From: Nikos Mavrogiannopoulos Date: Sat, 28 Sep 2019 10:42:12 +0000 (+0200) Subject: certtool: ensure that PKCS#8 file does not contain key description X-Git-Tag: gnutls_3_6_10~2^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a3ec822a005bc6446fda8cd263dfc2c0d66cfc8a;p=thirdparty%2Fgnutls.git certtool: ensure that PKCS#8 file does not contain key description Resolves: #840 Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/NEWS b/NEWS index 2a29f50649..64ef7e006a 100644 --- a/NEWS +++ b/NEWS @@ -30,6 +30,9 @@ See the end for copying conditions. modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in RFC 7836. +** certtool: when outputting an encrypted private key do not insert the textual description + of it. This fixes a regression since 3.6.5 (#840). + ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added diff --git a/src/certtool-common.c b/src/certtool-common.c index 66b81e5508..3fafa5977c 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c @@ -1382,13 +1382,13 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k /* Only print private key parameters when an unencrypted * format is used */ - if (cinfo->outtext) - privkey_info_int(outfile, cinfo, key); - switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key)); if (!cinfo->pkcs8) { + if (cinfo->outtext) + privkey_info_int(outfile, cinfo, key); + size = lbuffer_size; ret = gnutls_x509_privkey_export(key, cinfo->outcert_format, lbuffer, &size); @@ -1404,6 +1404,9 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k pass = get_password(cinfo, &flags, 0); flags |= cipher_to_flags(cinfo->pkcs_cipher); + if (cinfo->outtext && (flags & GNUTLS_PKCS_PLAIN)) + privkey_info_int(outfile, cinfo, key); + size = lbuffer_size; ret = gnutls_x509_privkey_export_pkcs8(key, cinfo->outcert_format, 
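Review bot: In the first src/certtool-common.c hunk the comment `/* Only print private key parameters when an unencrypted format is used */` is left above the `switch_to_pkcs8_when_needed()` call, while the `privkey_info_int()` call it describes has moved into the `!cinfo->pkcs8` branch and a second one sits behind `flags & GNUTLS_PKCS_PLAIN` in the next hunk. I would move the comment down to the first print and add one at the second, e.g. `/* the text dump exposes private parameters: emit it only when the PKCS#8 export is unencrypted */`. The second guard looks only at the flag bit, so it presumably relies on `get_password()` setting `GNUTLS_PKCS_PLAIN` in exactly the cases where the exporter writes a plaintext key; that is not visible here and is worth stating in the comment. `print_private_key()` begins and ends outside both hunks.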
diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index 37cea545f2..e604634678 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool @@ -47,6 +47,13 @@ if test -n "${SETSID}";then exit 1 fi + grep 'modulus:' ${TMPFILE1} + if test $? = 0;then + cat ${TMPFILE1} + echo "PKCS#8 file contains text modulus" + exit 1 + fi + #check whether password is being honoured #some CI runners need GNUTLS_PIN (GNUTLS_PIN=${PASS}) ${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <
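Review bot: The added check `grep 'modulus:' ${TMPFILE1}` detects the leak only through one field label, so a text dump without a `modulus:` line (presumably any non-RSA key) would pass even though private parameters sit beside the encrypted key; the key type written to `${TMPFILE1}` is chosen outside this hunk. A label-independent check is stricter, for example failing on any line that is neither PEM armour nor base64: `if grep -v -q -e '^-----' -e '^[A-Za-z0-9+/=]*$' "${TMPFILE1}"; then`. Quoting `"${TMPFILE1}"` and testing grep directly with `-q` instead of `test $? = 0` would also keep the matched key text out of the test log.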