diff --git a/tests/api.c b/tests/api.c index 75a803926..156d21e97 100644 --- a/tests/api.c +++ b/tests/api.c @@ -13613,7 +13613,7 @@ static void test_wolfSSL_ASN1_TIME_print() static void test_wolfSSL_private_keys(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) + !defined(NO_FILESYSTEM) WOLFSSL* ssl; WOLFSSL_CTX* ctx; EVP_PKEY* pkey = NULL; @@ -13623,6 +13623,7 @@ static void test_wolfSSL_private_keys(void) OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); +#ifndef NO_RSA AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); @@ -13662,12 +13663,41 @@ static void test_wolfSSL_private_keys(void) EVP_PKEY_free(pkey); SSL_free(ssl); /* frees x509 also since loaded into ssl */ SSL_CTX_free(ctx); +#endif /* end of RSA private key match tests */ + + +#ifdef HAVE_ECC + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, + WOLFSSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, + WOLFSSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + SSL_free(ssl); + + + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEccKeyFile, + WOLFSSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif /* end of ECC private key match tests */ + /* test existence of no-op macros in wolfssl/openssl/ssl.h */ CONF_modules_free(); ENGINE_cleanup(); CONF_modules_unload(); + (void)ssl; + (void)ctx; + (void)pkey; + printf(resultFmt, passed); #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9ebbb0112..d79fbda85 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1803,22 +1803,37 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) #ifdef HAVE_ECC if (der->keyOID == ECDSAk) { - word32 keyIdx = 0; ecc_key key_pair; + byte privDer[MAX_ECC_BYTES]; + word32 privSz = MAX_ECC_BYTES; + word32 keyIdx = 0; if ((ret = wc_ecc_init(&key_pair)) < 0) return ret; + if ((ret = wc_EccPrivateKeyDecode(key, &keyIdx, &key_pair, keySz)) == 0) { WOLFSSL_MSG("Checking ECC key pair"); - keyIdx = 0; - if ((ret = wc_ecc_import_x963(der->publicKey, der->pubKeySize, - &key_pair)) == 0) { - /* public and private extracted successfuly no check if is + + if ((ret = wc_ecc_export_private_only(&key_pair, privDer, &privSz)) + == 0) { + wc_ecc_free(&key_pair); + ret = wc_ecc_init(&key_pair); + if (ret == 0) { + ret = wc_ecc_import_private_key((const byte*)privDer, + privSz, (const byte*)der->publicKey, + der->pubKeySize, &key_pair); + } + + /* public and private extracted successfuly now check if is * a pair and also do sanity checks on key. wc_ecc_check_key * checks that private * base generator equals pubkey */ - if ((ret = wc_ecc_check_key(&key_pair)) == 0) - ret = 1; + if (ret == 0) { + if ((ret = wc_ecc_check_key(&key_pair)) == 0) { + ret = 1; + } + } + ForceZero(privDer, privSz); } } wc_ecc_free(&key_pair);