From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 9 Aug 2018 06:45:48 +0000 (+0200)
Subject: pkcs1: Accept EC private keys without public key but make sure of an OID
X-Git-Tag: 5.7.0rc1~4^2~18
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=ba7e74291e1650714b724e37cd43640f9cb65610;p=thirdparty%2Fstrongswan.git

pkcs1: Accept EC private keys without public key but make sure of an OID
---

diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 967e501d19..c934f0b1d4 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -271,7 +271,8 @@ end:
  * }
  *
  * While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that
- * parameters MUST be included and publicKey SHOULD be.
+ * parameters MUST be included (an errata clarifies this, so this is only the
+ * case for plain private keys, not encoded in PKCS#8) and publicKey SHOULD be.
  */
 static bool is_ec_private_key(chunk_t blob)
 {
@@ -281,7 +282,8 @@ static bool is_ec_private_key(chunk_t blob)
 		   asn1_parse_integer_uint64(data) == 1 &&
 		   asn1_unwrap(&blob, &data) == ASN1_OCTET_STRING &&
 		   asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_0 &&
-		   asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1;
+		   asn1_unwrap(&data, &data) == ASN1_OID &&
+		   (!blob.len || (asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1));
 }
 
 /**