diff --git a/src/ssl.c b/src/ssl.c
index 824b7cff6..1d92114f4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -63251,112 +63251,24 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); return WOLFSSL_FAILURE; } + #ifndef NO_RSA { - word32 keyIdx = 0; - #ifdef WOLFSSL_SMALL_STACK - RsaKey *key = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); - if (key == NULL) - return WOLFSSL_FAILURE; - #else - RsaKey key[1]; - #endif - - if (wc_InitRsaKey(key, heap) != 0) { - ret = BAD_STATE_E; + const unsigned char* pt = pk; + if (wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, pkey, &pt, pkSz) != + NULL) { + ret = 0; } - else { - if ((ret = wc_RsaPrivateKeyDecode(pk, &keyIdx, key, pkSz)) - == 0) { - (*pkey)->type = EVP_PKEY_RSA; - (*pkey)->rsa = wolfSSL_RSA_new(); - (*pkey)->ownRsa = 1; /* we own RSA */ - if ((*pkey)->rsa == NULL) { - WOLFSSL_MSG("issue creating EVP RSA key"); - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_RSA); - #endif - return WOLFSSL_FAILURE; - } - if (wolfSSL_RSA_LoadDer_ex((*pkey)->rsa, pk, pkSz, - WOLFSSL_RSA_LOAD_PRIVATE) != SSL_SUCCESS) { - WOLFSSL_MSG("issue loading RSA key"); - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_RSA); - #endif - return WOLFSSL_FAILURE; - } - - WOLFSSL_MSG("Found PKCS12 RSA key"); - ret = 0; /* set in success state for upcoming ECC check */ - } - wc_FreeRsaKey(key); - } - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_RSA); - #endif } #endif /* NO_RSA */ #ifdef HAVE_ECC - { - word32 keyIdx = 0; - #ifdef WOLFSSL_SMALL_STACK - ecc_key *key = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC); - if (key == NULL) - return WOLFSSL_FAILURE; - 
#else - ecc_key key[1]; - #endif - - if (ret != 0) { /* if is in fail state check if ECC key */ - if (wc_ecc_init(key) != 0) { - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_ECC); - #endif - return WOLFSSL_FAILURE; - } - - if ((ret = wc_EccPrivateKeyDecode(pk, &keyIdx, key, pkSz)) - != 0) { - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - WOLFSSL_MSG("Bad PKCS12 key format"); - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_ECC); - #endif - return WOLFSSL_FAILURE; - } - (*pkey)->type = EVP_PKEY_EC; - (*pkey)->pkey_curve = key->dp->oidSum; - wc_ecc_free(key); - WOLFSSL_MSG("Found PKCS12 ECC key"); + if (ret != 0) { /* if is in fail state check if ECC key */ + const unsigned char* pt = pk; + if (wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, pkey, &pt, pkSz) != + NULL) { + ret = 0; } - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_ECC); - #endif } #else if (ret != 0) { /* if is in fail state and no ECC then fail */ @@ -63370,10 +63282,9 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, return WOLFSSL_FAILURE; } #endif /* HAVE_ECC */ - - (*pkey)->save_type = 0; - (*pkey)->pkey_sz = pkSz; - (*pkey)->pkey.ptr = (char*)pk; + if (pkey != NULL && *pkey != NULL) { + (*pkey)->save_type = 0; + } } (void)ret; diff --git a/tests/api.c b/tests/api.c index 54d114e65..5bbfbca5f 100644 --- a/tests/api.c +++ b/tests/api.c 
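Review bot: With HAVE_ECC defined, a key blob that fails both the RSA and the EC `wolfSSL_d2i_PrivateKey` calls no longer makes wolfSSL_PKCS12_parse fail: the new EC branch only sets `ret = 0` on success, the `if (ret != 0) { ... return WOLFSSL_FAILURE; }` check sits only in the `#else` (no-ECC) arm, and the following hunk discards the result with `(void)ret;`, so the function presumably continues to its normal return with a *pkey that holds no key. The removed code returned WOLFSSL_FAILURE on that path after freeing *cert, *ca, *pkey and pk, so callers could rely on a non-success return meaning "no usable key". Move the `if (ret != 0)` failure block out of the `#else` arm to just after `#endif /* HAVE_ECC */` so it runs in both configurations, or make the EC branch return failure itself when d2i returns NULL. The enclosing function starts and ends outside the hunk.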
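Review bot: Removing `(*pkey)->pkey_sz = pkSz;` and `(*pkey)->pkey.ptr = (char*)pk;` ends the hand-over of the DER buffer `pk` to *pkey, but nothing visible in either hunk frees `pk` on the success path (the removed failure paths in the first hunk did `XFREE(pk, heap, DYNAMIC_TYPE_PKCS)`); unless it is released outside the hunk, every successful parse now leaks a heap copy of the private key. If wolfSSL_d2i_PrivateKey copies the encoding, add `XFREE(pk, heap, DYNAMIC_TYPE_PKCS);` once the key is loaded, and if it does not, the existing `pkey.ptr` assignment has to stay. The new `if (pkey != NULL && *pkey != NULL)` guard is also inconsistent with the RSA/EC calls a few lines earlier, which already hand `pkey` to wolfSSL_d2i_PrivateKey without such a check; validate `pkey` once at function entry instead. The enclosing function continues past the hunk.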
@@ -8322,6 +8322,19 @@ static void test_wolfSSL_PKCS12(void)
 AssertNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL));
 AssertIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)),
 WOLFSSL_SUCCESS);
+
+ /* check use of pkey after parse */
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \
+ || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS)
+#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS)
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+#else
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#endif
+ AssertIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), WOLFSSL_SUCCESS);
+ SSL_CTX_free(ctx);
+#endif
+
 AssertNotNull(pkey);
 AssertNotNull(cert);
 AssertNotNull(ca);
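Review bot: The inner `#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS)` repeats the SESSION_CERTS condition the enclosing `#if` already requires; `#if !defined(NO_WOLFSSL_CLIENT)` is sufficient and avoids a reader wondering which of the two gates matters. The new block only exercises the success path, while the src/ssl.c change in this commit reworks how a key blob that fails RSA/EC decoding is reported; a companion assertion that PKCS12_parse returns WOLFSSL_FAILURE and leaves pkey NULL for a PKCS12 with a corrupted key would pin that behavior. `ctx` is presumably declared earlier in test_wolfSSL_PKCS12, which starts and ends outside the hunk.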