Ignore EC parameters when parsing private keys

darakian · cbroglie · commit 87a2fe707208 · 2020-02-13T10:11:07.000-08:00
diff --git a/helpers/helpers.go b/helpers/helpers.go
@@ -18,7 +18,7 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/google/certificate-transparency-go"
+	ct "github.com/google/certificate-transparency-go"
 	cttls "github.com/google/certificate-transparency-go/tls"
 	ctx509 "github.com/google/certificate-transparency-go/x509"
 	"golang.org/x/crypto/ocsp"
@@ -378,7 +378,15 @@ func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.
 
 // GetKeyDERFromPEM parses a PEM-encoded private key and returns DER-format key bytes.
 func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error) {
-	keyDER, _ := pem.Decode(in)
+	// Ignore any EC PARAMETERS blocks when looking for a key (openssl includes
+	// them by default).
+	var keyDER *pem.Block
+	for {
+		keyDER, in = pem.Decode(in)
+		if keyDER == nil || keyDER.Type != "EC PARAMETERS" {
+			break
+		}
+	}
 	if keyDER != nil {
 		if procType, ok := keyDER.Headers["Proc-Type"]; ok {
 			if strings.Contains(procType, "ENCRYPTED") {
diff --git a/helpers/helpers_test.go b/helpers/helpers_test.go
@@ -32,6 +32,7 @@ const (
 	testPrivateRSAKey            = "testdata/priv_rsa_key.pem"
 	testPrivateECDSAKey          = "testdata/private_ecdsa_key.pem"
 	testPrivateEd25519Key        = "testdata/private_ed25519_key.pem"
+	testPrivateOpenSSLECKey      = "testdata/openssl_secp384.pem"
 	testUnsupportedECDSAKey      = "testdata/secp256k1-key.pem"
 	testMessedUpPrivateKey       = "testdata/messed_up_priv_key.pem"
 	testEncryptedPrivateKey      = "testdata/enc_priv_key.pem"
@@ -374,11 +375,22 @@ func TestParsePrivateKeyPEM(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+
 	_, err = ParsePrivateKeyPEM(testEd25519PEM)
 	if err != nil {
 		t.Fatal(err)
 	}
 
+	testOpenSSLECKey, err := ioutil.ReadFile(testPrivateOpenSSLECKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = ParsePrivateKeyPEM(testOpenSSLECKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	// error cases
 	errCases := []string{
 		testMessedUpPrivateKey,  // a few lines deleted
diff --git a/helpers/testdata/openssl_secp384.pem b/helpers/testdata/openssl_secp384.pem
@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCn5safCQ6/JAUEbf1/BvOBvP9XHfcsEvQooEd0g0v4akMNmH53nXKQ
+qvsZBUP14X6gBwYFK4EEACKhZANiAAR1q1+sGy8Pmgdco9LEB10gJkIO0lBid8aK
+0xmtEL7U1RTQnNyraswwI0hxHwzwSHHKojD8Msdy5uOngxKnGrUBTuMubezfGbWz
+ULOFvrTemUIlNmSsWMcrzEBEnZxvOqY=
+-----END EC PRIVATE KEY-----
