server config util UPDATE keep privkey format

Before, whenever a privkey was loaded from a file, its format was always
changed to the SubjectPrivateKeyInfo format. With this change, the
privkeys retain their format from the input file in YANG. Doesn't work
for X509 privkeys when using MbedTLS.

Author: Roytak

src/server_config_util.c

@@ -794,42 +794,37 @@ nc_server_config_util_get_privkey_format(const char *privkey, enum nc_privkey_fo
     return 0;
 }
 
+/**
+ * @brief Get private key using the TLS backend's functions.
+ *
+ * @param[in] privkey_path Path to the private key file.
+ * @param[out] pkey TLS backend's underlying private key structure.
+ * @return 0 on success, 1 on failure.
+ */
 static int
-nc_server_config_util_get_privkey_libtls(const char *privkey_path, char **privkey, void **pkey)
+nc_server_config_util_get_privkey_libtls(const char *privkey_path, void **pkey)
 {
-    void *pkey_tmp;
-    char *privkey_tmp;
-
-    NC_CHECK_ARG_RET(NULL, privkey_path, privkey, pkey, 1);
-
-    *privkey = *pkey = NULL;
-
-    pkey_tmp = nc_tls_import_privkey_file_wrap(privkey_path);
-    if (!pkey_tmp) {
-        return 1;
-    }
-
-    privkey_tmp = nc_tls_export_privkey_pem_wrap(pkey_tmp);
-    if (!privkey_tmp) {
-        nc_tls_privkey_destroy_wrap(pkey_tmp);
-        return 1;
-    }
+    *pkey = NULL;
 
-    *privkey = privkey_tmp;
-    *pkey = pkey_tmp;
-    return 0;
+    *pkey = nc_tls_import_privkey_file_wrap(privkey_path);
+    return *pkey ? 0 : 1;
 }
 
+/**
+ * @brief Get private key using libssh functions.
+ *
+ * @param[in] privkey_path Path to the private key file.
+ * @param[out] pkey TLS backend's underlying private key structure.
+ * @return 0 on success, 1 on failure.
+ */
 static int
-nc_server_config_util_get_privkey_libssh(const char *privkey_path, char **privkey, void **pkey)
+nc_server_config_util_get_privkey_libssh(const char *privkey_path, void **pkey)
 {
     int ret = 0;
     ssh_key key = NULL;
-    void *pkey_tmp = NULL;
-    char *privkey_tmp = NULL;
-
-    NC_CHECK_ARG_RET(NULL, privkey_path, privkey, pkey, 1);
+    char *privkey_buf = NULL;
 
+    /* import the OpenSSH private key using libssh */
     ret = ssh_pki_import_privkey_file(privkey_path, NULL, NULL, NULL, &key);
     if (ret) {
         ERR(NULL, "Importing privkey from file \"%s\" failed.", privkey_path);
@@ -838,45 +833,43 @@ nc_server_config_util_get_privkey_libssh(const char *privkey_path, char **privke
     }
 
     /* export the key in PEM */
-    ret = ssh_pki_export_privkey_base64(key, NULL, NULL, NULL, &privkey_tmp);
+    ret = ssh_pki_export_privkey_base64(key, NULL, NULL, NULL, &privkey_buf);
     if (ret) {
         ERR(NULL, "Exporting privkey to base64 failed.");
         goto cleanup;
     }
 
-    pkey_tmp = nc_tls_pem_to_privkey_wrap(privkey_tmp);
-    if (!pkey_tmp) {
-        free(privkey_tmp);
+    /* convert the base64 PEM to libtls private key representation */
+    *pkey = nc_tls_pem_to_privkey_wrap(privkey_buf);
+    if (!*pkey) {
         ret = 1;
         goto cleanup;
     }
 
-    *privkey = privkey_tmp;
-    *pkey = pkey_tmp;
-
 cleanup:
+    free(privkey_buf);
     ssh_key_free(key);
     return ret;
 }
 
 static int
-nc_server_config_util_pem_strip_header_footer(const char *pem, char **privkey)
+nc_server_config_util_privkey_strip_header_footer(const char *orig_privkey, char **privkey)
 {
     const char *header, *footer;
 
-    if (!strncmp(pem, NC_PKCS8_PRIVKEY_HEADER, strlen(NC_PKCS8_PRIVKEY_HEADER))) {
+    if (!strncmp(orig_privkey, NC_PKCS8_PRIVKEY_HEADER, strlen(NC_PKCS8_PRIVKEY_HEADER))) {
         /* it's PKCS8 (X.509) private key */
         header = NC_PKCS8_PRIVKEY_HEADER;
         footer = NC_PKCS8_PRIVKEY_FOOTER;
-    } else if (!strncmp(pem, NC_OPENSSH_PRIVKEY_HEADER, strlen(NC_OPENSSH_PRIVKEY_HEADER))) {
+    } else if (!strncmp(orig_privkey, NC_OPENSSH_PRIVKEY_HEADER, strlen(NC_OPENSSH_PRIVKEY_HEADER))) {
         /* it's OpenSSH private key */
         header = NC_OPENSSH_PRIVKEY_HEADER;
         footer = NC_OPENSSH_PRIVKEY_FOOTER;
-    } else if (!strncmp(pem, NC_PKCS1_RSA_PRIVKEY_HEADER, strlen(NC_PKCS1_RSA_PRIVKEY_HEADER))) {
+    } else if (!strncmp(orig_privkey, NC_PKCS1_RSA_PRIVKEY_HEADER, strlen(NC_PKCS1_RSA_PRIVKEY_HEADER))) {
         /* it's RSA privkey in PKCS1 format */
         header = NC_PKCS1_RSA_PRIVKEY_HEADER;
         footer = NC_PKCS1_RSA_PRIVKEY_FOOTER;
-    } else if (!strncmp(pem, NC_SEC1_EC_PRIVKEY_HEADER, strlen(NC_SEC1_EC_PRIVKEY_HEADER))) {
+    } else if (!strncmp(orig_privkey, NC_SEC1_EC_PRIVKEY_HEADER, strlen(NC_SEC1_EC_PRIVKEY_HEADER))) {
         /* it's EC privkey in SEC1 format */
         header = NC_SEC1_EC_PRIVKEY_HEADER;
         footer = NC_SEC1_EC_PRIVKEY_FOOTER;
@@ -885,7 +878,7 @@ nc_server_config_util_pem_strip_header_footer(const char *pem, char **privkey)
     }
 
     /* make a copy without the header and footer */
-    *privkey = strndup(pem + strlen(header), strlen(pem) - strlen(header) - strlen(footer));
+    *privkey = strndup(orig_privkey + strlen(header), strlen(orig_privkey) - strlen(header) - strlen(footer));
     NC_CHECK_ERRMEM_RET(!*privkey, 1);
 
     return 0;
@@ -930,13 +923,11 @@ nc_server_config_util_get_privkey(const char *privkey_path, enum nc_privkey_form
     case NC_PRIVKEY_FORMAT_EC:
     case NC_PRIVKEY_FORMAT_X509:
         /* the TLS lib can do this */
-        ret = nc_server_config_util_get_privkey_libtls(privkey_path, &priv, pkey);
+        ret = nc_server_config_util_get_privkey_libtls(privkey_path, pkey);
         break;
     case NC_PRIVKEY_FORMAT_OPENSSH:
         /* need the help of libssh */
-        ret = nc_server_config_util_get_privkey_libssh(privkey_path, &priv, pkey);
-        /* if the function returned successfully, the key is no longer OpenSSH, it was converted to x509 */
-        *privkey_format = NC_PRIVKEY_FORMAT_X509;
+        ret = nc_server_config_util_get_privkey_libssh(privkey_path, pkey);
         break;
     default:
         ERR(NULL, "Private key format not recognized.");
@@ -947,17 +938,26 @@ nc_server_config_util_get_privkey(const char *privkey_path, enum nc_privkey_form
         goto cleanup;
     }
 
-    /* parsing may have changed its type, get it again */
+    /* export the private key to its original format type,
+     * all of this was done to avoid having to parse the private key ourselves
+     * and since we have a "pkey" we can be sure, that the private key is valid */
+    ret = nc_tls_privkey_export_wrap(*pkey, *privkey_format, &priv);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* get the privkey format again from the exported private key,
+     * it should match the previous one, but in case it doesn't,
+     * we can still at least store the 'current' one in YANG and use it */
     ret = nc_server_config_util_get_privkey_format(priv, privkey_format);
     if (ret) {
-        ERR(NULL, "Getting private key format from file \"%s\" failed.", privkey_path);
+        ERR(NULL, "Private key format \"%s\" not supported.", priv);
         goto cleanup;
     }
 
     /* strip private key's header and footer */
-    ret = nc_server_config_util_pem_strip_header_footer(priv, privkey);
+    ret = nc_server_config_util_privkey_strip_header_footer(priv, privkey);
     if (ret) {
-        ERR(NULL, "Stripping header and footer from private key \"%s\" failed.", privkey_path);
         goto cleanup;
     }
 

src/session_mbedtls.c

@@ -38,6 +38,8 @@
 #include "session_p.h"
 #include "session_wrapper.h"
 
+#include <libssh/libssh.h>
+
 #include <mbedtls/base64.h>
 #include <mbedtls/bignum.h>
 #include <mbedtls/ctr_drbg.h>
@@ -1411,28 +1413,79 @@ nc_tls_import_cert_file_wrap(const char *cert_path)
     return c;
 }
 
-char *
-nc_tls_export_privkey_pem_wrap(void *pkey)
+/**
+ * @brief Convert a PKCS#1/SEC1 private key to OpenSSH format.
+ *
+ * @param[in] pk Private key in PKCS#1/SEC1 PEM format.
+ * @param[out] privkey Private key in OpenSSH format.
+ * @return 0 on success, 1 on error.
+ */
+static int
+nc_tls_privkey_export_openssh(const char *pk, char **privkey)
 {
-    int rc;
-    char *pem;
+    int rc = 0;
+    ssh_key sshkey = NULL;
+
+    /* load the SEC1/PKCS#1 using libssh */
+    if (ssh_pki_import_privkey_base64(pk, NULL, NULL, NULL, &sshkey)) {
+        ERR(NULL, "Importing the private key to libssh failed (%s).", ssh_get_error(NULL));
+        rc = 1;
+        goto cleanup;
+    }
+
+    /* export to OpenSSH format */
+    if (ssh_pki_export_privkey_base64_format(sshkey, NULL, NULL, NULL, privkey, SSH_FILE_FORMAT_OPENSSH)) {
+        ERR(NULL, "Exporting the private key to OpenSSH format failed (%s).", ssh_get_error(NULL));
+        rc = 1;
+        goto cleanup;
+    }
+
+cleanup:
+    ssh_key_free(sshkey);
+    return rc;
+}
+
+int
+nc_tls_privkey_export_wrap(void *pkey, enum nc_privkey_format format, char **privkey)
+{
+    int r, rc = 0;
     size_t size = 128;
+    char *pk;
 
-    pem = malloc(size);
-    NC_CHECK_ERRMEM_RET(!pem, NULL);
+    if (format == NC_PRIVKEY_FORMAT_UNKNOWN) {
+        ERRINT;
+        return 1;
+    }
+
+    /* use mbedtls_pk_write_key_pem to write either PKCS#1 or SEC1 format */
+    pk = malloc(size);
+    NC_CHECK_ERRMEM_RET(!pk, 1);
 
-    while ((rc = mbedtls_pk_write_key_pem(pkey, (unsigned char *)pem, size)) == MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
+    /* try to write the key, reallocating if the buffer is too small */
+    while ((r = mbedtls_pk_write_key_pem(pkey,
+            (unsigned char *)pk, size)) == MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
         size <<= 1;
-        pem = nc_realloc(pem, size);
-        NC_CHECK_ERRMEM_RET(!pem, NULL);
+        pk = nc_realloc(pk, size);
+        NC_CHECK_ERRMEM_RET(!pk, 1);
     }
-    if (rc < 0) {
-        nc_mbedtls_strerr(NULL, rc, "Exporting private key to PEM format failed");
-        free(pem);
-        return NULL;
+    if (r < 0) {
+        nc_mbedtls_strerr(NULL, r, "Exporting private key to PEM format failed");
+        rc = 1;
+        goto cleanup;
     }
 
-    return pem;
+    if (format == NC_PRIVKEY_FORMAT_OPENSSH) {
+        /* convert it to OpenSSH format */
+        rc = nc_tls_privkey_export_openssh(pk, privkey);
+    } else {
+        /* return the PEM as is (PKCS#1 or SEC1), mbedtls can not do NC_PRIVKEY_FORMAT_X509 */
+        *privkey = pk;
+        pk = NULL;
+    }
+
+cleanup:
+    free(pk);
+    return rc;
 }
 
 char *