From: Tobias Brunner Date: Wed, 18 Oct 2023 15:15:44 +0000 (+0200) Subject: pkcs8: Add support for unprotected PKCS#8 containers X-Git-Tag: 5.9.12rc1~7^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc704cf20644e3fd0d5bae2b2d6de89ad140fa91;p=thirdparty%2Fstrongswan.git pkcs8: Add support for unprotected PKCS#8 containers --- diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c index 6f8499409f..defaac19d4 100644 --- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c +++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c @@ -121,6 +121,32 @@ end: return key; } +/** + * Try to decrypt the given blob using the given password and pkcs5 object. + */ +static private_key_t *decrypt_private_key_pw(key_type_t type, pkcs5_t *pkcs5, + chunk_t blob, chunk_t password) +{ + private_key_t *private_key; + chunk_t decrypted; + + if (!pkcs5->decrypt(pkcs5, password, blob, &decrypted)) + { + return NULL; + } + /* do a quick check to validate whether the password was correct */ + if (!is_asn1(decrypted)) + { + chunk_clear(&decrypted); + return NULL; + } + private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + type, BUILD_BLOB_ASN1_DER, + decrypted, BUILD_END); + chunk_clear(&decrypted); + return private_key; +} + /** * Try to decrypt the given blob with multiple passwords using the given * pkcs5 object. @@ -130,36 +156,26 @@ static private_key_t *decrypt_private_key(key_type_t type, pkcs5_t *pkcs5, { enumerator_t *enumerator; shared_key_t *shared; - private_key_t *private_key = NULL; + private_key_t *private_key; + + private_key = decrypt_private_key_pw(type, pkcs5, blob, chunk_empty); + if (private_key) + { + return private_key; + } enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PRIVATE_KEY_PASS, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { - chunk_t decrypted; - - if (!pkcs5->decrypt(pkcs5, shared->get_key(shared), blob, &decrypted)) - { - continue; - } - /* do a quick check to validate whether the password was correct */ - if (!is_asn1(decrypted)) - { - chunk_clear(&decrypted); - continue; - } - private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - type, BUILD_BLOB_ASN1_DER, - decrypted, BUILD_END); + private_key = decrypt_private_key_pw(type, pkcs5, blob, + shared->get_key(shared)); if (private_key) { - chunk_clear(&decrypted); break; } - chunk_free(&decrypted); } enumerator->destroy(enumerator); - return private_key; }