- Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding

- Parsing PEM private keys encrypted with DES and AES are now supported (Fixes ticket #5) - Added tests for encrypted keyfiles
2025-12-24 00:06:32 +01:00 · 2011-02-12 14:30:57 +00:00 · 2011-02-12 14:30:57 +00:00 · 96743fc5f5
commit 96743fc5f5
parent f17ed288ad
15 changed files with 812 additions and 352 deletions
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -151,6 +151,7 @@
 *
 * Module:  library/aes.c
 * Caller:  library/ssl_tls.c
+ *          library/pem.c
 *
 * This module enables the following ciphersuites:
 *      SSL_RSA_AES_128_SHA
@ -370,6 +371,18 @@
 */
 #define POLARSSL_PADLOCK_C

+/**
+ * \def POLARSSL_PEM_C
+ *
+ * Enable PEM decoding
+ *
+ * Module:  library/pem.c
+ * Caller:  library/x509parse.c
+ *
+ * This modules adds support for decoding PEM files.
+ */
+#define POLARSSL_PEM_C
+
 /**
 * \def POLARSSL_RSA_C
 *
--- a/include/polarssl/pem.h
+++ b/include/polarssl/pem.h
@ -0,0 +1,98 @@
+/**
+ * \file pem.h
+ *
+ * \brief Privacy Enhanced Mail (PEM) decoding
+ *
+ *  Copyright (C) 2006-2010, Brainspark B.V.
+ *
+ *  This file is part of PolarSSL (http://www.polarssl.org)
+ *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ *  All rights reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef POLARSSL_PEM_H
+#define POLARSSL_PEM_H
+
+/**
+ * \name PEM Error codes
+ * These error codes are returned in case of errors reading the
+ * PEM data.
+ * \{
+ */
+#define POLARSSL_ERR_PEM_NO_HEADER_PRESENT                 -0x0500  /**< No PEM header found. */
+#define POLARSSL_ERR_PEM_INVALID_DATA                      -0x0520  /**< PEM string is not as expected. */
+#define POLARSSL_ERR_PEM_MALLOC_FAILED                     -0x0540  /**< Failed to allocate memory. */
+#define POLARSSL_ERR_PEM_INVALID_ENC_IV                    -0x0560  /**< RSA IV is not in hex-format. */
+#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG                   -0x0580  /**< Unsupported key encryption algorithm. */
+#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED                 -0x05A0  /**< Private key password can't be empty. */
+#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH                 -0x05C0  /**< Given private key password does not allow for correct decryption. */
+#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE               -0x05E0  /**< Unavailable feature, e.g. hashing/encryption combination. */
+/* \} name */
+
+/**
+ * \brief       PEM context structure
+ */
+typedef struct
+{
+    unsigned char *buf;     /*!< buffer for decoded data             */
+    int buflen;             /*!< length of the buffer                */
+    unsigned char *info;    /*!< buffer for extra header information */
+}
+pem_context;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief       PEM context setup
+ *
+ * \param ctx   context to be initialized
+ */
+void pem_init( pem_context *ctx );
+
+/**
+ * \brief       Read a buffer for PEM information and store the resulting
+ *              data into the specified context buffers.
+ *
+ * \param ctx       context to use
+ * \param header    header string to seek and expect
+ * \param footer    footer string to seek and expect
+ * \param data      source data to look in
+ * \param pwd       password for decryption (can be NULL)
+ * \param pwdlen    length of password
+ * \param use_len   destination for total length used
+ *
+ * \return          0 on success, ior a specific PEM error code
+ */
+int pem_read_buffer( pem_context *ctx, char *header, char *footer,
+                     const unsigned char *data,
+                     const unsigned char *pwd,
+                     int pwdlen, int *use_len );
+
+/**
+ * \brief       PEM context memory freeing
+ *
+ * \param ctx   context to be freed
+ */
+void pem_free( pem_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pem.h */
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@ -69,13 +69,8 @@
 #define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG              -0x01C0  /**< Public key algorithm is unsupported (only RSA is supported). */
 #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x01E0  /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */
 #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x0200  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
-#define POLARSSL_ERR_X509_KEY_INVALID_PEM                  -0x0220  /**< PEM key string is not as expected. */
 #define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x0240  /**< Unsupported RSA key version */
 #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x0260  /**< Invalid RSA key tag or value. */
-#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV               -0x0280  /**< RSA IV is not in hex-format. */
-#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG              -0x02A0  /**< Unsupported key encryption algorithm. */
-#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED            -0x02C0  /**< Private key password can't be empty. */
-#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH            -0x02E0  /**< Given private key password does not allow for correct decryption. */
 #define POLARSSL_ERR_X509_POINT_ERROR                      -0x0300  /**< Not used. */
 #define POLARSSL_ERR_X509_VALUE_TO_LENGTH                  -0x0320  /**< Not used. */
 /* \} name */
@ -485,7 +480,7 @@ extern "C" {
 * \param buf      buffer holding the certificate data
 * \param buflen   size of the buffer
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen );

@ -497,7 +492,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen );
 * \param chain    points to the start of the chain
 * \param path     filename to read the certificates from
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crtfile( x509_cert *chain, const char *path );

@ -510,7 +505,7 @@ int x509parse_crtfile( x509_cert *chain, const char *path );
 * \param buf      buffer holding the CRL data
 * \param buflen   size of the buffer
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen );

@ -522,7 +517,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen );
 * \param chain    points to the start of the chain
 * \param path     filename to read the CRLs from
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crlfile( x509_crl *chain, const char *path );

@ -536,7 +531,7 @@ int x509parse_crlfile( x509_crl *chain, const char *path );
 * \param pwd      password for decryption (optional)
 * \param pwdlen   size of the password
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_key( rsa_context *rsa,
                   const unsigned char *key, int keylen,
@ -550,7 +545,7 @@ int x509parse_key( rsa_context *rsa,
 * \param path     filename to read the private key from
 * \param password password to decrypt the file (can be NULL)
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_keyfile( rsa_context *rsa, const char *path,
                       const char *password );
@ -563,7 +558,7 @@ int x509parse_keyfile( rsa_context *rsa, const char *path,
 * \param dhmin    input buffer
 * \param dhminlen size of the buffer
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen );

@ -574,7 +569,7 @@ int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen );
 * \param dhm      DHM context to be initialized
 * \param path     filename to read the DHM Parameters from
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_dhmfile( dhm_context *dhm, const char *path );