authorNikos Mavrogiannopoulos <nmav@gnutls.org>2010-07-24 16:18:20 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2010-07-24 16:25:09 +0200
commit79e34700083ea05129a2528d53dda161a04e3d27 (patch)
tree67b664c5722bfba899d76714642c63303a09e581
parentca71c7f33407faeaca6d89a96c9d3466b37234d9 (diff)
gnutls_x509_privkey_import() will fall back to gnutls_x509_privkey_import_pkcs8() without a password, if it is unable to decode the key.
-rw-r--r--NEWS4
-rw-r--r--lib/gnutls_x509.c8
-rw-r--r--lib/x509/privkey.c26
-rw-r--r--src/certtool.c15
4 files changed, 27 insertions, 26 deletions
diff --git a/NEWS b/NEWS
index 0af5b2c53a..141ddf501a 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,10 @@ with strange OIDs.
** gnutls-cli: Allow verification using V1 CAs.
+** libgnutls: gnutls_x509_privkey_import() will fallback to
+gnutls_x509_privkey_import_pkcs8() without a password, if it
+is unable to decode the key.
+
** libgnutls: Correctly deinitialize crypto API functions to prevent
a memory leak. Reported by Mads Kiilerich.
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index d93406a422..5dd01efea8 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -544,14 +544,6 @@ _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
}
ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
-
-#ifdef ENABLE_PKI
- /* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
- if (ret < 0)
- ret = gnutls_x509_privkey_import_pkcs8 (tmpkey, raw_key, type,
- NULL, GNUTLS_PKCS_PLAIN);
-#endif
-
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index f49380478b..bc1c31e3c6 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -357,7 +357,8 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
/* Try the first header */
result =
_gnutls_fbase64_decode (PEM_KEY_RSA, data->data, data->size, &out);
- key->pk_algorithm = GNUTLS_PK_RSA;
+
+ if (result >= 0) key->pk_algorithm = GNUTLS_PK_RSA;
if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
{
@@ -365,15 +366,16 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
result =
_gnutls_fbase64_decode (PEM_KEY_DSA, data->data, data->size,
&out);
- key->pk_algorithm = GNUTLS_PK_DSA;
-
if (result <= 0)
{
if (result == 0)
result = GNUTLS_E_INTERNAL_ERROR;
gnutls_assert ();
- return result;
+
+ goto failover;
}
+
+ key->pk_algorithm = GNUTLS_PK_DSA;
}
_data.data = out;
@@ -415,7 +417,7 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
{
gnutls_assert ();
result = GNUTLS_E_ASN1_DER_ERROR;
- goto cleanup;
+ goto failover;
}
if (need_free)
@@ -426,10 +428,20 @@ gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
return 0;
-cleanup:
- key->pk_algorithm = GNUTLS_PK_UNKNOWN;
+failover:
+ /* Try PKCS #8 */
+#ifdef ENABLE_PKI
+ if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
+ {
+ _gnutls_debug_log("Falling back to PKCS #8 key decoding\n");
+ result = gnutls_x509_privkey_import_pkcs8 (key, data, format,
+ NULL, GNUTLS_PKCS_PLAIN);
+ }
+#endif
+
if (need_free)
_gnutls_free_datum (&_data);
+
return result;
}
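Review bot: The failure path no longer resets `key->pk_algorithm`: the removed `cleanup:` label set it to GNUTLS_PK_UNKNOWN, while the new `failover:` label only attempts the PKCS #8 import and returns, so a PEM key whose RSA or DSA header decoded (which assigns pk_algorithm in the earlier hunks) but whose DER body is rejected with GNUTLS_E_ASN1_DER_ERROR returns the error with pk_algorithm still set to the guessed algorithm. Callers that inspect pk_algorithm after a failed import could then treat an unpopulated key as usable; restoring the reset after the fallback, `if (result < 0) key->pk_algorithm = GNUTLS_PK_UNKNOWN;`, keeps the old contract. Note also that the fallback fires only on GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR, which presumably only the PEM header decoding can produce, whereas the fallback removed from lib/gnutls_x509.c applied to any negative return, so a DER-encoded PKCS #8 key loaded through that path apparently no longer falls back at all. gnutls_x509_privkey_import begins outside this hunk.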
diff --git a/src/certtool.c b/src/certtool.c
index 4ffc721273..8d6efd29e5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1539,20 +1539,13 @@ privkey_info (void)
/* If we failed to import the certificate previously try PKCS #8 */
if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
{
- /* first try to import the key without asking any password */
+ if (info.pass)
+ pass = info.pass;
+ else
+ pass = get_pass ();
ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
- info.incert_format,
- NULL, GNUTLS_PKCS_PLAIN);
- if (ret < 0)
- {
- if (info.pass)
- pass = info.pass;
- else
- pass = get_pass ();
- ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
info.incert_format,
pass, 0);
- }
}
if (ret < 0)
error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
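Review bot: With the password-less attempt removed, every entry into this branch without --password now calls get_pass() and blocks on a prompt, including for an unencrypted PKCS #8 key, which changes non-interactive use of `certtool --pkcs8` that previously succeeded without input. Whether the earlier gnutls_x509_privkey_import call (outside the hunk) now absorbs the plaintext case depends on the library being built with ENABLE_PKI and on which error it returns otherwise, so consider retaining one GNUTLS_PKCS_PLAIN attempt when info.pass is unset and prompting only if that fails. The retained comment still says "import the certificate" although this is a private key; `/* If the plain import failed, try PKCS #8 (prompting for a password) */` reads better. privkey_info starts before this hunk.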