From 544fb1cf928a11e35bf45b1c9cd6aa0b778b1d8d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 4 Mar 2022 08:21:42 +0100
Subject: [PATCH] pkcs8: Parse the decrypted PKCS#8 structure via regular builders

This allows other plugins to parse such structures directly. The pkcs8 plugin is called recursively again if necessary.
---
 .../plugins/pkcs8/pkcs8_builder.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index 1d7a48fb26..9916def198 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -124,7 +124,8 @@ end:
  * Try to decrypt the given blob with multiple passwords using the given
  * pkcs5 object.
  */
-static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
+static private_key_t *decrypt_private_key(key_type_t type, pkcs5_t *pkcs5,
+										  chunk_t blob)
 {
 	enumerator_t *enumerator;
 	shared_key_t *shared;
@@ -140,7 +141,15 @@ static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
 		{
 			continue;
 		}
-		private_key = parse_private_key(decrypted);
+		/* do a quick check to validate whether the password was correct */
+		if (!is_asn1(decrypted))
+		{
+			chunk_clear(&decrypted);
+			continue;
+		}
+		private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+										 type, BUILD_BLOB_ASN1_DER,
+										 decrypted, BUILD_END);
 		if (private_key)
 		{
 			chunk_clear(&decrypted);
@@ -169,7 +178,7 @@ static const asn1Object_t encryptedPKIObjects[] = {
  * Load an encrypted private key from an ASN.1 encoded blob
  * Schemes per PKCS#5 (RFC 2898)
  */
-static private_key_t *parse_encrypted_private_key(chunk_t blob)
+static private_key_t *parse_encrypted_private_key(key_type_t type, chunk_t blob)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
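Review bot: The header comment above decrypt_private_key still describes only the pkcs5 object and the blob, while the new signature adds `type`, whose value now decides which private-key builders the credential factory will try on the plaintext. A one-line addition keeps the comment accurate, e.g. ` * The given key type is forwarded to the credential factory, which parses the plaintext.` The function body continues outside the hunk.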
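Review bot: `is_asn1(decrypted)` inspects only the outer tag and length, so a wrong password whose plaintext happens to begin with a well-formed header still passes and the whole builder chain runs on garbage; the comment `/* do a quick check to validate whether the password was correct */` overstates what the check establishes. Suggest rewording it to `/* cheap pre-check: a wrong password rarely yields a valid outer ASN.1 header; the builders below do the real validation */`. Because `decrypted` holds private-key plaintext, the branch taken when the factory returns NULL should wipe it with chunk_clear() exactly as the success path and the new early-continue do; that branch lies outside this hunk, so please confirm it. The enclosing loop and function continue outside the hunk.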
@@ -195,7 +204,7 @@ static private_key_t *parse_encrypted_private_key(chunk_t blob)
 		}
 		case EPKINFO_ENCRYPTED_DATA:
 		{
-			key = decrypt_private_key(pkcs5, object);
+			key = decrypt_private_key(type, pkcs5, object);
 			break;
 		}
 	}
@@ -230,7 +239,7 @@ private_key_t *pkcs8_private_key_load(key_type_t type, va_list args)
 			break;
 		}
 		/* we don't know whether it is encrypted or not, try both ways */
-		key = parse_encrypted_private_key(blob);
+		key = parse_encrypted_private_key(type, blob);
 		if (!key)
 		{
 			key = parse_private_key(blob);
--
2.47.2