Merge pull request #9164 from dgarske/keytoder

Add support for enabling RSA private key to DER without keygen

Author: SparkiDev

.wolfssl_known_macro_extras

@@ -737,6 +737,7 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
+WOLFSSL_KEY_TO_DER
 WOLFSSL_KYBER_NO_DECAPSULATE
 WOLFSSL_KYBER_NO_ENCAPSULATE
 WOLFSSL_KYBER_NO_MAKE_KEY

tests/api.c

@@ -12963,18 +12963,16 @@ static int test_tls_bad_legacy_version(void)
 static int test_wolfSSL_X509_NAME_get_entry(void)
 {
     EXPECT_DECLS;
-#if !defined(NO_CERTS) && !defined(NO_RSA)
+#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
 #if defined(OPENSSL_ALL) || \
         (defined(OPENSSL_EXTRA) && \
             (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)))
     /* use openssl like name to test mapping */
     X509_NAME_ENTRY* ne = NULL;
     X509_NAME* name = NULL;
     X509* x509 = NULL;
-#ifndef NO_FILESYSTEM
     ASN1_STRING* asn = NULL;
     char* subCN = NULL;
-#endif
     int idx = 0;
     ASN1_OBJECT *object = NULL;
 #if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \
@@ -12984,7 +12982,6 @@ static int test_wolfSSL_X509_NAME_get_entry(void)
 #endif
 #endif
 
-#ifndef NO_FILESYSTEM
     ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
         WOLFSSL_FILETYPE_PEM));
     ExpectNotNull(name = X509_get_subject_name(x509));
@@ -12995,7 +12992,6 @@ static int test_wolfSSL_X509_NAME_get_entry(void)
     ExpectNotNull(subCN = (char*)ASN1_STRING_data(asn));
     wolfSSL_FreeX509(x509);
     x509 = NULL;
-#endif
 
     ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
         WOLFSSL_FILETYPE_PEM));
@@ -13020,7 +13016,7 @@ static int test_wolfSSL_X509_NAME_get_entry(void)
     ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne));
     wolfSSL_FreeX509(x509);
 #endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (KEEP_PEER_CERT || SESSION_CERTS) */
-#endif /* !NO_CERTS && !NO_RSA */
+#endif /* !NO_CERTS && !NO_RSA && !NO_FILESYSTEM */
 
     return EXPECT_RESULT();
 }
@@ -16953,7 +16949,8 @@ static int test_wolfSSL_X509_check_private_key(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
-        defined(USE_CERT_BUFFERS_2048) && !defined(NO_CHECK_PRIVATE_KEY)
+        defined(USE_CERT_BUFFERS_2048) && !defined(NO_CHECK_PRIVATE_KEY) && \
+        !defined(NO_FILESYSTEM)
     X509*  x509 = NULL;
     EVP_PKEY* pkey = NULL;
     const byte* key;
@@ -19943,7 +19940,7 @@ static int test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup(void)
 static int test_wolfSSL_X509_STORE_CTX_get_issuer(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     X509_STORE_CTX* ctx = NULL;
     X509_STORE* str = NULL;
     X509* x509Ca = NULL;
@@ -20612,7 +20609,7 @@ static int test_wolfSSL_X509_STORE_CTX_ex(void)
 }
 
 
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
 static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename,
         STACK_OF(X509)* chain)
 {
@@ -20751,7 +20748,7 @@ static int test_X509_STORE_untrusted_certs(const char** filenames, int ret,
 static int test_X509_STORE_untrusted(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     const char* untrusted1[] = {
         "./certs/intermediate/ca-int2-cert.pem",
         NULL
@@ -20934,7 +20931,8 @@ static int test_wolfSSL_get0_param(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \
-    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
+    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \
+    !defined(NO_FILESYSTEM)
     SSL_CTX* ctx = NULL;
     SSL*     ssl = NULL;
 
@@ -20989,7 +20987,8 @@ static int test_wolfSSL_set1_host(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \
-    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
+    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \
+    !defined(NO_FILESYSTEM)
     const char host[] = "www.test_wolfSSL_set1_host.com";
     const char emptyStr[] = "";
     SSL_CTX*   ctx = NULL;
@@ -21033,7 +21032,7 @@ static int test_wolfSSL_set1_host(void)
 static int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM)
     unsigned char buf[16] = {0};
     WOLFSSL_X509_VERIFY_PARAM* param = NULL;
 
@@ -21336,7 +21335,7 @@ static int test_wolfSSL_CTX_add_client_CA(void)
     EXPECT_DECLS;
 #if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) && \
     !defined(NO_RSA) && !defined(NO_CERTS) && \
-    !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
+    !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_FILESYSTEM)
     WOLFSSL_CTX* ctx = NULL;
     WOLFSSL_X509* x509 = NULL;
     WOLFSSL_X509* x509_a = NULL;
@@ -22062,7 +22061,8 @@ static int test_wolfSSL_CTX_set_srp_password(void)
 static int test_wolfSSL_X509_STORE(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \
+    !defined(NO_FILESYSTEM)
     X509_STORE *store = NULL;
 
 #ifdef HAVE_CRL
@@ -22130,7 +22130,7 @@ static int test_wolfSSL_X509_STORE(void)
 
 
 
-#ifndef WOLFCRYPT_ONLY
+#if !defined(WOLFCRYPT_ONLY) && !defined(NO_FILESYSTEM)
     {
     #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
         SSL_CTX* ctx = NULL;
@@ -22772,7 +22772,8 @@ static int test_wolfSSL_set1_curves_list(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_TLS) && \
-    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
+    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \
+    !defined(NO_FILESYSTEM)
     SSL*     ssl = NULL;
     SSL_CTX* ctx = NULL;
 
@@ -22930,7 +22931,8 @@ static int test_wolfSSL_set1_sigalgs_list(void)
     EXPECT_DECLS;
 #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
     !defined(NO_TLS) && \
-    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
+    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \
+    !defined(NO_FILESYSTEM)
     SSL*     ssl = NULL;
     SSL_CTX* ctx = NULL;
 
@@ -29355,7 +29357,8 @@ static int test_wolfSSL_EVP_Cipher_extra(void)
 static int test_wolfSSL_X509_get_serialNumber(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM)
     ASN1_INTEGER* a = NULL;
     BIGNUM* bn = NULL;
     X509*   x509 = NULL;
@@ -29489,7 +29492,8 @@ static int test_wolfSSL_X509_ext_get_critical_by_NID(void)
 static int test_wolfSSL_X509_CRL_distribution_points(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM)
     WOLFSSL_X509* x509 = NULL;
     const char* file = "./certs/client-crl-dist.pem";
 

tests/api/test_ossl_bio.c

@@ -255,7 +255,7 @@ int test_wolfSSL_BIO_puts(void)
 int test_wolfSSL_BIO_dump(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM)
     BIO* bio;
     static const unsigned char data[] = {
         0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE,
@@ -1136,7 +1136,7 @@ int test_wolfSSL_BIO_reset(void)
 int test_wolfSSL_BIO_get_len(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_BIO)
+#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) && !defined(NO_FILESYSTEM)
     BIO *bio = NULL;
     const char txt[] = "Some example text to push to the BIO.";
 

tests/api/test_ossl_ec.c

@@ -1237,7 +1237,8 @@ int test_wolfSSL_EC_KEY_set_group(void)
 int test_wolfSSL_EC_KEY_set_conv_form(void)
 {
     EXPECT_DECLS;
-#if defined(HAVE_ECC) && defined(OPENSSL_EXTRA) && !defined(NO_BIO)
+#if defined(HAVE_ECC) && defined(OPENSSL_EXTRA) && !defined(NO_BIO) && \
+    !defined(NO_FILESYSTEM)
     BIO* bio = NULL;
     EC_KEY* key = NULL;
 

tests/api/test_rsa.c

@@ -616,53 +616,100 @@ int test_wc_RsaPSS_VerifyCheckInline(void)
 int test_wc_RsaKeyToDer(void)
 {
     EXPECT_DECLS;
-#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
-    RsaKey genKey;
-    WC_RNG rng;
+#if !defined(NO_RSA) && \
+    (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_KEY_TO_DER))
+    RsaKey key;
     byte*  der = NULL;
+    word32 derSz = 0;
+#if defined(WOLFSSL_KEY_GEN)
+    WC_RNG rng;
 #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
     (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
-    int     bits = 1024;
-    word32  derSz = 611;
-    /* (2 x 128) + 2 (possible leading 00) + (5 x 64) + 5 (possible leading 00)
-       + 3 (e) + 8 (ASN tag) + 10 (ASN length) + 4 seqSz + 3 version */
+    int    bits = 1024;
+#else
+    int    bits = 2048;
+#endif
 #else
-    int     bits = 2048;
-    word32  derSz = 1196;
-    /* (2 x 256) + 2 (possible leading 00) + (5 x 128) + 5 (possible leading 00)
-       + 3 (e) + 8 (ASN tag) + 17 (ASN length) + 4 seqSz + 3 version */
+    word32 idx = 0;
+    byte* key_der = NULL;
+#if !defined(NO_FILESYSTEM)
+    const char* key_fname = "./certs/client-key.der";
+    XFILE file = XBADFILE;
 #endif
+#endif /* WOLFSSL_KEY_GEN */
 
+#if defined(WOLFSSL_KEY_GEN)
     XMEMSET(&rng, 0, sizeof(rng));
-    XMEMSET(&genKey, 0, sizeof(genKey));
+#endif
+    XMEMSET(&key, 0, sizeof(key));
 
-    ExpectNotNull(der = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
-    /* Init structures. */
-    ExpectIntEQ(wc_InitRsaKey(&genKey, HEAP_HINT), 0);
+    /* Init RSA structure */
+    ExpectIntEQ(wc_InitRsaKey(&key, HEAP_HINT), 0);
+
+#if defined(WOLFSSL_KEY_GEN)
+    /* Init RMG */
     ExpectIntEQ(wc_InitRng(&rng), 0);
-    /* Make key. */
-    ExpectIntEQ(MAKE_RSA_KEY(&genKey, bits, WC_RSA_EXPONENT, &rng), 0);
+    /* Make key */
+    ExpectIntEQ(MAKE_RSA_KEY(&key, bits, WC_RSA_EXPONENT, &rng), 0);
+#else
+    /* Import a key */
+#if !defined(NO_FILESYSTEM)
+    ExpectTrue((file = XFOPEN(key_fname, "rb")) != XBADFILE);
+    ExpectIntEQ(XFSEEK(file, 0, XSEEK_END), 0);
+    ExpectIntGT(derSz = (word32)XFTELL(file), 0);
+    ExpectIntEQ(XFSEEK(file, 0, XSEEK_SET), 0);
+    ExpectNotNull(key_der = (byte*)XMALLOC(derSz, NULL,
+        DYNAMIC_TYPE_TMP_BUFFER));
+    ExpectIntEQ((int)XFREAD(key_der, 1, derSz, file), derSz);
+    XFCLOSE(file);
+#elif defined(USE_CERT_BUFFERS_1024) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
+    key_der = (byte*)client_key_der_1024;
+    derSz = (word32)sizeof_client_key_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    key_der = (byte*)client_key_der_2048;
+    derSz = (word32)sizeof_client_key_der_2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+    key_der = (byte*)client_key_der_3072;
+    derSz = (word32)sizeof_client_key_der_3072;
+#elif defined(USE_CERT_BUFFERS_4096)
+    key_der = (byte*)client_key_der_4096;
+    derSz = (word32)sizeof_client_key_der_4096;
+#endif
 
-    ExpectIntGT(wc_RsaKeyToDer(&genKey, der, derSz), 0);
+    /* Import private key */
+    ExpectIntEQ(wc_RsaPrivateKeyDecode(key_der, &idx, &key, derSz), 0);
+
+#if !defined(NO_FILESYSTEM)
+    XFREE(key_der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+#endif /* WOLFSSL_KEY_GEN */
+
+    /* Get output length */
+    ExpectIntGT((derSz = wc_RsaKeyToDer(&key, NULL, 0)), 0);
+    ExpectNotNull(der = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
+
+    /* Test exporting private key to DER */
+    ExpectIntGT(wc_RsaKeyToDer(&key, der, derSz), 0);
 
     /* Pass good/bad args. */
-    ExpectIntEQ(wc_RsaKeyToDer(NULL, der, FOURK_BUF),
+    ExpectIntEQ(wc_RsaKeyToDer(NULL, der, derSz),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-    /* Get just the output length */
-    ExpectIntGT(wc_RsaKeyToDer(&genKey, NULL, 0), 0);
     /* Try Public Key. */
-    genKey.type = 0;
-    ExpectIntEQ(wc_RsaKeyToDer(&genKey, der, FOURK_BUF),
+    key.type = 0;
+    ExpectIntEQ(wc_RsaKeyToDer(&key, der, derSz),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     #ifdef WOLFSSL_CHECK_MEM_ZERO
         /* Put back to Private Key */
-        genKey.type = 1;
+        key.type = 1;
     #endif
 
     XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    DoExpectIntEQ(wc_FreeRsaKey(&genKey), 0);
-    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+    DoExpectIntEQ(wc_FreeRsaKey(&key), 0);
+    #if defined(WOLFSSL_KEY_GEN)
+        DoExpectIntEQ(wc_FreeRng(&rng), 0);
+    #endif
 #endif
     return EXPECT_RESULT();
 } /* END test_wc_RsaKeyToDer */

wolfcrypt/src/asn.c

@@ -28249,9 +28249,8 @@ int wc_GetFASCNFromCert(struct DecodedCert* cert, byte* fascn, word32* fascnSz)
 }
 #endif /* WOLFSSL_FPKI */
 
-#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \
-    defined(WOLFSSL_KCAPI_RSA) || \
-    ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA))))
+#if !defined(NO_RSA) && \
+    (defined(WOLFSSL_KEY_TO_DER) || defined(WOLFSSL_CERT_GEN))
 /* USER RSA ifdef portions used instead of refactor in consideration for
    possible fips build */
 /* Encode a public RSA key to output.
@@ -28433,13 +28432,10 @@ int wc_RsaKeyToPublicDer_ex(RsaKey* key, byte* output, word32 inLen,
     return SetRsaPublicKey(output, key, (int)inLen, with_header);
 }
 
-#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || WOLFSSL_KCAPI_RSA ||
-            ((OPENSSL_EXTRA || WOLFSSL_KEY_GEN))) */
+#endif /* !NO_RSA && WOLFSSL_KEY_TO_DER */
 #endif /* NO_CERTS */
 
-#if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \
-     defined(WOLFSSL_KCAPI_RSA) || defined(WOLFSSL_SE050)) && \
-     !defined(NO_RSA)
+#if !defined(NO_RSA) && defined(WOLFSSL_KEY_TO_DER)
 
 /* Encode private RSA key in DER format.
  *
@@ -28606,7 +28602,7 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 #endif
 }
 
-#endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA */
+#endif /* !NO_RSA && WOLFSSL_KEY_TO_DER */
 
 #ifndef NO_CERTS