evp: fix EVP_PKEY2PKCS8 returning NULL for private-key-only EC keys

When an EC_KEY is created via EC_KEY_new + EC_KEY_set_group +
EC_KEY_set_private_key (no public point set), SetECKeyInternal
incorrectly marks the internal ecc_key as ECC_PRIVATEKEY (instead of
ECC_PRIVATEKEY_ONLY) because pub_key is always non-NULL — EC_KEY_new
always allocates it as an empty, zero-initialised EC_POINT.

ECC_populate_EVP_PKEY only calls wc_ecc_make_pub for ECC_PRIVATEKEY_ONLY
keys, so the zero public-key point was serialised into the DER stored in
pkey->pkey.ptr.  After commit 929dd99 made wc_ecc_import_x963_ex always
pass untrusted=1, the re-decode inside wolfSSL_EVP_PKEY2PKCS8 →
wolfSSL_d2i_PrivateKey_EVP correctly rejected that zero point with an
on-curve failure, causing EVP_PKEY2PKCS8 to return NULL.

Fix: in ECC_populate_EVP_PKEY, also call wc_ecc_make_pub when the key
type is ECC_PRIVATEKEY but pubkey.x is zero (meaning the public key was
never actually populated).  This reconstructs the public key from the
private scalar so that the encoded DER contains a valid on-curve point.

Reproduces the failure seen in SoftHSM's ECDHTests::testPKCS8 and
ECDSATests::testPKCS8 which use exactly this pattern.

Author: Frauschi

tests/api.c

@@ -16265,6 +16265,76 @@ static int test_wolfSSL_BUF(void)
     return EXPECT_RESULT();
 }
 
+/* Regression: EVP_PKEY_keygen for EC must populate pkey->pkey.ptr so that
+ * EVP_PKEY2PKCS8 can encode the key (reported via SoftHSM ECDHTests::testPKCS8
+ * and ECDSATests::testPKCS8 after commit that enabled on-curve validation). */
+static int test_wolfSSL_EVP_PKEY2PKCS8_keygen(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL)) && defined(HAVE_ECC)
+    EVP_PKEY_CTX           *ctx = NULL;
+    EVP_PKEY               *pkey = NULL;
+    PKCS8_PRIV_KEY_INFO    *p8 = NULL;
+
+    ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL));
+    ExpectIntGT(EVP_PKEY_keygen_init(ctx), 0);
+    ExpectIntGT(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx,
+                                                       NID_X9_62_prime256v1), 0);
+    ExpectIntGT(EVP_PKEY_keygen(ctx, &pkey), 0);
+    /* pkey->pkey.ptr must be populated so PKEY2PKCS8 can encode the key */
+    if (pkey != NULL) {
+        ExpectNotNull(pkey->pkey.ptr);
+    }
+    ExpectNotNull(p8 = EVP_PKEY2PKCS8(pkey));
+
+    PKCS8_PRIV_KEY_INFO_free(p8);
+    EVP_PKEY_free(pkey);
+    EVP_PKEY_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+
+/* Regression test for SoftHSM pattern: EC_KEY created with only group and
+ * private scalar set (no public key point), then wrapped in EVP_PKEY and
+ * passed to EVP_PKEY2PKCS8.  Before the fix, ECC_populate_EVP_PKEY would
+ * serialise the zero public-key point that SetECKeyInternal copied from the
+ * uninitialised pub_key EC_POINT, and the subsequent re-decode in
+ * wolfSSL_EVP_PKEY2PKCS8 would fail the on-curve check. */
+static int test_wolfSSL_EVP_PKEY2PKCS8_priv_only(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL)) && defined(HAVE_ECC)
+    EC_KEY              *full = NULL;
+    EC_KEY              *priv_only = NULL;
+    EVP_PKEY            *pkey = NULL;
+    PKCS8_PRIV_KEY_INFO *p8 = NULL;
+    const BIGNUM        *priv_bn = NULL;
+    const EC_GROUP      *grp = NULL;
+
+    /* Generate a full keypair to extract the private scalar from. */
+    ExpectNotNull(full = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+    ExpectIntEQ(EC_KEY_generate_key(full), WOLFSSL_SUCCESS);
+
+    /* Build a key with only group + private scalar — no public point. */
+    ExpectNotNull(grp    = EC_KEY_get0_group(full));
+    ExpectNotNull(priv_bn = EC_KEY_get0_private_key(full));
+    ExpectNotNull(priv_only = EC_KEY_new());
+    ExpectIntEQ(EC_KEY_set_group(priv_only, (EC_GROUP*)grp), WOLFSSL_SUCCESS);
+    ExpectIntEQ(EC_KEY_set_private_key(priv_only, priv_bn), WOLFSSL_SUCCESS);
+
+    /* Wrap in EVP_PKEY and call EVP_PKEY2PKCS8 — must not return NULL. */
+    ExpectNotNull(pkey = EVP_PKEY_new());
+    ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey, priv_only), WOLFSSL_SUCCESS);
+    ExpectNotNull(p8 = EVP_PKEY2PKCS8(pkey));
+
+    PKCS8_PRIV_KEY_INFO_free(p8);
+    EVP_PKEY_free(pkey);
+    EC_KEY_free(priv_only);
+    EC_KEY_free(full);
+#endif
+    return EXPECT_RESULT();
+}
+
 static int test_wolfSSL_PKCS8_Compat(void)
 {
     EXPECT_DECLS;
@@ -34923,6 +34993,8 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_PKCS5),
 
     /* OpenSSL PKCS8 API test */
+    TEST_DECL(test_wolfSSL_EVP_PKEY2PKCS8_keygen),
+    TEST_DECL(test_wolfSSL_EVP_PKEY2PKCS8_priv_only),
     TEST_DECL(test_wolfSSL_PKCS8_Compat),
     TEST_DECL(test_wolfSSL_PKCS8_d2i),
 

wolfcrypt/src/evp.c

@@ -3715,6 +3715,10 @@ int wolfSSL_EVP_PKEY_keygen_init(WOLFSSL_EVP_PKEY_CTX *ctx)
     return WOLFSSL_SUCCESS;
 }
 
+#ifdef HAVE_ECC
+static int ECC_populate_EVP_PKEY(WOLFSSL_EVP_PKEY* pkey, WOLFSSL_EC_KEY *key);
+#endif
+
 int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx,
   WOLFSSL_EVP_PKEY **ppkey)
 {
@@ -3769,6 +3773,8 @@ int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx,
                 ret = wolfSSL_EC_KEY_generate_key(pkey->ecc);
                 if (ret == WOLFSSL_SUCCESS) {
                     pkey->ownEcc = 1;
+                    if (ECC_populate_EVP_PKEY(pkey, pkey->ecc) != WOLFSSL_SUCCESS)
+                        ret = WOLFSSL_FAILURE;
                 }
             }
             break;
@@ -9521,7 +9527,15 @@ static int ECC_populate_EVP_PKEY(WOLFSSL_EVP_PKEY* pkey, WOLFSSL_EC_KEY *key)
         else
 #endif /* HAVE_PKCS8 */
         {
-            if (ecc->type == ECC_PRIVATEKEY_ONLY) {
+            if (ecc->type == ECC_PRIVATEKEY_ONLY ||
+                    (ecc->type == ECC_PRIVATEKEY &&
+                     mp_iszero(ecc->pubkey.x))) {
+                /* Reconstruct public key from private scalar.  This covers
+                 * both ECC_PRIVATEKEY_ONLY keys and ECC_PRIVATEKEY keys whose
+                 * public-key point was never populated (e.g. when only
+                 * EC_KEY_set_private_key was called, SetECKeyInternal copies
+                 * the zero-initialized pub_key point and marks the type as
+                 * ECC_PRIVATEKEY, leaving pubkey.x == 0). */
                 if (wc_ecc_make_pub(ecc, NULL) != MP_OKAY) {
                     return WOLFSSL_FAILURE;
                 }