From b1f619343d39cf5266ab91b9de4b4c6ee50c3d41 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 3 Aug 2018 22:26:47 +0200 Subject: Corrected the importing of ECDSA public keys This seems to be a regression since EdDSA support. The call to _gnutls_x509_get_pk_algorithm() in public key import was unnecessary and in fact it was overriding the available curve with a curve associated with the OID. As the ECDSA OID doesn't include the curve, that had the result of deleting the already read curve. Resolves #538 Signed-off-by: Nikos Mavrogiannopoulos --- lib/pubkey.c | 8 --- tests/cert-tests/Makefile.am | 6 +- tests/cert-tests/certtool-ecdsa | 89 ++++++++++++++++++++++++++++++ tests/cert-tests/data/cert-ecc256-full.pem | 68 +++++++++++++++++++++++ tests/cert-tests/data/pubkey-ecc256.pem | 23 ++++++++ 5 files changed, 183 insertions(+), 11 deletions(-) create mode 100755 tests/cert-tests/certtool-ecdsa create mode 100644 tests/cert-tests/data/cert-ecc256-full.pem create mode 100644 tests/cert-tests/data/pubkey-ecc256.pem diff --git a/lib/pubkey.c b/lib/pubkey.c index 162ceaa4a0..8fc42b95a5 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -1072,7 +1072,6 @@ gnutls_pubkey_import(gnutls_pubkey_t key, int result = 0, need_free = 0; gnutls_datum_t _data; ASN1_TYPE spk; - gnutls_ecc_curve_t curve; if (key == NULL) { gnutls_assert(); @@ -1119,14 +1118,7 @@ gnutls_pubkey_import(gnutls_pubkey_t key, goto cleanup; } - /* this has already been called by get_asn_mpis() thus it cannot - * fail. - */ - key->params.algo = _gnutls_x509_get_pk_algorithm(spk, "", &curve, NULL); - - key->params.curve = curve; key->bits = pubkey_to_bits(&key->params); - result = 0; cleanup: diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 52090d427c..7da9e898f4 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am 
@@ -24,7 +24,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/bmpstring.pem data/template-utf8.pem templates/template-utf8.tmpl \ templates/template-dn.tmpl data/template-dn.pem data/complex-cert.pem \ data/template-overflow.pem templates/template-overflow.tmpl data/template-overflow2.pem \ - templates/template-overflow2.tmpl data/template-crq.pem \ + templates/template-overflow2.tmpl data/template-crq.pem data/cert-ecc256-full.pem \ templates/template-date.tmpl data/template-date.pem templates/template-dn-err.tmpl \ templates/template-nc.tmpl data/template-nc.pem data/xmpp-othername.pem \ suppressions.valgrind data/csr-invalid.der data/invalid-sig2.pem data/invalid-sig3.pem \ @@ -43,7 +43,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/template-krb5name.pem data/template-krb5name-full.pem data/template-test-ecc.key \ data/template-rsa-sha3-256.pem data/template-rsa-sha3-512.pem data/template-rsa-sha3-224.pem \ data/template-rsa-sha3-384.pem data/long-oids.pem \ - data/name-constraints-ip2.pem data/chain-md5.pem \ + data/name-constraints-ip2.pem data/chain-md5.pem data/pubkey-ecc256.pem \ templates/template-dates-after2038.tmpl data/template-dates-after2038.pem \ data/gost-cert.pem data/gost-cert-nogost.pem data/gost94-cert.pem \ templates/template-tlsfeature.tmpl data/userid.pem data/cert-with-crl.p12 \ @@ -100,7 +100,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \ provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \ pkcs7-constraints2 certtool-long-oids pkcs7-cat cert-sanity cert-critical \ pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \ - smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa \ + smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \ key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \ pkcs8-eddsa 
diff --git a/tests/cert-tests/certtool-ecdsa b/tests/cert-tests/certtool-ecdsa
new file mode 100755
index 0000000000..2cb1aac134
--- /dev/null
+++ b/tests/cert-tests/certtool-ecdsa
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2018 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+KEYFILE=ecdsa-privkey.$$.tmp
+TMPFILE=ecdsa.$$.tmp
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ exit 77
+fi
+
+
+${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/cert-ecc256-full.pem" --outfile "${TMPFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "There was an issue parsing the certificate"
+ exit 1
+fi
+
+$DIFF -I 'Not After:' ${TMPFILE} "${srcdir}/data/cert-ecc256-full.pem"
+if test $? != 0;then
+ echo "Error in parsing ECDSA cert"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" --pubkey-info --infile "${srcdir}/data/pubkey-ecc256.pem" --outfile "${TMPFILE}"
+rc=$?
+if test "${rc}" != "0"; then
+ echo "Could not read an ECDSA public key"
+ exit 1
+fi
+
+$DIFF ${TMPFILE} "${srcdir}/data/pubkey-ecc256.pem"
+if test $? != 0;then
+ echo "Error in parsing ECDSA public key"
+ exit 1
+fi
+
+
+# Create an ECDSA
+${VALGRIND} "${CERTTOOL}" --generate-privkey --pkcs8 --password '' \
+ --ecdsa --outfile "$KEYFILE"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate an ECDSA key"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" -k --password '' --infile "$KEYFILE" >/dev/null
+rc=$?
+if test "${rc}" != "0"; then
+ echo "Could not read generated an ECDSA key"
+ exit 1
+fi
+
+rm -f "${TMPFILE}" "${KEYFILE}"
+
+exit 0
diff --git a/tests/cert-tests/data/cert-ecc256-full.pem b/tests/cert-tests/data/cert-ecc256-full.pem
new file mode 100644
index 0000000000..ab16d166d6
--- /dev/null
+++ b/tests/cert-tests/data/cert-ecc256-full.pem
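Review bot: In tests/cert-tests/certtool-ecdsa every failure branch runs `exit 1` before the final `rm -f "${TMPFILE}" "${KEYFILE}"`, so a failing run leaves the certtool output and the generated PKCS#8 private key file behind in the build directory. Registering the cleanup once, right after the `KEYFILE`/`TMPFILE` assignments, covers all exits: `trap 'rm -f "${TMPFILE}" "${KEYFILE}"' EXIT`. If the leftovers are kept on purpose for debugging a failed test, a comment saying so would help. `${TMPFILE}` is also left unquoted in both `$DIFF` calls while it is quoted everywhere else in the script.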
@@ -0,0 +1,68 @@ +X.509 Certificate Information: + Version: 3 + Serial Number (hex): 07 + Issuer: CN=GnuTLS certificate authority,ST=Leuven,OU=GnuTLS certificate authority,O=GnuTLS,C=BE + Validity: + Not Before: Sat Sep 01 09:22:36 UTC 2012 + Not After: Sat Oct 05 09:22:36 UTC 2019 + Subject: EMAIL=none@none.org,pseudonym=jackal,title=Dr.,UID=clauper,CN=Cindy Lauper,ST=Attiki,OU=sleeping dept.,O=Koko inc.,C=GR + Subject Public Key Algorithm: EC/ECDSA + Algorithm Security Level: High (256 bits) + Curve: SECP256R1 + X: + 3c:15:6f:1d:48:3e:64:59:13:2c:6d:04:1a:38:0d:30 + 5c:e4:3f:55:cb:d9:17:15:46:72:71:92:c1:f8:c6:33 + Y: + 3d:04:2e:c8:c1:0f:c0:50:04:7b:9f:c9:48:b5:40:fa + 6f:93:82:59:61:5e:72:57:cb:83:06:bd:cc:82:94:c1 + Extensions: + Basic Constraints (critical): + Certificate Authority (CA): FALSE + Subject Alternative Name (not critical): + DNSname: www.none.org + DNSname: www.morethanone.org + DNSname: localhost + IPAddress: 192.168.1.1 + Key Purpose (not critical): + TLS WWW Server. + Key Usage (critical): + Digital signature. 
+ Subject Key Identifier (not critical): + acfa4767c61b41791257f7ac05c150e28ed00e5b + Authority Key Identifier (not critical): + f0b481fe9812bfb528b9644003cbcc1f664e2803 + Signature Algorithm: ECDSA-SHA256 + Signature: + 30:45:02:20:28:2a:e0:24:c8:9e:44:50:d4:36:85:a0 + 8f:30:9a:ed:8a:3f:ce:38:e4:d5:91:5c:aa:2e:6a:0d + 96:25:21:73:02:21:00:c7:82:b1:6a:86:49:35:57:c1 + 05:27:38:6c:0f:57:4f:3f:f6:3a:7a:60:01:9b:ad:52 + 88:4d:35:bf:ed:99:11 +Other Information: + Fingerprint: + sha1:8c6802792736a5ce00e75b2095626aa13ca0c0c0 + sha256:222ddff7f65043153f439d4e2b74b87f9e366d96a1506b5ad3e8e0f1bb95da9e + Public Key ID: + sha1:acfa4767c61b41791257f7ac05c150e28ed00e5b + sha256:5978dd1d2d23e992075dc359d5dd14f7ef79748af97f2b7809c9ebfd6016c433 + Public Key PIN: + pin-sha256:WXjdHS0j6ZIHXcNZ1d0U9+95dIr5fyt4Ccnr/WAWxDM= + +-----BEGIN CERTIFICATE----- +MIIC4DCCAoagAwIBAgIBBzAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G +A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y +aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0 +ZSBhdXRob3JpdHkwIhgPMjAxMjA5MDEwOTIyMzZaGA8yMDE5MTAwNTA5MjIzNlow +gbgxCzAJBgNVBAYTAkdSMRIwEAYDVQQKEwlLb2tvIGluYy4xFzAVBgNVBAsTDnNs +ZWVwaW5nIGRlcHQuMQ8wDQYDVQQIEwZBdHRpa2kxFTATBgNVBAMTDENpbmR5IExh +dXBlcjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNVBAwTA0RyLjEPMA0G +A1UEQRMGamFja2FsMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUub3JnMFkwEwYH +KoZIzj0CAQYIKoZIzj0DAQcDQgAEPBVvHUg+ZFkTLG0EGjgNMFzkP1XL2RcVRnJx +ksH4xjM9BC7IwQ/AUAR7n8lItUD6b5OCWWFeclfLgwa9zIKUwaOBtjCBszAMBgNV +HRMBAf8EAjAAMD0GA1UdEQQ2MDSCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFu +b25lLm9yZ4IJbG9jYWxob3N0hwTAqAEBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8G +A1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFKz6R2fGG0F5Elf3rAXBUOKO0A5bMB8G +A1UdIwQYMBaAFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqGSM49BAMCA0gAMEUC +ICgq4CTInkRQ1DaFoI8wmu2KP8445NWRXKouag2WJSFzAiEAx4KxaoZJNVfBBSc4 +bA9XTz/2OnpgAZutUohNNb/tmRE= +-----END CERTIFICATE----- 
diff --git a/tests/cert-tests/data/pubkey-ecc256.pem b/tests/cert-tests/data/pubkey-ecc256.pem new file mode 100644 index 0000000000..6e0020d479 --- /dev/null +++ b/tests/cert-tests/data/pubkey-ecc256.pem @@ -0,0 +1,23 @@ +Public Key Information: + Public Key Algorithm: EC/ECDSA + Algorithm Security Level: High (256 bits) + Curve: SECP256R1 + X: + 3c:15:6f:1d:48:3e:64:59:13:2c:6d:04:1a:38:0d:30 + 5c:e4:3f:55:cb:d9:17:15:46:72:71:92:c1:f8:c6:33 + Y: + 3d:04:2e:c8:c1:0f:c0:50:04:7b:9f:c9:48:b5:40:fa + 6f:93:82:59:61:5e:72:57:cb:83:06:bd:cc:82:94:c1 + +Public Key ID: + sha1:acfa4767c61b41791257f7ac05c150e28ed00e5b + sha256:5978dd1d2d23e992075dc359d5dd14f7ef79748af97f2b7809c9ebfd6016c433 +Public Key PIN: + pin-sha256:WXjdHS0j6ZIHXcNZ1d0U9+95dIr5fyt4Ccnr/WAWxDM= + + +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPBVvHUg+ZFkTLG0EGjgNMFzkP1XL +2RcVRnJxksH4xjM9BC7IwQ/AUAR7n8lItUD6b5OCWWFeclfLgwa9zIKUwQ== +-----END PUBLIC KEY----- + -- cgit v1.2.1