[Bug]: Not all private PKCS#8 keys could be used with WolfSSL
Version
v5.4.0-stable, master latest (7004157869e5445b086045ea9e9f86833fb2e330)
Description
I try to load the private (not encrypted) PKCS#8 key into a CTX with `wolfSSL_CTX_use_PrivateKey_buffer`, or just load an `RsaKey` with `wc_RsaPrivateKeyDecode`, but it fails (`ToTraditionalInline_ex` fails to skip the whole sequence while in `GetAlgoId`).

So the main problem is that `ToTraditionalInline_ex` works incorrectly and can't find the right position of the private key OCTET STRING in the PKCS#8 file (`AlgorithmIdentifier` could have a `parameters` field, which is `ANY DEFINED BY algorithm OPTIONAL`, and the problem occurs when it is a SEQUENCE).
Unsupported key structure:
Reproduction steps
- Download ps256_cert.zip (archive with an RSASSA-PSS unencrypted private key and cert chain) and unpack the `ps256.der` key file into the `certs` folder.
- Change `tests/api.c` as below:
--- a/tests/api.c
+++ b/tests/api.c
@@ -26737,12 +26737,12 @@ static int test_ToTraditional(void)
defined(OPENSSL_EXTRA_X509_SMALL))
XFILE f;
- byte input[TWOK_BUF];
+ byte input[FOURK_BUF];
word32 sz;
printf(testingFmt, "ToTraditional()");
- f = XFOPEN("./certs/server-keyPkcs8.der", "rb");
+ f = XFOPEN("./certs/ps256.der", "rb");
AssertTrue((f != XBADFILE));
sz = (word32)XFREAD(input, 1, sizeof(input), f);
XFCLOSE(f);
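Review bot: the edit swaps `./certs/server-keyPkcs8.der` for `./certs/ps256.der` instead of adding a second input, so the existing plain PKCS#8 (rsaEncryption, NULL parameters) case stops being exercised; keep both files and run the decode for each. Also, since `sz = (word32)XFREAD(input, 1, sizeof(input), f)` reads at most `FOURK_BUF` bytes, consider asserting `sz < sizeof(input)` right after the read so a key larger than the buffer shows up as a truncation rather than as a confusing decode error such as the `-132` in the log.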
--
- Run `unit_test` and get the failure.
Relevant log output
```
ToTraditional(): failed
test_ToTraditional failed.
ERROR - /tmp/tmp.UavVdGm55a/tests/api.c line 57936 failed with:
expected: ret == 0
result: -132 != 0
```
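To make the parsing point concrete, here is an added Python illustration (not wolfSSL code and not from the reporter): it walks an unencrypted PKCS#8 PrivateKeyInfo and reaches the privateKey OCTET STRING by skipping the AlgorithmIdentifier using its outer SEQUENCE length, so NULL, SEQUENCE (RSASSA-PSS) or absent `parameters` are all handled the same way. The sample keys are constructed with real OIDs but a dummy stand-in for the RSAPrivateKey body.

```python
# Added example: locate the privateKey OCTET STRING in a PKCS#8 PrivateKeyInfo
# without ever decoding the AlgorithmIdentifier parameters field.

def read_tlv(buf, off):
    # Return (tag, value_start, value_len, next_off) for the DER TLV at buf[off].
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    if start + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, start, length, start + length

def expect(der, off, want, what):
    # Read the TLV at off and fail unless its tag is `want`.
    tag, start, length, end = read_tlv(der, off)
    if tag != want:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")
    return start, length, end

def pkcs8_private_key_octets(der):
    """Return (algorithm OID hex, parameters tag or None, privateKey bytes)."""
    start, _, _ = expect(der, 0, 0x30, "PrivateKeyInfo SEQUENCE")
    _, _, off = expect(der, start, 0x02, "version INTEGER")
    alg_start, _, alg_end = expect(der, off, 0x30, "AlgorithmIdentifier SEQUENCE")
    oid_start, oid_len, off = expect(der, alg_start, 0x06, "algorithm OID")
    params_tag = der[off] if off < alg_end else None      # NULL, SEQUENCE or absent
    # Jump to alg_end (the outer SEQUENCE length) instead of decoding parameters:
    # this is the skip the issue describes as failing when parameters is a SEQUENCE.
    key_start, key_len, _ = expect(der, alg_end, 0x04, "privateKey OCTET STRING")
    return der[oid_start:oid_start + oid_len].hex(), params_tag, der[key_start:key_start + key_len]

def tlv(tag, body):
    # Encode one DER TLV; used only to build the constructed samples below.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

RSA_OID = bytes.fromhex("2a864886f70d010101")      # rsaEncryption, parameters NULL
PSS_OID = bytes.fromhex("2a864886f70d01010a")      # id-RSASSA-PSS, parameters SEQUENCE
SHA256_OID = bytes.fromhex("608648016503040201")
DUMMY_KEY = b"\x30\x03\x02\x01\x00"                # constructed stand-in, not a real key
def pkcs8(alg_id): return tlv(0x30, tlv(0x02, b"\x00") + alg_id + tlv(0x04, DUMMY_KEY))
RSA_PKCS8 = pkcs8(tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")))
PSS_PARAMS = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x06, SHA256_OID))) + tlv(0xA2, tlv(0x02, b"\x20")))
PSS_PKCS8 = pkcs8(tlv(0x30, tlv(0x06, PSS_OID) + PSS_PARAMS))
```

Calling `pkcs8_private_key_octets` on either sample returns the same dummy key bytes, differing only in the reported OID and parameters tag.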
Hi @vvvictor07
Support for RSA-PSS certificates is coming! We have had some infrastructure issues of late but the handling of RSA-PSS and the parameters is something I've implemented just recently.
If you would like to try it out the PR is: https://github.com/wolfSSL/wolfssl/pull/5397
Sean
Hi @vvvictor07
Let us know if there is anything more here. Otherwise I'll close the ticket.
Thanks, Sean
Hi all, I have checked that this bug was fixed in #5397. Have a nice day)