authorCraig Gallek <cgallek@gmail.com>2021-08-11 12:54:37 -0400
committerCraig Gallek <cgallek@gmail.com>2021-08-15 10:20:31 -0400
commit2acdce9a32811bd96e908ca7e6c7597a9640550a (patch)
treeb5917a5c3dd1fe21724ab5486bb3a035caa2eef4 /tests
parent8c14abad0210ae961dff9553c1872fc35e88e0d0 (diff)
downloadgnutls-2acdce9a32811bd96e908ca7e6c7597a9640550a.tar.gz
x509: pin/password callback support for openssl encrypted private keys
This attempts to use the registered pin callback when no password for an encrypted OpenSSL-format private key is supplied. This matches the existing behaviour for PKCS#8 encrypted keys and is similar to what OpenSSL does in this situation. Signed-off-by: Craig Gallek <cgallek@gmail.com>
Diffstat (limited to 'tests')
-rw-r--r--tests/key-openssl.c71
1 files changed, 71 insertions, 0 deletions
diff --git a/tests/key-openssl.c b/tests/key-openssl.c
index d2c8a724bb..10c1514fb6 100644
--- a/tests/key-openssl.c
+++ b/tests/key-openssl.c
@@ -95,6 +95,20 @@ const char key2[] =
"F3bDyqlxSOm7uxF/K3YzI44v8/D8GGnLBTpN+ANBdiY=\n"
"-----END RSA PRIVATE KEY-----\n";
+static int good_pwd_cb(void* userdata, int attempt, const char* token_url,
+ const char* token_label, unsigned int flags,
+ char* pin, size_t pin_max) {
+ snprintf(pin, pin_max, "%s", "123456");
+ return 0;
+}
+
+static int bad_pwd_cb(void* userdata, int attempt, const char* token_url,
+ const char* token_label, unsigned int flags,
+ char* pin, size_t pin_max) {
+ snprintf(pin, pin_max, "%s", "bad");
+ return 0;
+}
+
void doit(void)
{
gnutls_x509_privkey_t pkey;
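Review bot: The two new callbacks are written in a style that differs from the rest of this file and from GnuTLS's kernel-style convention: the pointer declarator is attached to the type (`void* userdata`, `char* pin`) and the opening brace sits on the signature line, whereas the surrounding code (`void doit(void)` / `{`) puts it on its own line. I would write `static int good_pwd_cb(void *userdata, int attempt, const char *token_url,` with the `{` on the following line, and the same for `bad_pwd_cb`. Five of the seven parameters are unused in both callbacks, which will trip `-Wunused-parameter` in builds that enable it; a one-line comment such as `/* fixed-answer pin callback for the test; token/attempt arguments are ignored */` above each would make the intent explicit. The truncation result of `snprintf` is not checked, which is presumably fine here because the library's pin buffer is far larger than either literal, but that assumption is not visible in this hunk.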
@@ -167,5 +181,62 @@ void doit(void)
}
gnutls_x509_privkey_deinit(pkey);
+ /*
+ * Pin callback passwords will only be used if the password supplied to
+ * gnutls_x509_privkey_import2 in NULL. Consider possible combinations
+ * of passwords supplied via the import function/pin callback:
+ * good/bad => success
+ * NULL/good => success
+ * NULL/bad => failure
+ */
+
+ /* import_openssl good / callback bad => success */
+ ret = gnutls_x509_privkey_init(&pkey);
+ if (ret < 0)
+ fail("gnutls_x509_privkey_init: %d\n", ret);
+
+ gnutls_x509_privkey_set_pin_function(pkey, bad_pwd_cb, NULL);
+ key.data = (void *) key1;
+ key.size = sizeof(key1);
+ ret = gnutls_x509_privkey_import2(pkey, &key, GNUTLS_X509_FMT_PEM,
+ "123456", 0);
+ if (ret < 0) {
+ fail("gnutls_x509_privkey_import2 (good func/bad pin): %s\n",
+ gnutls_strerror(ret));
+ }
+ gnutls_x509_privkey_deinit(pkey);
+
+ /* import_openssl NULL / callback good => success */
+ ret = gnutls_x509_privkey_init(&pkey);
+ if (ret < 0)
+ fail("gnutls_x509_privkey_init: %d\n", ret);
+
+ gnutls_x509_privkey_set_pin_function(pkey, good_pwd_cb, NULL);
+ key.data = (void *) key1;
+ key.size = sizeof(key1);
+ ret = gnutls_x509_privkey_import2(pkey, &key, GNUTLS_X509_FMT_PEM,
+ NULL, 0);
+ if (ret < 0) {
+ fail("gnutls_x509_privkey_import2 (good pin): %s\n",
+ gnutls_strerror(ret));
+ }
+ gnutls_x509_privkey_deinit(pkey);
+
+ /* import_openssl NULL / callback bad => success */
+ ret = gnutls_x509_privkey_init(&pkey);
+ if (ret < 0)
+ fail("gnutls_x509_privkey_init: %d\n", ret);
+
+ gnutls_x509_privkey_set_pin_function(pkey, bad_pwd_cb, NULL);
+ key.data = (void *) key1;
+ key.size = sizeof(key1);
+ ret = gnutls_x509_privkey_import2(pkey, &key, GNUTLS_X509_FMT_PEM,
+ NULL, 0);
+ if (ret != GNUTLS_E_DECRYPTION_FAILED) {
+ fail("gnutls_x509_privkey_import2 (bad pin): %s\n",
+ gnutls_strerror(ret));
+ }
+ gnutls_x509_privkey_deinit(pkey);
+
gnutls_global_deinit();
}
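Review bot: The combination matrix in the new comment omits the one case that pins the stated contract ("Pin callback passwords will only be used if the password supplied ... is NULL"): an explicit but wrong import password together with a good callback. Without that case a regression in which the library silently falls back to the pin callback after a wrong explicit password would pass this test, and that fallback is exactly the surprising behaviour a caller would not expect. I would add a fourth case after the existing three, expecting the same `GNUTLS_E_DECRYPTION_FAILED` the NULL/bad case already asserts (I am inferring that a wrong explicit password maps to that error; confirm against the earlier part of `doit`, which starts outside this hunk). Two comment fixes as well: the heading on the third case reads `/* import_openssl NULL / callback bad => success */` but the code expects failure and the matrix above says `NULL/bad => failure`, so it should read `/* import_openssl NULL / callback bad => failure */`; and `in NULL` in the matrix comment should be `is NULL`.
```c
	/* import_openssl bad / callback good => failure: the callback must not
	 * be consulted when an explicit (but wrong) password was supplied */
	ret = gnutls_x509_privkey_init(&pkey);
	if (ret < 0)
		fail("gnutls_x509_privkey_init: %d\n", ret);

	gnutls_x509_privkey_set_pin_function(pkey, good_pwd_cb, NULL);
	key.data = (void *) key1;
	key.size = sizeof(key1);
	ret = gnutls_x509_privkey_import2(pkey, &key, GNUTLS_X509_FMT_PEM,
					  "bad", 0);
	if (ret != GNUTLS_E_DECRYPTION_FAILED) {
		fail("gnutls_x509_privkey_import2 (bad func/good pin): %s\n",
		     gnutls_strerror(ret));
	}
	gnutls_x509_privkey_deinit(pkey);

	/* … unchanged: gnutls_global_deinit() … */
```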