x509: call the fixup functions after loading private keys

That way we can better report errors which relate to illegal
parameters being detected.

diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 9cd57aa524b741df90485d949d3e4100b702bf39..a3dc9ac7b635245333e2ea6806a99d8f327871be 100644 (file)
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2003-2012 Free Software Foundation, Inc.
- * Copyright (C) 2012-2015 Nikos Mavrogiannopoulos
+ * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2012-2016 Nikos Mavrogiannopoulos
+ * Copyright (C) 2015-2016 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -222,13 +223,6 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key,
        }
        pkey->params.params_nr++;
 
-       result =
-           _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_IMPORT, &pkey->params);
-       if (result < 0) {
-               gnutls_assert();
-               goto error;
-       }
-
        pkey->params.params_nr = RSA_PRIVATE_PARAMS;
 
        tmp_size = sizeof(tmp);
@@ -643,10 +637,16 @@ gnutls_x509_privkey_import(gnutls_x509_privkey_t key,
        if (key->key == NULL) {
                gnutls_assert();
                result = GNUTLS_E_ASN1_DER_ERROR;
-       } else {
-               result = 0;
+               goto cleanup;
        }
 
+       result =
+           _gnutls_pk_fixup(key->pk_algorithm, GNUTLS_IMPORT, &key->params);
+       if (result < 0) {
+               gnutls_assert();
+       }
+
+ cleanup:
        if (need_free)
                _gnutls_free_datum(&_data);
 
@@ -727,6 +727,7 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
                            const char *password, unsigned int flags)
 {
        int ret = 0;
+       int saved_ret = GNUTLS_E_PARSING_ERROR;
        char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
        unsigned head_enc = 1;
 
@@ -770,6 +771,7 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
 
                if (ret < 0) {
                        gnutls_assert();
+                       saved_ret = ret;
                        /* fall through to PKCS #8 decoding */
                }
        }
@@ -794,6 +796,9 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
                                                     password, flags);
                }
 
+               if (saved_ret == GNUTLS_E_PARSING_ERROR)
+                       saved_ret = ret;
+
                if (ret < 0) {
                        if (ret == GNUTLS_E_DECRYPTION_FAILED)
                                goto cleanup;
@@ -822,6 +827,9 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
        ret = 0;
 
       cleanup:
+       if (ret == GNUTLS_E_PARSING_ERROR)
+               ret = saved_ret;
+
        return ret;
 }
 
@@ -1060,6 +1068,13 @@ gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key,
                goto cleanup;
        }
 
+       ret =
+           _gnutls_pk_fixup(GNUTLS_PK_DSA, GNUTLS_IMPORT, &key->params);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
        ret =
            _gnutls_asn1_encode_privkey(GNUTLS_PK_DSA, &key->key,
                                        &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
@@ -1138,6 +1153,13 @@ gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key,
        }
        key->params.params_nr++;
 
+       ret =
+           _gnutls_pk_fixup(GNUTLS_PK_EC, GNUTLS_IMPORT, &key->params);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
        key->pk_algorithm = GNUTLS_PK_EC;
        key->params.algo = key->pk_algorithm;
 

diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index ca438656b40dd27571f2ce8b24f2faf9273cf5a0..f84d913e87ba4194490a2fd3a22ed4178e74add2 100644 (file)
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -34,6 +34,7 @@
 #include <algorithms.h>
 #include <num.h>
 #include <random.h>
+#include <pk.h>
 #include <nettle/pbkdf2.h>
 
 static int _decode_pkcs8_ecc_key(ASN1_TYPE pkcs8_asn,
@@ -1507,12 +1508,18 @@ gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key,
                goto cleanup;
        }
 
+       result =
+           _gnutls_pk_fixup(key->pk_algorithm, GNUTLS_IMPORT, &key->params);
+       if (result < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
        if (need_free)
                _gnutls_free_datum(&_data);
 
        /* The key has now been decoded.
         */
-
        return 0;
 
       cleanup: