From: Timo Teräs
Date: Fri, 28 Jul 2023 10:18:40 +0000 (+0300)
Subject: Fix support for engine/provider ECDSA keys
X-Git-Tag: v9.19.17~62^2~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8de089e514337d10bf6a8f32c400038ea620c139;p=thirdparty%2Fbind9.git

Fix support for engine/provider ECDSA keys

Exporting private key of on-token keys is not possible. Fix code to not fail in this case.
---
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index e064c7e7f54..2f9e1c51557 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -846,16 +846,14 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
 keylen = opensslecdsa_key_alg_to_publickey_size(key->key_alg) / 2;
 INSIST(keylen <= sizeof(buf));

- if (!opensslecdsa_extract_private_key(key, buf, keylen)) {
- DST_RET(DST_R_OPENSSLFAILURE);
- }

 i = 0;
- priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
- priv.elements[i].length = keylen;
- priv.elements[i].data = buf;
- i++;
-
+ if (opensslecdsa_extract_private_key(key, buf, keylen)) {
+ priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+ priv.elements[i].length = keylen;
+ priv.elements[i].data = buf;
+ i++;
+ }
 if (key->engine != NULL) {
 priv.elements[i].tag = TAG_ECDSA_ENGINE;
 priv.elements[i].length = (unsigned short)strlen(key->engine) +
@@ -929,10 +927,6 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 }
 }

- if (privkey_index < 0) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-
 if (label != NULL) {
 ret = opensslecdsa_fromlabel(key, engine, label, NULL);
 if (ret != ISC_R_SUCCESS) {
@@ -947,6 +941,10 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 DST_RET(ISC_R_SUCCESS);
 }

+ if (privkey_index < 0) {
+ DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ }
+
 ret = opensslecdsa_create_pkey(
 key->key_alg, true, priv.elements[privkey_index].data,
 priv.elements[privkey_index].length, &pkey);
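Review bot: The new `if (opensslecdsa_extract_private_key(key, buf, keylen))` block in opensslecdsa_tofile turns every extraction failure into a silent omission of TAG_ECDSA_PRIVATEKEY, not only the on-token case the commit message describes; for an ordinary software key an OpenSSL error now yields a private-key file with neither a private key nor an engine element, and the fault only surfaces later as DST_R_INVALIDPRIVATEKEY when that file is parsed. Keep the hard failure for keys that are not token-backed, which this hunk distinguishes by `key->engine != NULL` (a label element presumably follows outside the hunk, so the test may need to cover both): `} else if (key->engine == NULL) { DST_RET(DST_R_OPENSSLFAILURE); }` appended to the new block. A comment above the `if`, such as `/* On-token keys cannot export their private key; the engine/label elements identify them instead. */`, would record why a missing element is acceptable here. opensslecdsa_tofile starts and ends outside this hunk, so whether buf is zeroed after a partial extraction could not be checked.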
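Review bot: The relocated `if (privkey_index < 0)` check in opensslecdsa_parse is now the only rejection of a key file carrying neither a TAG_ECDSA_PRIVATEKEY element nor a label, yet nothing says why it must sit after the `if (label != NULL)` early return; a comment such as `/* Token-backed keys (label set) returned above without key material; only software keys must carry TAG_ECDSA_PRIVATEKEY. */` would keep the next maintainer from moving it back. The result is still wrapped in dst__openssl_toresult() although no OpenSSL call precedes it on this path; if that helper consults the OpenSSL error queue (not visible here), a stale queued error could replace DST_R_INVALIDPRIVATEKEY, so a plain `DST_RET(DST_R_INVALIDPRIVATEKEY);` would be more predictable. opensslecdsa_parse continues past the end of this hunk.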