Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.1.1] Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8 #12729

Conversation

@levitte
Copy link
Member

@levitte levitte commented Aug 27, 2020

PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that. If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.

To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added. If it is NULL, an error is returned.


This is a backport of #12728 to 1.1.1

PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER.  However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers.  If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that.  If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.

To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added.  If it is NULL, an error is returned.
@t8m
t8m approved these changes Aug 27, 2020
Copy link
Member

@t8m t8m left a comment

LGTM

@t8m t8m self-requested a review Aug 27, 2020
crypto/pem/pem_pkey.c Outdated Show resolved Hide resolved
Copy link
Member

@t8m t8m left a comment

Needs replacement of ERR_raise

@t8m
t8m approved these changes Aug 27, 2020
@openssl-machine
Copy link

@openssl-machine openssl-machine commented Aug 28, 2020

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request Aug 28, 2020
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER.  However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers.  If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that.  If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.

To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added.  If it is NULL, an error is returned.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #12729)
@levitte
Copy link
Member Author

@levitte levitte commented Aug 28, 2020

Merged

56456c3 Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8

@levitte levitte closed this Aug 28, 2020
@levitte levitte deleted the levitte:fix-PEM_write_bio_PrivateKey_traditional-1-111 branch Aug 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants