hx509: Pass PKCS#8 keys to lower layers

OpenSSL's d2i_ECPrivateKey() is deprecated, so we have to use d2i_PrivateKey(), but d2i_PrivateKey() wants the whole PKCS#8 blob so it can know what kind of key it is. So we need to let the hx509 EC layer get that blob. The internal APIs need some refactoring, so for now we use a hack where we try to parse the private key with and without the PKCS#8 wrapper.
2022-11-19 23:43:27 -06:00
parent 2ddea96ba2
commit cce8ae9927
2 changed files with 34 additions and 28 deletions
--- a/lib/hx509/collector.c
+++ b/lib/hx509/collector.c
@@ -147,6 +147,16 @@ _hx509_collector_private_key_add(hx509_context context,
 				       key_data->data, key_data->length,
 				       HX509_KEY_FORMAT_DER,
 				       &key->private_key);
+        if (ret && localKeyId) {
+            int ret2;
+
+            ret2 = hx509_parse_private_key(context, alg,
+                                           localKeyId->data, localKeyId->length,
+                                           HX509_KEY_FORMAT_PKCS8,
+                                           &key->private_key);
+            if (ret2 == 0)
+                ret = 0;
+        }
 	if (ret)
 	    goto out;
    }
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -1304,34 +1304,6 @@ hx509_parse_private_key(hx509_context context,

    *private_key = NULL;

-    if (format == HX509_KEY_FORMAT_PKCS8) {
-        PKCS8PrivateKeyInfo ki;
-        hx509_private_key key;
-
-        ret = decode_PKCS8PrivateKeyInfo(data, len, &ki, NULL);
-        if (ret) {
-	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
-				   "Failed to parse PKCS#8-encoded private "
-                                   "key");
-	    return HX509_PARSING_KEY_FAILED;
-        }
-
-        /* Re-enter to parse DER-encoded key from PKCS#8 envelope */
-        ret = hx509_parse_private_key(context, &ki.privateKeyAlgorithm,
-                                      ki.privateKey.data, ki.privateKey.length,
-                                      HX509_KEY_FORMAT_DER, &key);
-        free_PKCS8PrivateKeyInfo(&ki);
-        if (ret) {
-	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
-				   "Failed to parse RSA key from PKCS#8 "
-                                   "envelope");
-	    return HX509_PARSING_KEY_FAILED;
-        }
-
-        *private_key = key;
-        return ret;
-    }
-
    ops = hx509_find_private_alg(&keyai->algorithm);
    if (ops == NULL) {
 	hx509_clear_error_string(context);
@@ -1348,6 +1320,30 @@ hx509_parse_private_key(hx509_context context,
    if (ret)
 	hx509_private_key_free(private_key);

+    if (ret && format == HX509_KEY_FORMAT_PKCS8) {
+        PKCS8PrivateKeyInfo ki;
+        hx509_private_key key;
+
+        /* Re-enter to try parsing the DER-encoded key from PKCS#8 envelope */
+        ret = decode_PKCS8PrivateKeyInfo(data, len, &ki, NULL);
+        if (ret) {
+	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+				   "Failed to parse PKCS#8-encoded private "
+                                   "key");
+	    return HX509_PARSING_KEY_FAILED;
+        }
+        ret = hx509_parse_private_key(context, &ki.privateKeyAlgorithm,
+                                      ki.privateKey.data, ki.privateKey.length,
+                                      HX509_KEY_FORMAT_DER, &key);
+        free_PKCS8PrivateKeyInfo(&ki);
+        if (ret) {
+            hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+                                   "Failed to parse RSA key from PKCS#8 "
+                                   "envelope");
+            return HX509_PARSING_KEY_FAILED;
+        }
+        *private_key = key;
+    }
    return ret;
 }