feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fixes for PKCS8 w/wo encryption as DER/ASN.1. Fixes for building with --disable-oldnames. Fix to enable the PKCS8 enc test without openssl comat. Added additional PKCS8 tests.

Browse Source
This commit is contained in:
David Garske
2019-08-19 11:18:51 -07:00
parent 3e1c103c78
commit 644e7a8f45
4 changed files with 168 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
certs/ecc-privkeyPkcs8.der Normal file
View File

Binary file not shown.

1
certs/include.am
View File

@ -13,6 +13,7 @@ EXTRA_DIST += \
certs/client-relative-uri.pem \ certs/client-relative-uri.pem \
certs/ecc-key.pem \ certs/ecc-key.pem \
certs/ecc-privkey.pem \ certs/ecc-privkey.pem \
certs/ecc-privkeyPkcs8.der \
certs/ecc-privkeyPkcs8.pem \ certs/ecc-privkeyPkcs8.pem \
certs/ecc-keyPkcs8Enc.pem \ certs/ecc-keyPkcs8Enc.pem \
certs/ecc-keyPkcs8Enc.der \ certs/ecc-keyPkcs8Enc.der \

62
src/ssl.c
View File

@ -4704,6 +4704,10 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
int devId = wolfSSL_CTX_GetDevId(ctx, ssl); int devId = wolfSSL_CTX_GetDevId(ctx, ssl);
word32 idx = 0; word32 idx = 0;
int keySz = 0; int keySz = 0;
#if (defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)) || \
defined(HAVE_PKCS8)
word32 algId = 0;
#endif
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
EncryptedInfo* info = NULL; EncryptedInfo* info = NULL;
#else #else
@ -4734,7 +4738,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif #endif
XMEMSET(info, 0, sizeof(EncryptedInfo)); XMEMSET(info, 0, sizeof(EncryptedInfo));
#ifdef WOLFSSL_ENCRYPTED_KEYS #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
if (ctx) { if (ctx) {
info->passwd_cb = ctx->passwd_cb; info->passwd_cb = ctx->passwd_cb;
info->passwd_userdata = ctx->passwd_userdata; info->passwd_userdata = ctx->passwd_userdata;
@ -4771,7 +4775,6 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#ifdef HAVE_PKCS8 #ifdef HAVE_PKCS8
/* if private key try and remove PKCS8 header */ /* if private key try and remove PKCS8 header */
if (type == PRIVATEKEY_TYPE) { if (type == PRIVATEKEY_TYPE) {
word32 algId = 0;
if ((ret = ToTraditional_ex(der->buffer, der->length, &algId)) > 0) { if ((ret = ToTraditional_ex(der->buffer, der->length, &algId)) > 0) {
/* Found PKCS8 header */ /* Found PKCS8 header */
/* ToTraditional_ex moves buff and returns adjusted length */ /* ToTraditional_ex moves buff and returns adjusted length */
@ -4799,46 +4802,48 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
} }
#ifdef WOLFSSL_ENCRYPTED_KEYS #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
/* for WOLFSSL_FILETYPE_PEM, PemToDer manage the decryption if required */ /* for WOLFSSL_FILETYPE_PEM, PemToDer manages the decryption */
if (ret >= 0 && info->set && format != WOLFSSL_FILETYPE_PEM) { /* If private key type PKCS8 header wasn't already removed (algoId == 0) */
/* decrypt */ if (ret >= 0 && format != WOLFSSL_FILETYPE_PEM && info->passwd_cb &&
type == PRIVATEKEY_TYPE && algId == 0)
{
int passwordSz = NAME_SZ; int passwordSz = NAME_SZ;
#ifdef WOLFSSL_SMALL_STACK #ifndef WOLFSSL_SMALL_STACK
char* password = NULL;
#else
char password[NAME_SZ]; char password[NAME_SZ];
#endif #else
char* password = (char*)XMALLOC(passwordSz, heap, DYNAMIC_TYPE_STRING);
if (password == NULL) {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
password = (char*)XMALLOC(passwordSz, heap, DYNAMIC_TYPE_STRING); XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO);
if (password == NULL)
ret = MEMORY_E;
else
#endif #endif
if (info->passwd_cb == NULL) { FreeDer(&der);
WOLFSSL_MSG("No password callback set"); return MEMORY_E;
ret = NO_PASSWORD;
} }
else { #endif
/* get password */
ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ, ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
info->passwd_userdata); info->passwd_userdata);
if (ret >= 0) { if (ret >= 0) {
passwordSz = ret; passwordSz = ret;
/* decrypt the key */ /* PKCS8 decrypt */
ret = wc_BufferKeyDecrypt(info, der->buffer, der->length, ret = ToTraditionalEnc(der->buffer, der->length,
(byte*)password, passwordSz, WC_MD5); password, passwordSz, &algId);
if (ret >= 0) {
der->length = ret;
}
printf("ToTraditionalEnc ret %d\n", ret);
ret = 0; /* ignore failures and try parsing directly unencrypted */
ForceZero(password, passwordSz); ForceZero(password, passwordSz);
} }
}
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(password, heap, DYNAMIC_TYPE_STRING); XFREE(password, heap, DYNAMIC_TYPE_STRING);
#endif #endif
} }
#endif /* WOLFSSL_ENCRYPTED_KEYS */ #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO); XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO);
@ -4924,6 +4929,15 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
if (type == PRIVATEKEY_TYPE && format != WOLFSSL_FILETYPE_RAW) { if (type == PRIVATEKEY_TYPE && format != WOLFSSL_FILETYPE_RAW) {
#if defined(WOLFSSL_ENCRYPTED_KEYS) || defined(HAVE_PKCS8)
/* attempt to detect key type */
if (algId == RSAk)
rsaKey = 1;
else if (algId == ECDSAk)
eccKey = 1;
else if (algId == ED25519k)
ed25519Key = 1;
#endif
#ifndef NO_RSA #ifndef NO_RSA
if (!eccKey && !ed25519Key) { if (!eccKey && !ed25519Key) {
/* make sure RSA key can be used */ /* make sure RSA key can be used */

153
tests/api.c
View File

@ -4389,9 +4389,13 @@ static void test_wolfSSL_PKCS12(void)
} }
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \
!defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && \
!defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) !defined(NO_PWDBASED) && !defined(NO_RSA)
#define TEST_PKCS8_ENC
#endif
#ifdef TEST_PKCS8_ENC
/* for PKCS8 test case */ /* for PKCS8 test case */
static WC_INLINE int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata) static WC_INLINE int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata)
{ {
@ -4406,15 +4410,14 @@ static WC_INLINE int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userd
case 1: /* flag set for specific WOLFSSL_CTX structure, note userdata case 1: /* flag set for specific WOLFSSL_CTX structure, note userdata
* can be anything the user wishes to be passed to the callback * can be anything the user wishes to be passed to the callback
* associated with the WOLFSSL_CTX */ * associated with the WOLFSSL_CTX */
strncpy(passwd, "yassl123", sz); XSTRNCPY(passwd, "yassl123", sz);
return 8; return 8;
default: default:
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
} }
#endif #endif /* TEST_PKCS8_ENC */
/* Testing functions dealing with PKCS8 */ /* Testing functions dealing with PKCS8 */
static void test_wolfSSL_PKCS8(void) static void test_wolfSSL_PKCS8(void)
@ -4422,7 +4425,9 @@ static void test_wolfSSL_PKCS8(void)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8)
byte buffer[FOURK_BUF]; byte buffer[FOURK_BUF];
byte der[FOURK_BUF]; byte der[FOURK_BUF];
const char eccPkcs8PrivKeyFile[] = "./certs/ecc-privkeyPkcs8.pem"; const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem";
const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der";
const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem";
const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der"; const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der";
XFILE f; XFILE f;
int bytes; int bytes;
@ -4432,12 +4437,14 @@ static void test_wolfSSL_PKCS8(void)
ecc_key key; ecc_key key;
word32 x = 0; word32 x = 0;
#endif #endif
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ #ifdef TEST_PKCS8_ENC
defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && \ const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem";
!defined(NO_PWDBASED) && !defined(NO_RSA) const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der";
#define TEST_PKCS8_ENC #ifdef HAVE_ECC
const char serverKeyPkcs8EncFile[] = "./certs/server-keyPkcs8Enc.pem"; const char eccPkcs8EncPrivKeyPemFile[] = "./certs/ecc-keyPkcs8Enc.pem";
int flag = 1; const char eccPkcs8EncPrivKeyDerFile[] = "./certs/ecc-keyPkcs8Enc.der";
#endif
int flag;
#endif #endif
printf(testingFmt, "wolfSSL_PKCS8()"); printf(testingFmt, "wolfSSL_PKCS8()");
@ -4457,28 +4464,85 @@ static void test_wolfSSL_PKCS8(void)
#endif #endif
#ifdef TEST_PKCS8_ENC #ifdef TEST_PKCS8_ENC
f = XFOPEN(serverKeyPkcs8EncFile, "rb"); wolfSSL_CTX_set_default_passwd_cb(ctx, PKCS8TestCallBack);
wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag);
/* test loading PEM PKCS8 encrypted file */
f = XFOPEN(serverKeyPkcs8EncPemFile, "rb");
AssertTrue((f != XBADFILE)); AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f); XFCLOSE(f);
flag = 1; /* used by password callback as return code */
wolfSSL_CTX_set_default_passwd_cb(ctx, &PKCS8TestCallBack);
wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
SSL_FILETYPE_PEM), SSL_SUCCESS); WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* this next case should fail if setting the user flag to a value other /* this next case should fail because of password callback return code */
* than 1 due to the password callback functions return value */ flag = 0; /* used by password callback as return code */
flag = 0;
wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag);
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
SSL_FILETYPE_PEM), SSL_SUCCESS); WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */
AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, FOURK_BUF, "yassl123"), 0); AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
"yassl123"), 0);
/* test that error value is returned with a bad password */ /* test that error value is returned with a bad password */
AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, FOURK_BUF, "bad"), 0); AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
"bad"), 0);
/* test loading PEM PKCS8 encrypted file */
f = XFOPEN(serverKeyPkcs8EncDerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#ifdef HAVE_ECC
/* test loading PEM PKCS8 encrypted ECC Key file */
f = XFOPEN(eccPkcs8EncPrivKeyPemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */
AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
"yassl123"), 0);
/* test that error value is returned with a bad password */
AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
"bad"), 0);
/* test loading DER PKCS8 encrypted ECC Key file */
f = XFOPEN(eccPkcs8EncPrivKeyDerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* leave flag as "okay" */
flag = 1;
#endif
#endif /* TEST_PKCS8_ENC */ #endif /* TEST_PKCS8_ENC */
@ -4488,20 +4552,31 @@ static void test_wolfSSL_PKCS8(void)
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f); XFCLOSE(f);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
SSL_FILETYPE_ASN1), SSL_SUCCESS); WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
wolfSSL_CTX_free(ctx); /* test loading PEM PKCS8 private key file (not encrypted) */
f = XFOPEN(serverKeyPkcs8PemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* Test PKCS8 PEM ECC key no crypt */ /* Test PKCS8 PEM ECC key no crypt */
f = XFOPEN(eccPkcs8PrivKeyFile, "rb"); f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb");
AssertTrue((f != XBADFILE)); AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f); XFCLOSE(f);
/* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */
#ifdef HAVE_ECC #ifdef HAVE_ECC
AssertIntGT((bytes = wc_KeyPemToDer(buffer, bytes, der, FOURK_BUF, NULL)), 0); /* Test PKCS8 PEM ECC key no crypt */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* decrypt PKCS8 PEM to key in DER format */
AssertIntGT((bytes = wc_KeyPemToDer(buffer, bytes, der,
(word32)sizeof(der), NULL)), 0);
ret = wc_ecc_init(&key); ret = wc_ecc_init(&key);
if (ret == 0) { if (ret == 0) {
ret = wc_EccPrivateKeyDecode(der, &x, &key, bytes); ret = wc_EccPrivateKeyDecode(der, &x, &key, bytes);
@ -4509,10 +4584,24 @@ static void test_wolfSSL_PKCS8(void)
} }
AssertIntEQ(ret, 0); AssertIntEQ(ret, 0);
#else #else
AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der, FOURK_BUF, NULL)), AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der,
ASN_NO_PEM_HEADER); (word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER);
#endif #endif
#ifdef HAVE_ECC
/* Test PKCS8 DER ECC key no crypt */
f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
XFCLOSE(f);
/* Test using a PKCS8 ECC PEM */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
wolfSSL_CTX_free(ctx);
printf(resultFmt, passed); printf(resultFmt, passed);
#endif /* !NO_FILESYSTEM && !NO_ASN && HAVE_PKCS8 */ #endif /* !NO_FILESYSTEM && !NO_ASN && HAVE_PKCS8 */
} }