[openssl] master update
Richard Levitte
levitte at openssl.org
Fri Aug 28 18:49:12 UTC 2020
The branch master has been updated
via bddfea0271d0596961a43283b36ff49923329a92 (commit)
via 87d91d223b869855c11f51b54541ba8139d30d8e (commit)
from b6ef3c7089e887427cde8c550e28211dc0c22dd1 (commit)
- Log -----------------------------------------------------------------
commit bddfea0271d0596961a43283b36ff49923329a92
Author: Richard Levitte <levitte at openssl.org>
Date: Thu Aug 27 16:05:53 2020 +0200
TEST: Adapt some tests for a stricter PEM_write_bio_PrivateKey_traditional()
- test/endecode_test.c
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12728)
commit 87d91d223b869855c11f51b54541ba8139d30d8e
Author: Richard Levitte <levitte at openssl.org>
Date: Thu Aug 27 07:18:55 2020 +0200
Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that. If not,
i2d_PrivateKey() will go on and use more modern methods, which are
all expected to produce PKCS#8.
To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added. If it is NULL, an error is returned.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12728)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/openssl.txt | 1 +
crypto/pem/pem_err.c | 4 ++-
crypto/pem/pem_pkey.c | 5 ++++
include/openssl/pemerr.h | 1 +
test/endecode_test.c | 66 +++++++++++++++++++++++++++++++++++++++---------
5 files changed, 64 insertions(+), 13 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index b530098d2f..43114dc545 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2768,6 +2768,7 @@ PEM_R_UNEXPECTED_DEK_IV:130:unexpected dek iv
PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher
PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption
PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components
+PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type
PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure
PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data
PKCS12_R_DECODE_ERROR:101:decode error
diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c
index 014aade185..132b15cb37 100644
--- a/crypto/pem/pem_err.c
+++ b/crypto/pem/pem_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -52,6 +52,8 @@ static const ERR_STRING_DATA PEM_str_reasons[] = {
"unsupported encryption"},
{ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS),
"unsupported key components"},
+ {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE),
+ "unsupported public key type"},
{0, NULL}
};
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index e355afe5f9..8aee82ea80 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -166,6 +166,11 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x,
pem_password_cb *cb, void *u)
{
char pem_str[80];
+
+ if (x->ameth == NULL || x->ameth->old_priv_encode == NULL) {
+ ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+ return 0;
+ }
BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str);
return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
pem_str, bp, x, enc, kstr, klen, cb, u);
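Review bot: The reason code raised on the new guard, `PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE` ("unsupported public key type"), is misleading on a private-key writer: a caller who sees it in the error queue will look for a public-key problem when the actual condition is that the key's method has no traditional (non-PKCS#8) private-key encoder. If a new reason cannot be added, the guard deserves a comment stating the real condition, e.g. `/* No old_priv_encode: i2d_PrivateKey() would fall back to PKCS#8, which is not a "traditional" form, so refuse instead of mislabelling it */`. The `x->ameth == NULL` half of the check also appears to close an unconditional dereference of `x->ameth->pem_str` on the following BIO_snprintf line that the old code performed; worth saying in the commit message if that was intentional. As a point of style, `BIO_snprintf(pem_str, sizeof(pem_str), ...)` would tie the bound to the buffer instead of repeating the literal 80. The function's closing brace lies outside the hunk.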
diff --git a/include/openssl/pemerr.h b/include/openssl/pemerr.h
index e3450e5eed..a8ad9f2c87 100644
--- a/include/openssl/pemerr.h
+++ b/include/openssl/pemerr.h
@@ -102,5 +102,6 @@ int ERR_load_PEM_strings(void);
# define PEM_R_UNSUPPORTED_CIPHER 113
# define PEM_R_UNSUPPORTED_ENCRYPTION 114
# define PEM_R_UNSUPPORTED_KEY_COMPONENTS 126
+# define PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE 110
#endif
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 0a2f5d0b40..5b1e06946f 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -684,11 +684,6 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
{ \
return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
} \
- static int test_unprotected_##KEYTYPE##_via_legacy_PEM(void) \
- { \
- return test_unprotected_via_legacy_PEM(KEYTYPEstr, \
- legacy_key_##KEYTYPE); \
- } \
static int test_protected_##KEYTYPE##_via_DER(void) \
{ \
return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE); \
@@ -697,11 +692,6 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
{ \
return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \
} \
- static int test_protected_##KEYTYPE##_via_legacy_PEM(void) \
- { \
- return test_protected_via_legacy_PEM(KEYTYPEstr, \
- legacy_key_##KEYTYPE); \
- } \
static int test_public_##KEYTYPE##_via_DER(void) \
{ \
return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE); \
@@ -714,13 +704,27 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
#define ADD_TEST_SUITE(KEYTYPE) \
ADD_TEST(test_unprotected_##KEYTYPE##_via_DER); \
ADD_TEST(test_unprotected_##KEYTYPE##_via_PEM); \
- ADD_TEST(test_unprotected_##KEYTYPE##_via_legacy_PEM); \
ADD_TEST(test_protected_##KEYTYPE##_via_DER); \
ADD_TEST(test_protected_##KEYTYPE##_via_PEM); \
- ADD_TEST(test_protected_##KEYTYPE##_via_legacy_PEM); \
ADD_TEST(test_public_##KEYTYPE##_via_DER); \
ADD_TEST(test_public_##KEYTYPE##_via_PEM)
+#define IMPLEMENT_TEST_SUITE_LEGACY(KEYTYPE, KEYTYPEstr) \
+ static int test_unprotected_##KEYTYPE##_via_legacy_PEM(void) \
+ { \
+ return test_unprotected_via_legacy_PEM(KEYTYPEstr, \
+ legacy_key_##KEYTYPE); \
+ } \
+ static int test_protected_##KEYTYPE##_via_legacy_PEM(void) \
+ { \
+ return test_protected_via_legacy_PEM(KEYTYPEstr, \
+ legacy_key_##KEYTYPE); \
+ }
+
+#define ADD_TEST_SUITE_LEGACY(KEYTYPE) \
+ ADD_TEST(test_unprotected_##KEYTYPE##_via_legacy_PEM); \
+ ADD_TEST(test_protected_##KEYTYPE##_via_legacy_PEM)
+
#ifndef OPENSSL_NO_DSA
# define IMPLEMENT_TEST_SUITE_MSBLOB(KEYTYPE, KEYTYPEstr) \
static int test_unprotected_##KEYTYPE##_via_MSBLOB(void) \
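Review bot: The new `IMPLEMENT_TEST_SUITE_LEGACY` / `ADD_TEST_SUITE_LEGACY` macros only cover the positive path; the key types the later hunks annotate with "no support for PEM_write_bio_PrivateKey_traditional(), so no legacy tests" (DH/DHX, ED25519/ED448/X25519/X448, RSA-PSS) get no negative test, so the stricter behaviour this series introduces is never asserted. A companion macro along the lines of `TEST_false(PEM_write_bio_PrivateKey_traditional(mem, legacy_key_##KEYTYPE, NULL, NULL, 0, NULL, NULL))` into a `BIO_s_mem()` BIO would pin that the writer refuses rather than silently emitting PKCS#8 under a traditional header. It has to be fed a key that carries an `EVP_PKEY_ASN1_METHOD` (the `legacy_key_` variety, as the positive tests use) rather than `key_##KEYTYPE`, otherwise it may pass via the `x->ameth == NULL` branch and prove nothing about `old_priv_encode`; whether `KEYS()`/`DOMAIN_KEYS()` define a `legacy_key_` for every one of those types is not visible in this diff.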
@@ -758,10 +762,15 @@ DOMAIN_KEYS(DH);
IMPLEMENT_TEST_SUITE(DH, "DH")
DOMAIN_KEYS(DHX);
IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH")
+/*
+ * DH has no support for PEM_write_bio_PrivateKey_traditional(),
+ * so no legacy tests.
+ */
#endif
#ifndef OPENSSL_NO_DSA
DOMAIN_KEYS(DSA);
IMPLEMENT_TEST_SUITE(DSA, "DSA")
+IMPLEMENT_TEST_SUITE_LEGACY(DSA, "DSA")
IMPLEMENT_TEST_SUITE_MSBLOB(DSA, "DSA")
# ifndef OPENSSL_NO_RC4
IMPLEMENT_TEST_SUITE_PVK(DSA, "DSA")
@@ -770,15 +779,20 @@ IMPLEMENT_TEST_SUITE_PVK(DSA, "DSA")
#ifndef OPENSSL_NO_EC
DOMAIN_KEYS(EC);
IMPLEMENT_TEST_SUITE(EC, "EC")
+IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC")
+IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
DOMAIN_KEYS(ECExplicitPrime2G);
IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")
+IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC")
+IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC")
DOMAIN_KEYS(ECExplicitTri2G);
IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC")
+IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC")
# endif
KEYS(ED25519);
IMPLEMENT_TEST_SUITE(ED25519, "ED25519")
@@ -788,11 +802,20 @@ KEYS(X25519);
IMPLEMENT_TEST_SUITE(X25519, "X25519")
KEYS(X448);
IMPLEMENT_TEST_SUITE(X448, "X448")
+/*
+ * ED25519, ED448, X25519 and X448 have no support for
+ * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
+ */
#endif
KEYS(RSA);
IMPLEMENT_TEST_SUITE(RSA, "RSA")
+IMPLEMENT_TEST_SUITE_LEGACY(RSA, "RSA")
KEYS(RSA_PSS);
IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS")
+/*
+ * RSA-PSS has no support for PEM_write_bio_PrivateKey_traditional(),
+ * so no legacy tests.
+ */
#ifndef OPENSSL_NO_DSA
IMPLEMENT_TEST_SUITE_MSBLOB(RSA, "RSA")
# ifndef OPENSSL_NO_RC4
@@ -1062,9 +1085,14 @@ int setup_tests(void)
#ifndef OPENSSL_NO_DH
ADD_TEST_SUITE(DH);
ADD_TEST_SUITE(DHX);
+ /*
+ * DH has no support for PEM_write_bio_PrivateKey_traditional(),
+ * so no legacy tests.
+ */
#endif
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
+ ADD_TEST_SUITE_LEGACY(DSA);
ADD_TEST_SUITE_MSBLOB(DSA);
# ifndef OPENSSL_NO_RC4
ADD_TEST_SUITE_PVK(DSA);
@@ -1072,19 +1100,33 @@ int setup_tests(void)
#endif
#ifndef OPENSSL_NO_EC
ADD_TEST_SUITE(EC);
+ ADD_TEST_SUITE_LEGACY(EC);
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
+ ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
ADD_TEST_SUITE(ECExplicitPrime2G);
+ ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
# ifndef OPENSSL_NO_EC2M
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
+ ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
ADD_TEST_SUITE(ECExplicitTri2G);
+ ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
ADD_TEST_SUITE(ED25519);
ADD_TEST_SUITE(ED448);
ADD_TEST_SUITE(X25519);
ADD_TEST_SUITE(X448);
+ /*
+ * ED25519, ED448, X25519 and X448 have no support for
+ * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
+ */
#endif
ADD_TEST_SUITE(RSA);
+ ADD_TEST_SUITE_LEGACY(RSA);
ADD_TEST_SUITE(RSA_PSS);
+ /*
+ * RSA-PSS has no support for PEM_write_bio_PrivateKey_traditional(),
+ * so no legacy tests.
+ */
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE_MSBLOB(RSA);
# ifndef OPENSSL_NO_RC4