Fix for backwards compatibility for i2d_PrivateKey.

src/ssl.c

@@ -8101,17 +8101,21 @@ static int wolfSSL_EVP_PKEY_get_der(const WOLFSSL_EVP_PKEY* key, unsigned char**
 {
     unsigned char* pt;
     int sz;
+    word16 pkcs8HeaderSz = 0;
 
     if (!key || !key->pkey_sz)
         return WOLFSSL_FATAL_ERROR;
 
-    sz = key->pkey_sz;
+    /* return the key without PKCS8 for compatibility */
+    if (key->pkey_sz < key->pkcs8HeaderSz)
+        pkcs8HeaderSz = key->pkcs8HeaderSz;
+    sz = key->pkey_sz - pkcs8HeaderSz;
     if (der) {
         pt = (unsigned char*)key->pkey.ptr;
         if (*der) {
             /* since this function signature has no size value passed in it is
              * assumed that the user has allocated a large enough buffer */
-            XMEMCPY(*der, pt, sz);
+            XMEMCPY(*der, pt + pkcs8HeaderSz, sz);
             *der += sz;
         }
         else {
@@ -8119,7 +8123,7 @@ static int wolfSSL_EVP_PKEY_get_der(const WOLFSSL_EVP_PKEY* key, unsigned char**
             if (*der == NULL) {
                 return WOLFSSL_FATAL_ERROR;
             }
-            XMEMCPY(*der, pt, sz);
+            XMEMCPY(*der, pt + pkcs8HeaderSz, sz);
         }
     }
     return sz;
@@ -8146,7 +8150,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
 {
     int ret;
     word32 idx = 0, algId;
-    byte hasPkcs8Header = 0;
+    word16 pkcs8HeaderSz = 0;
     WOLFSSL_EVP_PKEY* local;
 
     WOLFSSL_ENTER("wolfSSL_d2i_PrivateKey");
@@ -8161,7 +8165,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
     if ((ret = ToTraditionalInline_ex((const byte*)(*in), &idx, (word32)inSz,
                                                                  &algId)) > 0) {
         WOLFSSL_MSG("Found PKCS8 header");
-        hasPkcs8Header = 1;
+        pkcs8HeaderSz = (word16)idx;
 
         if ((type == EVP_PKEY_RSA && algId != RSAk) ||
             (type == EVP_PKEY_EC && algId != ECDSAk) ||
@@ -8191,7 +8195,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
 
     local->type     = type;
     local->pkey_sz  = (int)inSz;
-    local->hasPkcs8Header = hasPkcs8Header;
+    local->pkcs8HeaderSz = pkcs8HeaderSz;
     local->pkey.ptr = (char*)XMALLOC(inSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
     if (local->pkey.ptr == NULL) {
         wolfSSL_EVP_PKEY_free(local);
@@ -21829,7 +21833,7 @@ WOLFSSL_EC_KEY *wolfSSL_EC_KEY_dup(const WOLFSSL_EC_KEY *src)
 
     dup->pub_key->inSet = src->pub_key->inSet;
     dup->pub_key->exSet = src->pub_key->exSet;
-    dup->hasPkcs8Header = src->hasPkcs8Header;
+    dup->pkcs8HeaderSz = src->pkcs8HeaderSz;
 
     /* Copy private key */
     if (src->priv_key->internal == NULL || dup->priv_key->internal == NULL) {
@@ -39602,14 +39606,14 @@ int wolfSSL_RSA_LoadDer_ex(WOLFSSL_RSA* rsa, const unsigned char* derBuf,
         return WOLFSSL_FATAL_ERROR;
     }
 
-    rsa->hasPkcs8Header = 0;
+    rsa->pkcs8HeaderSz = 0;
 #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
     /* Check if input buffer has PKCS8 header. In the case that it does not
      * have a PKCS8 header then do not error out. */
     if ((ret = ToTraditionalInline_ex((const byte*)derBuf, &idx, (word32)derSz,
                                                                  &algId)) > 0) {
         WOLFSSL_MSG("Found PKCS8 header");
-        rsa->hasPkcs8Header = 1;
+        rsa->pkcs8HeaderSz = (word16)idx;
     }
     else {
         if (ret != ASN_PARSE_E) {
@@ -40149,14 +40153,14 @@ int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf,
         return WOLFSSL_FATAL_ERROR;
     }
 
-    key->hasPkcs8Header = 0;
+    key->pkcs8HeaderSz = 0;
 #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
     /* Check if input buffer has PKCS8 header. In the case that it does not
      * have a PKCS8 header then do not error out. */
     if ((ret = ToTraditionalInline_ex((const byte*)derBuf, &idx, (word32)derSz,
                                                                  &algId)) > 0) {
         WOLFSSL_MSG("Found PKCS8 header");
-        key->hasPkcs8Header = 1;
+        key->pkcs8HeaderSz = (word16)idx;
     }
     else {
         if (ret != ASN_PARSE_E) {

wolfcrypt/src/evp.c

@@ -6117,7 +6117,7 @@ int wolfSSL_EVP_PKEY_set1_RSA(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_RSA *key)
     pkey->rsa    = key;
     pkey->ownRsa = 1; /* pkey does not own RSA but needs to call free on it */
     pkey->type   = EVP_PKEY_RSA;
-    pkey->hasPkcs8Header = key->hasPkcs8Header;
+    pkey->pkcs8HeaderSz = key->pkcs8HeaderSz;
     if (key->inSet == 0) {
         if (SetRsaInternal(key) != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("SetRsaInternal failed");
@@ -6135,7 +6135,7 @@ int wolfSSL_EVP_PKEY_set1_RSA(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_RSA *key)
         if (ret > 0) {
             derSz = ret;
         #ifdef HAVE_PKCS8
-            if (key->hasPkcs8Header) {
+            if (key->pkcs8HeaderSz) {
                 ret = wc_CreatePKCS8Key(NULL, (word32*)&pkcs8Sz, NULL, derSz,
                     RSAk, NULL, 0);
                 if (ret == LENGTH_ONLY_E) ret = 0;
@@ -6161,7 +6161,7 @@ int wolfSSL_EVP_PKEY_set1_RSA(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_RSA *key)
             if (ret > 0) {
                 derSz = ret;
             #ifdef HAVE_PKCS8
-                if (key->hasPkcs8Header) {
+                if (key->pkcs8HeaderSz) {
                     byte* keyBuf = derBuf;
                     int keySz = derSz;
                     derSz = pkcs8Sz;
@@ -6557,7 +6557,7 @@ static int ECC_populate_EVP_PKEY(EVP_PKEY* pkey, WOLFSSL_EC_KEY *key)
         return WOLFSSL_FAILURE;
 
     ecc = (ecc_key*)key->internal;
-    if (key->hasPkcs8Header) {
+    if (key->pkcs8HeaderSz) {
         /* when key has pkcs8 header the pkey should too */
         if (wc_EccKeyToPKCS8(ecc, NULL, (word32*)&derSz) == LENGTH_ONLY_E) {
             byte* derBuf = (byte*)XMALLOC(derSz, pkey->heap, DYNAMIC_TYPE_OPENSSL);
@@ -6568,7 +6568,7 @@ static int ECC_populate_EVP_PKEY(EVP_PKEY* pkey, WOLFSSL_EC_KEY *key)
                     }
                     pkey->pkey_sz = (int)derSz;
                     pkey->pkey.ptr = (char*)derBuf;
-                    pkey->hasPkcs8Header = 1;
+                    pkey->pkcs8HeaderSz = key->pkcs8HeaderSz;
                     return WOLFSSL_SUCCESS;
                 }
                 else {

wolfssl/openssl/ec.h

@@ -119,11 +119,11 @@ struct WOLFSSL_EC_KEY {
     void*          internal;     /* our ECC Key */
     char           form;         /* Either POINT_CONVERSION_UNCOMPRESSED or
                                   * POINT_CONVERSION_COMPRESSED */
+    word16 pkcs8HeaderSz;
 
     /* option bits */
     byte inSet:1;        /* internal set from external ? */
     byte exSet:1;        /* external set from internal ? */
-    byte hasPkcs8Header:1;
 };
 
 struct WOLFSSL_EC_BUILTIN_CURVE {

wolfssl/openssl/rsa.h

@@ -87,12 +87,12 @@ typedef struct WOLFSSL_RSA {
     wolfSSL_Mutex    refMutex;                       /* ref count mutex */
     int              refCount;                       /* reference count */
 #endif
+    word16 pkcs8HeaderSz;
 
     /* bits */
     byte inSet:1;     /* internal set from external ? */
     byte exSet:1;     /* external set from internal ? */
     byte ownRng:1;    /* flag for if the rng should be free'd */
-    byte hasPkcs8Header:1;
 } WOLFSSL_RSA;
 #endif
 

wolfssl/ssl.h

@@ -370,13 +370,13 @@ struct WOLFSSL_EVP_PKEY {
 #ifdef HAVE_ECC
     int pkey_curve;
 #endif
+    word16 pkcs8HeaderSz;
 
     /* option bits */
     byte ownDh:1;  /* if struct owns DH  and should free it */
     byte ownEcc:1; /* if struct owns ECC and should free it */
     byte ownDsa:1; /* if struct owns DSA and should free it */
     byte ownRsa:1; /* if struct owns RSA and should free it */
-    byte hasPkcs8Header:1;
 };
 typedef struct WOLFSSL_EVP_PKEY WOLFSSL_PKCS8_PRIV_KEY_INFO;
 #ifndef WOLFSSL_EVP_TYPE_DEFINED /* guard on redeclaration */