wolfSSL_X509_set_pubkey fix

wolfSSL_X509_set_pubkey should always regenerate the key to make sure that it does not contain the private key
2025-08-01 19:54:40 +02:00 · 2021-03-10 14:26:46 +01:00
parent ce62a24325
commit c5c80b67d2
1 changed files with 78 additions and 46 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -53738,61 +53738,93 @@ int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s)
 int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey)
 {
    byte* p = NULL;
    int derSz;
    WOLFSSL_ENTER("wolfSSL_X509_set_pubkey");
    if (cert == NULL || pkey == NULL)
        return WOLFSSL_FAILURE;
-    if (pkey->type == EVP_PKEY_RSA
+    /* Regenerate since pkey->pkey.ptr may contain private key */
-#ifndef NO_DSA
+    switch (pkey->type) {
-            || pkey->type == EVP_PKEY_DSA
+#if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA)
-#endif /* !NO_DSA */
+    case EVP_PKEY_RSA:
-            ) {
+        {
-        p = (byte*)XMALLOC(pkey->pkey_sz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+            RsaKey* rsa;
        if (p == NULL)
            return WOLFSSL_FAILURE;
-        if (cert->pubKey.buffer != NULL)
+            if (pkey->rsa == NULL || pkey->rsa->internal == NULL)
-            XFREE(cert->pubKey.buffer, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+                return WOLFSSL_FAILURE;
-        cert->pubKey.buffer = p;
+
-        XMEMCPY(cert->pubKey.buffer, pkey->pkey.ptr, pkey->pkey_sz);
+            rsa = (RsaKey*)pkey->rsa->internal;
-        cert->pubKey.length = pkey->pkey_sz;
+            derSz = wc_RsaPublicKeyDerSize(rsa, 1);
-#ifndef NO_DSA
+            if (derSz <= 0)
-        if (pkey->type == EVP_PKEY_DSA)
+                return WOLFSSL_FAILURE;
-            cert->pubKeyOID = DSAk;
+
-        else
+            p = (byte*)XMALLOC(derSz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-#endif /* !NO_DSA */
+            if (p == NULL)
                return WOLFSSL_FAILURE;
            if ((derSz = wc_RsaKeyToPublicDer(rsa, p, derSz)) <= 0) {
                XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
                return WOLFSSL_FAILURE;
            }
            cert->pubKeyOID = RSAk;
    }
 #ifdef HAVE_ECC
    else if (pkey->type == EVP_PKEY_EC) {
        /* Generate since pkey->pkey.ptr may contain private key */
        ecc_key* ecc;
        int derSz;
        if (pkey->ecc == NULL || pkey->ecc->internal == NULL)
            return WOLFSSL_FAILURE;
        ecc = (ecc_key*)pkey->ecc->internal;
        derSz = wc_EccPublicKeyDerSize(ecc, 1);
        if (derSz <= 0)
            return WOLFSSL_FAILURE;
        p = (byte*)XMALLOC(derSz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        if (p == NULL)
            return WOLFSSL_FAILURE;
        if ((derSz = wc_EccPublicKeyToDer(ecc, p, derSz, 1)) <= 0) {
            XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
            return WOLFSSL_FAILURE;
        }
-        cert->pubKey.buffer = p;
+        break;
-        cert->pubKey.length = derSz;
+#endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA */
-        cert->pubKeyOID = ECDSAk;
+#if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \
-    }
+        defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA)
-#endif /* HAVE_ECC */
+    case EVP_PKEY_DSA:
-    else
+        {
            DsaKey* dsa;
            if (pkey->dsa == NULL || pkey->dsa->internal == NULL)
                return WOLFSSL_FAILURE;
            dsa = (DsaKey*)pkey->dsa->internal;
            /* size of pub, priv, p, q, g + ASN.1 additional information */
            derSz = 5 * mp_unsigned_bin_size(&dsa->g) + MAX_ALGO_SZ;
            p = (byte*)XMALLOC(derSz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
            if (p == NULL)
                return WOLFSSL_FAILURE;
            if ((derSz = wc_DsaKeyToPublicDer(dsa, p, derSz)) <= 0) {
                XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
                return WOLFSSL_FAILURE;
            }
            cert->pubKeyOID = RSAk;
        }
        break;
 #endif /* !HAVE_SELFTEST && (WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN) && !NO_DSA */
 #ifdef HAVE_ECC
    case EVP_PKEY_EC:
        {
            ecc_key* ecc;
            if (pkey->ecc == NULL || pkey->ecc->internal == NULL)
                return WOLFSSL_FAILURE;
            ecc = (ecc_key*)pkey->ecc->internal;
            derSz = wc_EccPublicKeyDerSize(ecc, 1);
            if (derSz <= 0)
                return WOLFSSL_FAILURE;
            p = (byte*)XMALLOC(derSz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
            if (p == NULL)
                return WOLFSSL_FAILURE;
            if ((derSz = wc_EccPublicKeyToDer(ecc, p, derSz, 1)) <= 0) {
                XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
                return WOLFSSL_FAILURE;
            }
            cert->pubKeyOID = ECDSAk;
        }
        break;
 #endif
    default:
        return WOLFSSL_FAILURE;
    }
    cert->pubKey.buffer = p;
    cert->pubKey.length = derSz;
    return WOLFSSL_SUCCESS;
 }