From 4d6e33b1ddcee4396342541fbd65f7e865f1e96f Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Wed, 1 Apr 2020 21:31:06 -0500 Subject: [PATCH 1/3] Fix wc_KeyPemToDer with PKCS1 and empty key --- tests/api.c | 21 +++++++++++++++++++++ wolfcrypt/src/asn.c | 28 ++++++++++++++++++---------- 2 files changed, 39 insertions(+), 10 deletions(-) diff --git a/tests/api.c b/tests/api.c index 6130a329f..501d44b2f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -25671,6 +25671,27 @@ static void test_wolfSSL_RSA(void) AssertNull(RSA_generate_key(4097, 3, NULL, NULL)); /* RSA_MAX_SIZE + 1 */ AssertNull(RSA_generate_key(2048, 0, NULL, NULL)); + +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) + { + byte buff[FOURK_BUF]; + byte der[FOURK_BUF]; + const char PrivKeyPemFile[] = "certs/client-keyEnc.pem"; + + XFILE f; + int bytes; + + /* test loading encrypted RSA private pem w/o password */ + f = XFOPEN(PrivKeyPemFile, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); + XFCLOSE(f); + memset(der, 0, sizeof(der)); + /* test that error value is returned with no password */ + AssertIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), ""), 0); + } +#endif + printf(resultFmt, passed); #endif } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d6e58946e..0a8fcdc49 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
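Review bot: In the block added to test_wolfSSL_RSA (PATCH 1/3, tests/api.c), the value returned by `XFREAD` is never checked and the final assertion only requires a negative result. If the read returns nothing, `wc_KeyPemToDer` fails for an unrelated reason and the test passes without reaching the missing-password path. Adding `AssertIntGT(bytes, 0);` after `XFCLOSE(f);` ensures real key data is handed to the call. Once PATCH 3/3 settles on `NO_PASSWORD` for this case, an `AssertIntEQ` against that code would pin the behaviour under test; this assumes `wc_KeyPemToDer` passes the code through unchanged, which should be confirmed.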
@@ -10562,20 +10562,28 @@ int PemToDer(const unsigned char* buff, long longSz, int type, } /* decrypt the key */ else { - ret = wc_BufferKeyDecrypt(info, der->buffer, der->length, - (byte*)password, passwordSz, WC_MD5); + int length; + word32 inOutIdx = 0; + if ((passwordSz == 0) && + (GetSequence(der->buffer, &inOutIdx, &length, + der->length) < 0)) { + ret = ASN_PARSE_E; + } + else { + ret = wc_BufferKeyDecrypt(info, der->buffer, der->length, + (byte*)password, passwordSz, WC_MD5); #ifndef NO_WOLFSSL_SKIP_TRAILING_PAD - #ifndef NO_DES3 - if (info->cipherType == WC_CIPHER_DES3) { - padVal = der->buffer[der->length-1]; - if (padVal <= DES_BLOCK_SIZE) { - der->length -= padVal; + #ifndef NO_DES3 + if (info->cipherType == WC_CIPHER_DES3) { + padVal = der->buffer[der->length-1]; + if (padVal <= DES_BLOCK_SIZE) { + der->length -= padVal; + } } - } - #endif /* !NO_DES3 */ + #endif /* !NO_DES3 */ #endif /* !NO_WOLFSSL_SKIP_TRAILING_PAD */ - + } } #ifdef OPENSSL_EXTRA if (ret) { From c3e0575914653d880b67b4ffa9e32c69be9a7803 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Thu, 9 Apr 2020 12:52:32 -0500 Subject: [PATCH 2/3] Fix from review --- tests/api.c | 4 ++-- wolfcrypt/src/asn.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/tests/api.c b/tests/api.c index 501d44b2f..4891c26fc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -20052,7 +20052,7 @@ static void test_wc_PemToDer(void) printf(testingFmt, "wc_PemToDer()"); - memset(&info, 0, sizeof(info)); + XMEMSET(&info, 0, sizeof(info)); ret = load_file(ca_cert, &cert_buf, &cert_sz); if (ret == 0) { @@ -25686,7 +25686,7 @@ static void test_wolfSSL_RSA(void) AssertTrue((f != XBADFILE)); bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - memset(der, 0, sizeof(der)); + XMEMSET(der, 0, sizeof(der)); /* test that error value is returned with no password */ AssertIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), ""), 0); } 
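Review bot: In the PemToDer hunk of PATCH 1/3 (wolfcrypt/src/asn.c), the DES3 trailing-pad strip moved into the new `else` still runs without checking `ret` from `wc_BufferKeyDecrypt`. It also indexes `der->buffer[der->length-1]` and subtracts `padVal` without bounding either against `der->length`. After a failed decrypt the pad byte comes from undecrypted data, and for a very short buffer the index can fall before the buffer or the length can wrap; whether `der->length` can be that small depends on checks outside the hunk. Since the block is being re-indented anyway, it could be guarded with `if (ret == 0 && der->length > 0 && info->cipherType == WC_CIPHER_DES3) {` and `if (padVal <= DES_BLOCK_SIZE && padVal <= der->length) {`. PemToDer begins and ends outside this hunk.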
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 0a8fcdc49..d6e9b7768 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10562,11 +10562,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, } /* decrypt the key */ else { - int length; - word32 inOutIdx = 0; - if ((passwordSz == 0) && - (GetSequence(der->buffer, &inOutIdx, &length, - der->length) < 0)) { + if (passwordSz == 0) { + /* The key is encrypted but does not have a password */ ret = ASN_PARSE_E; } else { From 8644fdca7d40c3ff25237f477265ac64574055ed Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 10 Apr 2020 08:29:31 -0500 Subject: [PATCH 3/3] Update from review --- wolfcrypt/src/asn.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d6e9b7768..6a1f954d0 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10564,7 +10564,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, else { if (passwordSz == 0) { /* The key is encrypted but does not have a password */ - ret = ASN_PARSE_E; + WOLFSSL_MSG("No password for encrypted key"); + ret = NO_PASSWORD; } else { ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
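Review bot: The comment added in PATCH 2/3, `/* The key is encrypted but does not have a password */`, describes the key, but the condition tests `passwordSz`, which is set outside this hunk (presumably from the password callback). Wording such as `/* encrypted key, but no password was supplied (passwordSz == 0) */` states what is actually checked. The comment could also record that an empty password is now always refused rather than tried, since the earlier `GetSequence` probe is removed here.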
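Review bot: The `NO_PASSWORD` return in PATCH 3/3 sits only in the `else` under `/* decrypt the key */`; the branch closed by the `}` at the top of the hunk is not visible here. If that branch also decrypts using `password`/`passwordSz`, an empty password there would presumably surface as a different error, and callers could not rely on `NO_PASSWORD` to mean that a password must be supplied. Testing `passwordSz == 0` once before the two branches split, or adding a comment on why the other branch does not need it, would keep both paths consistent.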