authorNikos Mavrogiannopoulos <nmav@gnutls.org>2016-08-07 12:45:03 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-08-08 08:32:42 +0200
commit0470bf60104410e183e90bb1d21ccc151a545c44 (patch)
treec7dbf49cdf50cea44dc454d9715113c3caea9548 /lib/x509
parent186dc9c2012003587a38d7f4d03edd8da5fe989f (diff)
downloadgnutls-0470bf60104410e183e90bb1d21ccc151a545c44.tar.gz
x509: call the fixup functions after loading private keys
That way we can better report errors which relate to illegal parameters being detected.
Diffstat (limited to 'lib/x509')
-rw-r--r--lib/x509/privkey.c44
-rw-r--r--lib/x509/privkey_pkcs8.c9
2 files changed, 41 insertions, 12 deletions
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 9cd57aa524..a3dc9ac7b6 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1,6 +1,7 @@
/*
- * Copyright (C) 2003-2012 Free Software Foundation, Inc.
- * Copyright (C) 2012-2015 Nikos Mavrogiannopoulos
+ * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2012-2016 Nikos Mavrogiannopoulos
+ * Copyright (C) 2015-2016 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
@@ -222,13 +223,6 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key,
}
pkey->params.params_nr++;
- result =
- _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_IMPORT, &pkey->params);
- if (result < 0) {
- gnutls_assert();
- goto error;
- }
-
pkey->params.params_nr = RSA_PRIVATE_PARAMS;
tmp_size = sizeof(tmp);
@@ -643,10 +637,16 @@ gnutls_x509_privkey_import(gnutls_x509_privkey_t key,
if (key->key == NULL) {
gnutls_assert();
result = GNUTLS_E_ASN1_DER_ERROR;
- } else {
- result = 0;
+ goto cleanup;
}
+ result =
+ _gnutls_pk_fixup(key->pk_algorithm, GNUTLS_IMPORT, &key->params);
+ if (result < 0) {
+ gnutls_assert();
+ }
+
+ cleanup:
if (need_free)
_gnutls_free_datum(&_data);
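Review bot: When `_gnutls_pk_fixup` fails here the error is returned, but `key->key` and `key->params` still hold the decoded private key whose parameters were just rejected; nothing visible in the hunk releases them before `cleanup:`. A caller that reuses the `gnutls_x509_privkey_t` after a failed import, or the retry logic in `gnutls_x509_privkey_import2`, would then work with a half-imported object that still carries secret material. The failure branch should reset that state, for example with `gnutls_pk_params_clear(&key->params); gnutls_pk_params_release(&key->params);` plus freeing `key->key`. The same question applies to the `goto cleanup` added in `gnutls_x509_privkey_import_pkcs8`, whose cleanup body is outside its hunk. The rest of this function is also outside the hunk, so an existing reset after the label cannot be ruled out.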
@@ -727,6 +727,7 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
const char *password, unsigned int flags)
{
int ret = 0;
+ int saved_ret = GNUTLS_E_PARSING_ERROR;
char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
unsigned head_enc = 1;
@@ -770,6 +771,7 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
if (ret < 0) {
gnutls_assert();
+ saved_ret = ret;
/* fall through to PKCS #8 decoding */
}
}
@@ -794,6 +796,9 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
password, flags);
}
+ if (saved_ret == GNUTLS_E_PARSING_ERROR)
+ saved_ret = ret;
+
if (ret < 0) {
if (ret == GNUTLS_E_DECRYPTION_FAILED)
goto cleanup;
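Review bot: `saved_ret` uses `GNUTLS_E_PARSING_ERROR` both as its "nothing recorded yet" marker and as a real error code, and the added `if (saved_ret == GNUTLS_E_PARSING_ERROR) saved_ret = ret;` copies `ret` even when the PKCS #8 attempt succeeded. That leaves a 0 in the variable which the `cleanup:` hunk later substitutes for an error. Whether any later path reaches `cleanup:` with `ret == GNUTLS_E_PARSING_ERROR` after that is not visible in these hunks, but guarding the copy as `if (ret < 0 && saved_ret == GNUTLS_E_PARSING_ERROR)` rules out turning a failure into success. A comment on the declaration such as `/* first specific decoding error; GNUTLS_E_PARSING_ERROR means none recorded yet */` would make the sentinel explicit. The function body extends beyond the four hunks that touch it.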
@@ -822,6 +827,9 @@ gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
ret = 0;
cleanup:
+ if (ret == GNUTLS_E_PARSING_ERROR)
+ ret = saved_ret;
+
return ret;
}
@@ -1061,6 +1069,13 @@ gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key,
}
ret =
+ _gnutls_pk_fixup(GNUTLS_PK_DSA, GNUTLS_IMPORT, &key->params);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret =
_gnutls_asn1_encode_privkey(GNUTLS_PK_DSA, &key->key,
&key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
if (ret < 0) {
@@ -1138,6 +1153,13 @@ gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key,
}
key->params.params_nr++;
+ ret =
+ _gnutls_pk_fixup(GNUTLS_PK_EC, GNUTLS_IMPORT, &key->params);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
key->pk_algorithm = GNUTLS_PK_EC;
key->params.algo = key->pk_algorithm;
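Review bot: The new fixup call sits before `key->pk_algorithm = GNUTLS_PK_EC;` and `key->params.algo = key->pk_algorithm;`, so `_gnutls_pk_fixup` validates a `params` structure whose `algo` field has not been assigned yet. The algorithm is also passed explicitly as the first argument, so this probably works with the current backend, but any check that reads `params->algo` would see a stale value. Moving the two assignments above the call keeps the structure consistent at the point where it is validated. The function body starts and ends outside the hunk.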
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index ca438656b4..f84d913e87 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -34,6 +34,7 @@
#include <algorithms.h>
#include <num.h>
#include <random.h>
+#include <pk.h>
#include <nettle/pbkdf2.h>
static int _decode_pkcs8_ecc_key(ASN1_TYPE pkcs8_asn,
@@ -1507,12 +1508,18 @@ gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key,
goto cleanup;
}
+ result =
+ _gnutls_pk_fixup(key->pk_algorithm, GNUTLS_IMPORT, &key->params);
+ if (result < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
if (need_free)
_gnutls_free_datum(&_data);
/* The key has now been decoded.
*/
-
return 0;
cleanup: