author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-07-24 16:18:20 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-07-24 16:25:09 +0200 |
commit | 79e34700083ea05129a2528d53dda161a04e3d27 (patch) | |
tree | 67b664c5722bfba899d76714642c63303a09e581 | |
parent | ca71c7f33407faeaca6d89a96c9d3466b37234d9 (diff) | |
download | gnutls-79e34700083ea05129a2528d53dda161a04e3d27.tar.gz |
gnutls_x509_privkey_import() will fall back to gnutls_x509_privkey_import_pkcs8() without a password if it is unable to decode the key.
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 8 | ||||
-rw-r--r-- | lib/x509/privkey.c | 26 | ||||
-rw-r--r-- | src/certtool.c | 15 |
4 files changed, 27 insertions, 26 deletions
@@ -10,6 +10,10 @@ with strange OIDs.
 ** gnutls-cli: Allow verification using V1 CAs.
+** libgnutls: gnutls_x509_privkey_import() will fallback to
+gnutls_x509_privkey_import_pkcs8() without a password, if it
+is unable to decode the key.
+
 ** libgnutls: Correctly deinitialize crypto API functions to prevent a memory leak. Reported by Mads Kiilerich.
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index d93406a422..5dd01efea8 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -544,14 +544,6 @@ _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
 }
 ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
-
-#ifdef ENABLE_PKI
- /* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
- if (ret < 0)
- ret = gnutls_x509_privkey_import_pkcs8 (tmpkey, raw_key, type,
- NULL, GNUTLS_PKCS_PLAIN);
-#endif
-
 if (ret < 0)
 {
 gnutls_assert ();
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index f49380478b..bc1c31e3c6 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -357,7 +357,8 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
 /* Try the first header */
 result = _gnutls_fbase64_decode (PEM_KEY_RSA, data->data, data->size, &out);
- key->pk_algorithm = GNUTLS_PK_RSA;
+
+ if (result >= 0) key->pk_algorithm = GNUTLS_PK_RSA;
 if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
 {
@@ -365,15 +366,16 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
 result = _gnutls_fbase64_decode (PEM_KEY_DSA, data->data, data->size, &out);
- key->pk_algorithm = GNUTLS_PK_DSA;
-
 if (result <= 0)
 {
 if (result == 0) result = GNUTLS_E_INTERNAL_ERROR;
 gnutls_assert ();
- return result;
+
+ goto failover;
 }
+
+ key->pk_algorithm = GNUTLS_PK_DSA;
 }
 _data.data = out;
@@ -415,7 +417,7 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
 {
 gnutls_assert ();
 result = GNUTLS_E_ASN1_DER_ERROR;
- goto cleanup;
+ goto failover;
 }
 if (need_free)
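Review bot: `goto failover;` in the GNUTLS_E_ASN1_DER_ERROR branch of the third lib/x509/privkey.c hunk drops the `key->pk_algorithm = GNUTLS_PK_UNKNOWN;` reset that the old `cleanup:` label performed (the label itself changes in the next hunk), while the first hunk now assigns GNUTLS_PK_RSA as soon as the base64 decode succeeds; a key whose PEM header was recognised but whose DER body is rejected is therefore left reporting RSA or DSA after a failed import. The fallback at `failover:` only runs for GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR, so that path reaches the final `return result;` with the stale value. Restoring the reset on the error path after the `#endif` keeps the old contract: `if (result < 0)` / `key->pk_algorithm = GNUTLS_PK_UNKNOWN;` — assuming gnutls_x509_privkey_import_pkcs8() sets the algorithm itself when the fallback succeeds. gnutls_x509_privkey_import() starts before this hunk and continues after it.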
@@ -426,10 +428,20 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
 return 0;
-cleanup:
- key->pk_algorithm = GNUTLS_PK_UNKNOWN;
+failover:
+ /* Try PKCS #8 */
+#ifdef ENABLE_PKI
+ if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
+ {
+ _gnutls_debug_log("Falling back to PKCS #8 key decoding\n");
+ result = gnutls_x509_privkey_import_pkcs8 (key, data, format,
+ NULL, GNUTLS_PKCS_PLAIN);
+ }
+#endif
+
 if (need_free)
 _gnutls_free_datum (&_data);
+
 return result;
 }
diff --git a/src/certtool.c b/src/certtool.c
index 4ffc721273..8d6efd29e5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1539,20 +1539,13 @@ privkey_info (void)
 /* If we failed to import the certificate previously try PKCS #8 */
 if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
 {
- /* first try to import the key without asking any password */
+ if (info.pass)
+ pass = info.pass;
+ else
+ pass = get_pass ();
 ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
- info.incert_format,
- NULL, GNUTLS_PKCS_PLAIN);
- if (ret < 0)
- {
- if (info.pass)
- pass = info.pass;
- else
- pass = get_pass ();
- ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
 info.incert_format, pass, 0);
- }
 }
 if (ret < 0)
 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
|
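Review bot: The `/* Try PKCS #8 */` comment at `failover:` in lib/x509/privkey.c does not say when the retry happens or which error the caller ends up with, and both matter: the fallback replaces the original GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR with whatever gnutls_x509_privkey_import_pkcs8() returns for a NULL password, and it is compiled out entirely without ENABLE_PKI, in which case `result` is returned unchanged. Suggested replacement: `/* Neither the RSA nor the DSA PEM header matched: retry as an unencrypted PKCS #8 key. If that also fails, the PKCS #8 error (not the header error) is returned; without ENABLE_PKI the header error is returned unchanged. */`. The function's API documentation, outside this hunk, should state the same fallback since callers that dispatched on the header error will observe different codes. gnutls_x509_privkey_import() starts before this hunk.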
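Review bot: The trigger `ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR` kept as context in the src/certtool.c hunk is probably no longer reachable for a PKCS #8 key, because the lib/x509/privkey.c change already retries plain PKCS #8 on exactly that error and, when the retry fails, returns the PKCS #8 error instead; an encrypted PKCS #8 key supplied without info.pkcs8 would then hit the "import error" exit below rather than the new password prompt. Conversely, when info.pkcs8 is set and the import above the hunk already succeeded for an unencrypted key, the new code still calls get_pass() and re-imports. I would gate the block on the first import having failed, `if (ret < 0 && (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR))`, and extend the condition with the error that a NULL-password PKCS #8 import returns for an encrypted key, which the page does not show. privkey_info() starts before this hunk and continues after it.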