECItem *
 xmlSecNssAppNicknameCollisionCallback(SECItem *old_nick ATTRIBUTE_UNUSED,
-                                      PRBool *cancel,
-                                      void *wincx ATTRIBUTE_UNUSED)
-{
+    PRBool *cancel, void *wincx ATTRIBUTE_UNUSED
+) {
     CERTCertificate *cert = (CERTCertificate *)wincx;
     char *nick = NULL;
     SECItem *ret_nick = NULL;
@@ -266,6 +270,7 @@ xmlSecNssAppNicknameCollisionCallback(SECItem *old_nick ATTRIBUTE_UNUSED,
     ret_nick->len = (unsigned int)PORT_Strlen(nick);
     return ret_nick;
 }
+#endif /* XMLSEC_NO_X509 */
 
 /**
  * xmlSecNssAppKeyLoad:
@@ -384,9 +389,8 @@ xmlSecNssAppKeyLoadMemory(const xmlSecByte* data, xmlSecSize dataSize, xmlSecKey
  */
 xmlSecKeyPtr
 xmlSecNssAppKeyLoadSECItem(SECItem* secItem, xmlSecKeyDataFormat format,
-                    const char *pwd,
-                    void* pwdCallback,
-                    void* pwdCallbackCtx) {
+    const char *pwd, void* pwdCallback, void* pwdCallbackCtx
+) {
     xmlSecKeyPtr key = NULL;
 
     xmlSecAssert2(secItem != NULL, NULL);

diff --git a/src/nss/crypto.c b/src/nss/crypto.c
@@ -373,11 +373,11 @@ xmlSecNssShutdown(void) {
  */
 int
 xmlSecNssKeysMngrInit(xmlSecKeysMngrPtr mngr) {
+#ifndef XMLSEC_NO_X509
     int ret;
 
     xmlSecAssert2(mngr != NULL, -1);
 
-#ifndef XMLSEC_NO_X509
     /* create x509 store if needed */
     if(xmlSecKeysMngrGetDataStore(mngr, xmlSecNssX509StoreId) == NULL) {
         xmlSecKeyDataStorePtr x509Store;
@@ -395,6 +395,10 @@ xmlSecNssKeysMngrInit(xmlSecKeysMngrPtr mngr) {
             return(-1);
         }
     }
+
+#else /* XMLSEC_NO_X509 */
+    xmlSecAssert2(mngr != NULL, -1);
+
 #endif /* XMLSEC_NO_X509 */
 
     return(0);

diff --git a/src/nss/keysstore.c b/src/nss/keysstore.c
@@ -191,8 +191,7 @@ xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) {
 }
 
 static xmlSecKeyPtr
-xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name,
-                          xmlSecKeyInfoCtxPtr keyInfoCtx) {
+xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyStorePtr* ss;
     xmlSecKeyPtr key = NULL;
     xmlSecKeyPtr retval = NULL;
@@ -264,6 +263,7 @@ xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name,
             return (NULL);
         }
 
+#ifndef XMLSEC_NO_X509
         x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id);
         if(x509Data == NULL) {
             xmlSecInternalError("xmlSecKeyDataCreate", NULL);
@@ -276,6 +276,7 @@ xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name,
             goto done;
         }
         cert = NULL; /* owned by x509 data */
+#endif /* XMLSEC_NO_X509 */
 
         ret = xmlSecKeySetValue(key, data);
         if (ret < 0) {
@@ -355,6 +356,11 @@ xmlSecNssKeysStoreFindKeyFromX509Data(xmlSecKeyStorePtr store, xmlSecKeyX509Data
 
     return(res);
 #else  /* XMLSEC_NO_X509 */
+    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL);
+    xmlSecAssert2(x509Data != NULL, NULL);
+    xmlSecAssert2(keyInfoCtx != NULL, NULL);
+
+    xmlSecNotImplementedError("X509 support is disabled");
     return(NULL);
 #endif /* XMLSEC_NO_X509 */
 }