fix external key handling
authorFrancis Dupont <fdupont@isc.org>
Fri, 17 Jan 2014 16:12:20 +0000 (17:12 +0100)
committerFrancis Dupont <fdupont@isc.org>
Fri, 17 Jan 2014 16:12:20 +0000 (17:12 +0100)
lib/dns/opensslgost_link.c
lib/dns/pkcs11dsa_link.c
lib/dns/pkcs11ecdsa_link.c
lib/dns/pkcs11gost_link.c

index e10f9f4808d35666b49f4f4e47673eea877a5c82..d3cbb4fab87f63596facf61d772775be43a4b048 100644 (file)
@@ -398,6 +398,11 @@ opensslgost_tofile(const dst_key_t *key, const char *directory) {
        if (key->keydata.pkey == NULL)
                return (DST_R_NULLKEY);
 
+       if (key->external) {
+               priv.nelements = 0;
+               return (dst__privstruct_writefile(key, &priv, directory));
+       }
+
        pkey = key->keydata.pkey;
        eckey = EVP_PKEY_get0(pkey);
        if (eckey == NULL)
index c0c4c4abcc2f3491bdcd8a4a44f174a040f518d0..f277a5551db5019bdc7df041efc70e7cd5e5821f 100644 (file)
@@ -928,6 +928,12 @@ pkcs11dsa_tofile(const dst_key_t *key, const char *directory) {
            (pub_key == NULL) || (priv_key ==NULL))
                return (DST_R_NULLKEY);
 
+       if (key->external) {
+               priv.nelements = 0;
+               result = dst__privstruct_writefile(key, &priv, directory);
+               goto fail;
+       }
+
        priv.elements[cnt].tag = TAG_DSA_PRIME;
        priv.elements[cnt].length = (unsigned short) prime->ulValueLen;
        memcpy(bufs[cnt], prime->pValue, prime->ulValueLen);
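Review bot: The new external branch sits after the `(pub_key == NULL) || (priv_key ==NULL)` check on the lines above, so a key whose private component is absent is rejected with DST_R_NULLKEY before `key->external` is ever tested. If external keys are exactly those without a private object in the token (which `priv.nelements = 0` suggests but the hunk does not show), the branch is unreachable for them; moving `if (key->external)` ahead of the NULL check on `priv_key`, keeping only the checks the empty write needs, would fix that. The ecdsa and gost variants only check `keydata.pkey` first and are not affected. pkcs11dsa_tofile's `fail` label is outside the hunk.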
@@ -977,6 +983,9 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        if (ret != ISC_R_SUCCESS)
                return (ret);
 
+       if (key->external && priv.nelements != 0)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+
        dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
        if (dsa == NULL)
                DST_RET(ISC_R_NOMEMORY);
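Review bot: The new `key->external && priv.nelements != 0` check encodes a policy (an external key file must carry no private elements) without a comment, and the same bare check appears in pkcs11ecdsa_parse and pkcs11gost_parse. Suggest `/* an external key carries no private elements; anything else is a malformed file */` above it, wording hedged on what "external" means in this module. DST_RET on this path fires before `dsa` is allocated, so the cleanup it jumps to must tolerate a NULL dsa and still release `priv`; that label is outside the hunk and should be checked. pkcs11dsa_parse continues past the hunk.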
index 61d69c62c87b24d28e35808651372135e11fa591..572e47e6ec5ad9f43a9d923c0c617184831525f6 100644 (file)
@@ -755,6 +755,12 @@ pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
        if (key->keydata.pkey == NULL)
                return (DST_R_NULLKEY);
 
+       if (key->external) {
+               priv.nelements = 0;
+               result = dst__privstruct_writefile(key, &priv, directory);
+               goto fail;
+       }
+
        ec = key->keydata.pkey;
        attr = pk11_attribute_bytype(ec, CKA_VALUE);
        if (attr != NULL) {
@@ -924,6 +930,9 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        if (ret != ISC_R_SUCCESS)
                return (ret);
 
+       if (key->external && priv.nelements != 0)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+
        for (i = 0; i < priv.nelements; i++) {
                switch (priv.elements[i].tag) {
                case TAG_ECDSA_ENGINE:
index d7d429d69733b6b81bdf082a3e0abb48b6b64087..81585336eaac8d8e0ae7bae7c0905414c7800220 100644 (file)
@@ -720,6 +720,12 @@ pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
        if (key->keydata.pkey == NULL)
                return (DST_R_NULLKEY);
 
+       if (key->external) {
+               priv.nelements = 0;
+               result = dst__privstruct_writefile(key, &priv, directory);
+               goto fail;
+       }
+
        gost = key->keydata.pkey;
        attr = pk11_attribute_bytype(gost, CKA_VALUE2);
        if (attr != NULL) {
@@ -759,6 +765,9 @@ pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        if (ret != ISC_R_SUCCESS)
                return (ret);
 
+       if (key->external && priv.nelements != 0)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+
        if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
                dst__privstruct_free(&priv, mctx);
                memset(&priv, 0, sizeof(priv));
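Review bot: Once the new check admits an external key with `priv.nelements == 0`, the next line still reads `priv.elements[0].tag` unconditionally, so it inspects an element that was never parsed; unless dst__privstruct_parse zeroes the struct (not visible here) that is an uninitialized read, and even if zeroed it relies on TAG_GOST_PRIVASN1 not being 0. Guarding the access with the count, `if (priv.nelements > 0 && priv.elements[0].tag == TAG_GOST_PRIVASN1) {`, keeps the external path away from elements[]. The ecdsa parser loops `for (i = 0; i < priv.nelements; i++)` and is safe; the dsa parser's element handling is outside its hunk. pkcs11gost_parse continues outside the hunk.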