fix: d2i_ECPrivateKey derives public key when absent from DER (ZD-21732)#10362
fix: d2i_ECPrivateKey derives public key when absent from DER (ZD-21732)#10362MarkAtwood wants to merge 2 commits into
Conversation
RFC 5915 makes the publicKey [1] field optional. When it is absent, wc_EccPrivateKeyDecode sets type = ECC_PRIVATEKEY_ONLY and leaves pubkey uninitialised. Any downstream operation (sign, ECDH, export) then runs against uninitialised memory. After decoding, check for ECC_PRIVATEKEY_ONLY and call wc_ecc_make_pub to derive and cache the public point before SetECKeyExternal runs. This matches OpenSSL d2i_ECPrivateKey behaviour. Add test_d2i_ECPrivateKey_no_pubkey: imports a hardcoded private-only P-256 DER (test vector from pyca/cryptography), checks EC_KEY_check_key, verifies public key bytes against oracle, and exercises ECDSA sign/verify. Fixes: Zendesk #21732 Supersedes: wolfSSL#9987
There was a problem hiding this comment.
Pull request overview
Fixes EC private-key import from RFC 5915 DER when the optional publicKey [1] field is omitted, aligning d2i_ECPrivateKey behavior with OpenSSL by deriving the public point after decode so downstream operations don’t operate on an unset/invalid public key.
Changes:
- Derive and cache the EC public key inside
wolfSSL_d2i_ECPrivateKeywhen the decoded key isECC_PRIVATEKEY_ONLY. - Add a new OpenSSL-API test that imports a private-only RFC 5915 EC key and validates derived public key + ECDSA sign/verify.
- Register the new test in the ossl_ec test declarations.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/pk_ec.c |
Derives the public point during d2i_ECPrivateKey import when absent in DER. |
tests/api/test_ossl_ec.c |
Adds coverage for importing private-only RFC 5915 EC keys and validating derived pubkey behavior. |
tests/api/test_ossl_ec.h |
Registers the new test in the ossl_ec test group. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10362
Scan targets checked: wolfssl-bugs, wolfssl-src
No new issues found in the changed files. ✅
|
Please see colpilot reviews. Also you have a note about this superseding #9987 So please make it clear which should be closed or needs to come first? |
|
@dgarske Re: #9987 — the two PRs fix different bugs in the same area:
They're independent fixes — neither supersedes the other. Both should land. #10362 happens to make #9987's reproducer less likely to trigger (because the public point is now derived at import time), but #9987 fixes a separate comparison bug. Copilot feedback addressed in ac0d692 — added |
In builds without HAVE_ECC_MAKE_PUB (e.g. hardware/CB-only), keep the historical import behaviour instead of failing. Gate the test with the same define.
ac0d692 to
1b2a055
Compare
|
retest this please |
1b2a055 to
4046525
Compare
Summary
RFC 5915 makes the
publicKey [1]field optional inECPrivateKeyDERencoding. When a caller imports a private-only DER (produced by OpenSSL,
mbedTLS, an HSM, or any other implementation that omits the field),
wc_EccPrivateKeyDecodesetstype = ECC_PRIVATEKEY_ONLYand leavespubkeyuninitialised. Every downstream operation — ECDSA sign, ECDH,key export — then runs against uninitialised memory, producing wrong
output or a crash.
Fix: after
wc_EccPrivateKeyDecodesucceeds, check forECC_PRIVATEKEY_ONLYand callwc_ecc_make_pub(key, NULL)to deriveand cache the public point before
SetECKeyExternalruns. This matchesOpenSSL's
d2i_ECPrivateKeybehaviour.Relation to existing work
This is the root-cause fix for the same bug addressed at the symptom
level in #9987 ("evp: fix EVP_PKEY_cmp for EC keys after DER
deserialization"). That PR fixed
EVP_PKEY_cmpspecifically by derivingthe public key at comparison time; this PR fixes the import function
itself so all downstream operations work correctly without per-callsite
workarounds. Supersedes #9987.
Also reported as Zendesk support ticket #21732.
Test
New test
test_d2i_ECPrivateKey_no_pubkeyintests/api/test_ossl_ec.c:publicKeyfield),test vector generated by pyca/cryptography and cross-checked with OpenSSL
EC_KEY_check_keypasses (public point on curve, priv/pub consistent)i2o_ECPublicKeyand byte-compares againstoracle-computed expected value — independent of the code under test
Full
./wolfcrypt/test/testwolfcryptand./tests/unit.testpass.