* Try to decrypt the given blob with multiple passwords using the given
* pkcs5 object.
*/
-static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
+static private_key_t *decrypt_private_key(key_type_t type, pkcs5_t *pkcs5,
+ chunk_t blob)
{
enumerator_t *enumerator;
shared_key_t *shared;
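Review bot: The doc comment above `decrypt_private_key` still describes only the blob and the pkcs5 object, so the new `type` parameter is undocumented. I would add a line such as `* The decrypted data is parsed as a private key of the given type.` to that comment. The same applies to the comment above `parse_encrypted_private_key` in the later hunk, which also gains `type` without mentioning it. The function body continues outside this hunk.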
{
continue;
}
- private_key = parse_private_key(decrypted);
+ /* do a quick check to validate whether the password was correct */
+ if (!is_asn1(decrypted))
+ {
+ chunk_clear(&decrypted);
+ continue;
+ }
+ private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ type, BUILD_BLOB_ASN1_DER,
+ decrypted, BUILD_END);
if (private_key)
{
chunk_clear(&decrypted);
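Review bot: When `lib->creds->create()` returns NULL after the `is_asn1()` check has passed, `decrypted` most likely holds real plaintext key material, for example when the password is correct but the key does not match `type`. That case is handled after the `if (private_key)` block, outside this hunk. It should wipe the buffer as the two visible paths do, with `chunk_clear(&decrypted);` rather than a plain free. The new comment could also say that `is_asn1()` is only a structural heuristic, e.g. `/* heuristic only: a wrong password usually yields non-ASN.1 data; the parse below is the real check */`. The loop in `decrypt_private_key` starts and ends outside the hunk.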
* Load an encrypted private key from an ASN.1 encoded blob
* Schemes per PKCS#5 (RFC 2898)
*/
-static private_key_t *parse_encrypted_private_key(chunk_t blob)
+static private_key_t *parse_encrypted_private_key(key_type_t type, chunk_t blob)
{
asn1_parser_t *parser;
chunk_t object;
}
case EPKINFO_ENCRYPTED_DATA:
{
- key = decrypt_private_key(pkcs5, object);
+ key = decrypt_private_key(type, pkcs5, object);
break;
}
}
break;
}
/* we don't know whether it is encrypted or not, try both ways */
- key = parse_encrypted_private_key(blob);
+ key = parse_encrypted_private_key(type, blob);
if (!key)
{
key = parse_private_key(blob);
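Review bot: The fallback `parse_private_key(blob)` on the last line still takes no `type`, so the unencrypted path is not constrained by the caller's requested key type while the encrypted path now is. `parse_private_key` is not visible here; if it selects the key type from the blob's own algorithm identifier, a caller asking for one type could get a different one for plaintext PKCS#8 input. Consider passing `type` through, or checking the result with `if (key && type != KEY_ANY && key->get_type(key) != type)` and then destroying the key and returning NULL. The enclosing function starts and ends outside the hunk.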