Cleanup for DecodePrivateKey() functionality

* Create a new method DecodePrivateKey_ex() that gets the key to decode as parameters
* Adapt DecodePrivateKey() and DecodeAltPrivateKey() to use this new method
* Fix unblinding for TLS 1.3 Dual Algorithm Certificate alternative keys

This removes a lot of nearly duplicate code and simplifies maintenance.
Tobias Frauenschläger
2026-01-07 13:39:48 +01:00
parent 80c1228a38
commit b8cb5bee87
3 changed files with 207 additions and 674 deletions



@@ -9285,10 +9285,13 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
/* Swap keys */
ssl->buffers.key = ssl->buffers.altKey;
ssl->buffers.weOwnKey = ssl->buffers.weOwnAltKey;
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
ssl->buffers.keyMask = ssl->buffers.altKeyMask;
/* Unblind the alternative key before decoding */
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif
ssl->buffers.weOwnKey = ssl->buffers.weOwnAltKey;
}
#endif /* WOLFSSL_DUAL_ALG_CERTS */
ret = DecodePrivateKey(ssl, &args->sigLen);
@@ -9356,7 +9359,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
/* The native was already decoded. Now we need to do the
* alternative. Note that no swap was done because this case is
* both native and alternative, not just alternative. */
if (ssl->ctx->altPrivateKey == NULL) {
if (ssl->buffers.altKey == NULL) {
ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
}
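Review bot: The in-place unblind in the swap-keys block of SendTls13CertificateVerify, `wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);`, has no matching re-blind anywhere in the visible hunks. Because `ssl->buffers.key` was just aliased to `ssl->buffers.altKey`, the alternative key's DER would stay unmasked in memory for the lifetime of that buffer unless some other path masks it again. The name suggests a toggle, so if DecodePrivateKey() (its diff is not shown on this page) also toggles the key under WOLFSSL_BLIND_PRIVATE_KEY, the two calls would cancel each other; please confirm which side owns the unblind. I would state the invariant next to the call, e.g. `/* altKey is unblinded from here until <re-blind site>; all exits through exit_scv must restore the mask */`, and check that the error exits after this point do restore it. The function body starts and ends outside the hunks shown.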


@@ -2189,9 +2189,9 @@ WOLFSSL_LOCAL WARN_UNUSED_RESULT DerBuffer *wolfssl_priv_der_unblind(
const DerBuffer* key, const DerBuffer* mask);
WOLFSSL_LOCAL void wolfssl_priv_der_unblind_free(DerBuffer* key);
#endif
WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word32* length);
WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word32* sigLen);
#ifdef WOLFSSL_DUAL_ALG_CERTS
WOLFSSL_LOCAL int DecodeAltPrivateKey(WOLFSSL *ssl, word32* length);
WOLFSSL_LOCAL int DecodeAltPrivateKey(WOLFSSL *ssl, word32* sigLen);
#endif
#if defined(WOLF_PRIVATE_KEY_ID) || defined(HAVE_PK_CALLBACKS)
WOLFSSL_LOCAL int GetPrivateKeySigSize(WOLFSSL* ssl);