Deprecate and simplify SSL_CTX_check_private_key
It is not actually possible to configure an inconsistent certificate and
private key pair (short of mutating the objects after you've configured
them). The functions that configure certificates and private keys will
refuse to get CERT into an inconsistent state.
SSL_CTX_check_private_key is really just checking that you have a
certificate and private key at all. Some callers (notably pyOpenSSL's
tests) are written as if SSL_CTX_check_private_key does something more,
but that's only because they also configure certificate and private key
in the wrong order. If you configure the key first, configuring the
certificate silently drops the mismatched private key because OpenSSL
thinks you're overwriting an identity. SSL_CTX_check_private_key is
really just detecting this case.
Add tests for all this behavior, document that certificates should be
configured first, and then deprecate SSL_CTX_check_private_key because,
in the correct order, this function is superfluous.
This will get shuffled around with SSL_CREDENTIAL, so add some tests
first.
Bug: 249
Change-Id: I3fcc0f51add1826d581583b43ff003c0dea979dd
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66447
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index 13b97da..9e7a05b 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -3202,7 +3202,6 @@
// message on the error queue.
bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey);
-bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
bool ssl_get_new_session(SSL_HANDSHAKE *hs);
bool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out,
const SSL_SESSION *session);
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index d635fb3..dbc4818 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -493,30 +493,6 @@
return false;
}
-bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
- if (privkey == nullptr) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
- return false;
- }
-
- if (cert->chain == nullptr ||
- sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) == nullptr) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
- return false;
- }
-
- CBS cert_cbs;
- CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0),
- &cert_cbs);
- UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
- if (!pubkey) {
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
- return false;
- }
-
- return ssl_compare_public_and_private_key(pubkey.get(), privkey);
-}
-
bool ssl_cert_check_key_usage(const CBS *in, enum ssl_key_usage_t bit) {
CBS buf = *in;
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 81a9807..f95cd5d 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -1724,17 +1724,36 @@
return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty();
}
+static bool has_cert_and_key(const CERT *cert) {
+ // TODO(davidben): If |cert->key_method| is set, that should be fine too.
+ if (cert->privatekey == nullptr) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
+ return false;
+ }
+
+ if (cert->chain == nullptr ||
+ sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) == nullptr) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return false;
+ }
+
+ return true;
+}
+
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
- return ssl_cert_check_private_key(ctx->cert.get(),
- ctx->cert->privatekey.get());
+ // There is no need to actually check consistency because inconsistent values
+ // can never be configured.
+ return has_cert_and_key(ctx->cert.get());
}
int SSL_check_private_key(const SSL *ssl) {
if (!ssl->config) {
return 0;
}
- return ssl_cert_check_private_key(ssl->config->cert.get(),
- ssl->config->cert->privatekey.get());
+
+ // There is no need to actually check consistency because inconsistent values
+ // can never be configured.
+ return has_cert_and_key(ssl->config->cert.get());
}
long SSL_get_default_timeout(const SSL *ssl) {
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 57116cd..b3bb2c8 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -83,11 +83,21 @@
return false;
}
- if (cert->chain != nullptr &&
- sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) != nullptr &&
- // Sanity-check that the private key and the certificate match.
- !ssl_cert_check_private_key(cert, pkey)) {
- return false;
+ // If the leaf certificate has been configured, check it matches.
+ const CRYPTO_BUFFER *leaf = cert->chain != nullptr
+ ? sk_CRYPTO_BUFFER_value(cert->chain.get(), 0)
+ : nullptr;
+ if (leaf != nullptr) {
+ CBS cert_cbs;
+ CRYPTO_BUFFER_init_CBS(leaf, &cert_cbs);
+ UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
+ if (!pubkey) {
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
+ return false;
+ }
+ if (!ssl_compare_public_and_private_key(pubkey.get(), pkey)) {
+ return false;
+ }
}
cert->privatekey = UpRef(pkey);
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 0b4ad3c..d12d49c 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -4556,6 +4556,82 @@
ERR_clear_error();
}
+TEST(SSLTest, CertThenKeyMismatch) {
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
+ ASSERT_TRUE(key);
+ bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
+ ASSERT_TRUE(leaf);
+
+ // There is no key or certificate, so |SSL_CTX_check_private_key| fails.
+ EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
+
+ // With only a certificate, |SSL_CTX_check_private_key| still fails.
+ ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
+ EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
+
+ // The private key does not match the certificate, so it should fail.
+ EXPECT_FALSE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
+
+ // Checking the private key fails, but this is really because there is still
+ // no private key.
+ EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
+ EXPECT_EQ(nullptr, SSL_CTX_get0_privatekey(ctx.get()));
+}
+
+TEST(SSLTest, KeyThenCertMismatch) {
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
+ ASSERT_TRUE(key);
+ bssl::UniquePtr<X509> leaf = GetChainTestCertificate();
+ ASSERT_TRUE(leaf);
+
+ // There is no key or certificate, so |SSL_CTX_check_private_key| fails.
+ EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
+
+ // With only a key, |SSL_CTX_check_private_key| still fails.
+ ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
+ EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
+
+ // If configuring a certificate that doesn't match the key, configuration
+ // actually succeeds. We just silently drop the private key.
+ ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
+ EXPECT_EQ(nullptr, SSL_CTX_get0_privatekey(ctx.get()));
+
+ // Some callers configure the private key, then the certificate, and then
+ // expect |SSL_CTX_check_private_key| to check consistency. It does, but only
+ // by way of noticing there is no private key. The actual consistency check
+ // happened in |SSL_CTX_use_certificate|.
+ EXPECT_FALSE(SSL_CTX_check_private_key(ctx.get()));
+}
+
+TEST(SSLTest, OverrideCertAndKey) {
+ // It is possible to override an existing certificate by configuring
+ // certificate, then key, due to |SSL_CTX_use_certificate|'s above silent
+ // dropping behavior.
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
+ ASSERT_TRUE(key);
+ bssl::UniquePtr<X509> leaf = GetTestCertificate();
+ ASSERT_TRUE(leaf);
+ bssl::UniquePtr<EVP_PKEY> key2 = GetChainTestKey();
+ ASSERT_TRUE(key2);
+ bssl::UniquePtr<X509> leaf2 = GetChainTestCertificate();
+ ASSERT_TRUE(leaf2);
+
+ ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf.get()));
+ ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
+
+ ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), leaf2.get()));
+ ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key2.get()));
+}
+
TEST(SSLTest, SetChainAndKeyCtx) {
bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
ASSERT_TRUE(client_ctx);
