feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

wolfSSL_X509_set_pubkey fix

Browse Source 
wolfSSL_X509_set_pubkey should always regenerate the key to make sure that it does not contain the private key
This commit is contained in:
Juliusz Sosinowicz
2021-03-10 14:26:46 +01:00
parent ce62a24325
commit c5c80b67d2
1 changed files with 78 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
src/ssl.c
View File

@@ -53738,37 +53738,67 @@ int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s)
int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey)
{ {
byte* p = NULL; byte* p = NULL;
int derSz;
WOLFSSL_ENTER("wolfSSL_X509_set_pubkey"); WOLFSSL_ENTER("wolfSSL_X509_set_pubkey");
if (cert == NULL || pkey == NULL) if (cert == NULL || pkey == NULL)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
if (pkey->type == EVP_PKEY_RSA /* Regenerate since pkey->pkey.ptr may contain private key */
#ifndef NO_DSA switch (pkey->type) {
|| pkey->type == EVP_PKEY_DSA #if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA)
#endif /* !NO_DSA */ case EVP_PKEY_RSA:
) { {
p = (byte*)XMALLOC(pkey->pkey_sz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); RsaKey* rsa;
if (pkey->rsa == NULL || pkey->rsa->internal == NULL)
return WOLFSSL_FAILURE;
rsa = (RsaKey*)pkey->rsa->internal;
derSz = wc_RsaPublicKeyDerSize(rsa, 1);
if (derSz <= 0)
return WOLFSSL_FAILURE;
p = (byte*)XMALLOC(derSz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
if (p == NULL) if (p == NULL)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
if (cert->pubKey.buffer != NULL) if ((derSz = wc_RsaKeyToPublicDer(rsa, p, derSz)) <= 0) {
XFREE(cert->pubKey.buffer, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
cert->pubKey.buffer = p; return WOLFSSL_FAILURE;
XMEMCPY(cert->pubKey.buffer, pkey->pkey.ptr, pkey->pkey_sz); }
cert->pubKey.length = pkey->pkey_sz;
#ifndef NO_DSA
if (pkey->type == EVP_PKEY_DSA)
cert->pubKeyOID = DSAk;
else
#endif /* !NO_DSA */
cert->pubKeyOID = RSAk; cert->pubKeyOID = RSAk;
} }
break;
#endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA */
#if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \
defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA)
case EVP_PKEY_DSA:
{
DsaKey* dsa;
if (pkey->dsa == NULL || pkey->dsa->internal == NULL)
return WOLFSSL_FAILURE;
dsa = (DsaKey*)pkey->dsa->internal;
/* size of pub, priv, p, q, g + ASN.1 additional information */
derSz = 5 * mp_unsigned_bin_size(&dsa->g) + MAX_ALGO_SZ;
p = (byte*)XMALLOC(derSz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
if (p == NULL)
return WOLFSSL_FAILURE;
if ((derSz = wc_DsaKeyToPublicDer(dsa, p, derSz)) <= 0) {
XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
return WOLFSSL_FAILURE;
}
cert->pubKeyOID = RSAk;
}
break;
#endif /* !HAVE_SELFTEST && (WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN) && !NO_DSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
else if (pkey->type == EVP_PKEY_EC) { case EVP_PKEY_EC:
/* Generate since pkey->pkey.ptr may contain private key */ {
ecc_key* ecc; ecc_key* ecc;
int derSz;
if (pkey->ecc == NULL || pkey->ecc->internal == NULL) if (pkey->ecc == NULL || pkey->ecc->internal == NULL)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
@@ -53786,13 +53816,15 @@ int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey)
XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
cert->pubKey.buffer = p;
cert->pubKey.length = derSz;
cert->pubKeyOID = ECDSAk; cert->pubKeyOID = ECDSAk;
} }
#endif /* HAVE_ECC */ break;
else #endif
default:
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
}
cert->pubKey.buffer = p;
cert->pubKey.length = derSz;
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }