certtool: ensure that PKCS#8 file does not contain key description

Resolves: #840

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

diff --git a/NEWS b/NEWS
index 2a29f50649df0c627022a4f0f675d821a6286e6b..64ef7e006ad4f5778b5c18786bf8c5bde552e742 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,9 @@ See the end for copying conditions.
    modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
    RFC 7836.
 
+** certtool: when outputting an encrypted private key do not insert the textual description
+   of it. This fixes a regression since 3.6.5 (#840).
+
 ** API and ABI modifications:
 gnutls_aead_cipher_encryptv2: Added
 gnutls_aead_cipher_decryptv2: Added

diff --git a/src/certtool-common.c b/src/certtool-common.c
index 66b81e5508bde70e10fd9b0c38092144b0eed0f9..3fafa5977cba38fdbf4e0073a8afd3e7d86d4d62 100644 (file)
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1382,13 +1382,13 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
 
        /* Only print private key parameters when an unencrypted
         * format is used */
-       if (cinfo->outtext)
-               privkey_info_int(outfile, cinfo, key);
-
        switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
 
        if (!cinfo->pkcs8) {
 
+               if (cinfo->outtext)
+                       privkey_info_int(outfile, cinfo, key);
+
                size = lbuffer_size;
                ret = gnutls_x509_privkey_export(key, cinfo->outcert_format,
                                                 lbuffer, &size);
@@ -1404,6 +1404,9 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
                pass = get_password(cinfo, &flags, 0);
                flags |= cipher_to_flags(cinfo->pkcs_cipher);
 
+               if (cinfo->outtext && (flags & GNUTLS_PKCS_PLAIN))
+                       privkey_info_int(outfile, cinfo, key);
+
                size = lbuffer_size;
                ret =
                    gnutls_x509_privkey_export_pkcs8(key, cinfo->outcert_format,

diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool
index 37cea545f26c5c2ffb494eafb7f32200950666a4..e60463467863696316b504daacdabece4cf3c504 100755 (executable)
--- a/tests/cert-tests/certtool
+++ b/tests/cert-tests/certtool
@@ -47,6 +47,13 @@ if test -n "${SETSID}";then
                exit 1
        fi
 
+       grep 'modulus:' ${TMPFILE1}
+       if test $? = 0;then
+               cat ${TMPFILE1}
+               echo "PKCS#8 file contains text modulus"
+               exit 1
+       fi
+
        #check whether password is being honoured
        #some CI runners need GNUTLS_PIN (GNUTLS_PIN=${PASS})
        ${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF

diff --git a/tests/cert-tests/certtool-rsa-pss b/tests/cert-tests/certtool-rsa-pss
index 617591377d4a73e578a08251d07e264f74a660bd..aed79ff2e26b204f5cf859a11cd15f96807161f8 100755 (executable)
--- a/tests/cert-tests/certtool-rsa-pss
+++ b/tests/cert-tests/certtool-rsa-pss
@@ -35,6 +35,24 @@ if ! test -z "${VALGRIND}"; then
        VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
 fi
 
+# Create an RSA-PSS private key, restricted to the use with RSA-PSS
+${VALGRIND} "${CERTTOOL}" --generate-privkey \
+        --key-type rsa-pss --outfile "$OUTFILE"
+rc=$?
+
+if test "${rc}" != "0"; then
+       echo "Could not generate an RSA-PSS key"
+       exit 1
+fi
+
+# check whether description is present
+grep 'modulus:' ${OUTFILE}
+if test $? != 0;then
+       cat ${OUTFILE}
+       echo "PKCS#8 file does not contain modulus text"
+       exit 1
+fi
+
 for i in sha256 sha384 sha512;do
 if test "${GNUTLS_FORCE_FIPS_MODE}" = 1 && test "$i" != sha384;then
        continue