From 2b2c5c9f55a483f624b22b541ffae6c3bb1a6b52 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 3 Apr 2017 09:35:31 +0200
Subject: gnutls_pkcs8_info: return the encryption algorithm OID on failure

When failing to import a structure due to an unsupported encryption algorithm OID, return the unsupported OID instead of the generic PBES2 OID.
Resolves: #193
Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/x509/pkcs7-crypt.c | 9 ++++-----
 lib/x509/pkcs7_int.h | 1 +
 lib/x509/privkey_pkcs8.c | 9 ++++++++-
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index 45233acd8a..1f6298d36c 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -791,22 +791,21 @@ read_pbes2_enc_params(ASN1_TYPE pasn,
 int params_start, params_end;
 int params_len, len, result;
 ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY;
- char oid[MAX_OID_SIZE];
 const struct pkcs_cipher_schema_st *p;
 memset(params, 0, sizeof(*params));
 /* Check the encryption algorithm */
- len = sizeof(oid);
- result = asn1_read_value(pasn, "encryptionScheme.algorithm", oid, &len);
+ len = sizeof(params->pbes2_oid);
+ result = asn1_read_value(pasn, "encryptionScheme.algorithm", params->pbes2_oid, &len);
 if (result != ASN1_SUCCESS) {
 gnutls_assert();
 return _gnutls_asn2err(result);
 }
- _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid);
+ _gnutls_hard_log("encryptionScheme.algorithm: %s\n", params->pbes2_oid);

- if ((result = pbes2_cipher_oid_to_algo(oid, ¶ms->cipher)) < 0) {
+ if ((result = pbes2_cipher_oid_to_algo(params->pbes2_oid, ¶ms->cipher)) < 0) {
 gnutls_assert();
 return result;
 }
diff --git a/lib/x509/pkcs7_int.h b/lib/x509/pkcs7_int.h
index b0f7e456e1..9d3ea24e31 100644
--- a/lib/x509/pkcs7_int.h
+++ b/lib/x509/pkcs7_int.h
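Review bot: In read_pbes2_enc_params (lib/x509/pkcs7-crypt.c), the early return after a failed `asn1_read_value` leaves `params->pbes2_oid` in whatever state the read left it, and the pkcs8_key_info hunk later in this patch appends any non-empty `pbes2_oid` to the OID it reports. Whether a failed read can leave partial bytes in the buffer is not visible here, so it is safer to reset it on that path with `params->pbes2_oid[0] = 0;` before `return _gnutls_asn2err(result);`. That keeps the reported OID limited to the case the commit message describes, a fully parsed but unsupported cipher OID. The function's signature and the rest of its body are outside the hunk.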
@@ -66,6 +66,7 @@ struct pbe_enc_params {
 gnutls_cipher_algorithm_t cipher;
 uint8_t iv[MAX_CIPHER_BLOCK_SIZE];
 int iv_size;
+ char pbes2_oid[MAX_OID_SIZE]; /* when reading params, the OID is stored for info purposes */
 };

 int
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index f009258777..0f1863d160 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -774,12 +774,14 @@ int pkcs8_key_info(const gnutls_datum_t * raw_key,
 char **oid)
 {
 int result, len;
- char enc_oid[MAX_OID_SIZE];
+ char enc_oid[MAX_OID_SIZE*2];
 int params_start, params_end, params_len;
 struct pbe_enc_params enc_params;
 schema_id schema;
 ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY;

+ memset(&enc_params, 0, sizeof(enc_params));
+
 result = check_for_decrypted(raw_key);
 if (result == 0)
 return GNUTLS_E_INVALID_REQUEST;
@@ -845,6 +847,11 @@ int pkcs8_key_info(const gnutls_datum_t * raw_key,

 if (result < 0) {
 gnutls_assert();
+ if (oid && enc_params.pbes2_oid[0] != 0) {
+ snprintf(enc_oid, sizeof(enc_oid), "%s/%s", *oid, enc_params.pbes2_oid);
+ gnutls_free(*oid);
+ *oid = gnutls_strdup(enc_oid);
+ }
 goto error;
 }

--
cgit v1.2.1
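Review bot: In the declarations of pkcs8_key_info (lib/x509/privkey_pkcs8.c), `enc_oid` is now both the buffer the outer algorithm OID is read into and the scratch buffer for the combined string, so widening it to `MAX_OID_SIZE*2` also widens that read if it passes `sizeof(enc_oid)` as its length; the read is outside the hunk. An outer OID longer than `MAX_OID_SIZE` would then leave too little room for the `"%s/%s"` result and the later `snprintf` would truncate it silently. Keeping `char enc_oid[MAX_OID_SIZE];` and formatting into a separate `char combined_oid[MAX_OID_SIZE*2];` avoids coupling the two sizes.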
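Review bot: In the `result < 0` branch added to pkcs8_key_info, `*oid` is passed to `%s` without a NULL check; it is assigned earlier in the function, outside this hunk, and if that assignment is an unchecked `gnutls_strdup`, an allocation failure would reach `snprintf` with a null pointer. The condition should be `if (oid && *oid && enc_params.pbes2_oid[0] != 0) {`. The `snprintf` return value is not compared with `sizeof(enc_oid)`, so a truncated string would be handed back as if it were complete, and the replacement `gnutls_strdup` is unchecked as well. The `outer/inner` form returned on this path also deserves a sentence in the documentation of the `oid` output, since callers that expect a single dotted OID will now see a `/`.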