TLS failed to load password-protected private key from buffer (#2606)

Fix loading TLS cert from buffer with private key password-protected, adding logs in loading cert/key, updated expired TLS cert in SSL socket unit test.
4 years ago · 580b0f3ef3
parent d3542d9143
commit 580b0f3ef3
7 changed files with 140 additions and 35 deletions
--- a/pjlib/build/cacert.der
+++ b/pjlib/build/cacert.der
--- a/pjlib/build/cacert.pem
+++ b/pjlib/build/cacert.pem
@ -1,14 +1,30 @@
 -----BEGIN CERTIFICATE-----
-MIICNDCCAZ2gAwIBAgIJAIa9mZggMk2WMA0GCSqGSIb3DQEBBAUAMDMxEjAQBgNV
-BAMTCXBqc2lwLmxhYjEdMBsGCSqGSIb3DQEJARYOdGVzdEBwanNpcC5sYWIwHhcN
-MTAwMjEwMDkwNTQ0WhcNMjAwMjA4MDkwNTQ0WjAzMRIwEAYDVQQDEwlwanNpcC5s
-YWIxHTAbBgkqhkiG9w0BCQEWDnRlc3RAcGpzaXAubGFiMIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQDI9T0Pf+1gKOTOAGEpZ481Q6xfm5vz6n1+6udxzQtfPKlQ
-rPD5x5im2u3tmy6ABxZeY5tCdeikBPiGlc5bRIRng6KM8kidkg3gEhwhRUxHCMWb
-mBpkz7rFERf/pWAOCqYCiy1RT8QrK+XOFoFdJhdF85UPDEUw+pHEsYetTDs9RQID
-AQABo1AwTjBMBgNVHREERTBDgglwanNpcC5sYWKCDXNpcC5wanNpcC5sYWKBDnRl
-c3RAcGpzaXAubGFihhFzaXA6c2lwLnBqc2lwLmxhYocEfwAAATANBgkqhkiG9w0B
-AQQFAAOBgQCLPl/WF1QvjT36kVLH0nxfHwDOJuAzlh6nv9rYBviOLw9FTEMgW6hA
-oG55YSdVjTnMynTMOH/kVp4Vxlk46A8neE+/LI8RPh6lJh52vb+iPAtBpsQoq06T
-+u4DfJcN8Y/jy+QAn78jryKjwKuZWfuWny9gxsLWMUbH5Bc6v6wfQQ==
+MIIFNDCCAxygAwIBAgIUeMZNwp8GnetvaGka8ktFmsvLwbcwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJcGpzaXAubGFiMB4XDTIwMTIxMTEwMTI1M1oXDTMwMTIw
+OTEwMTI1M1owFDESMBAGA1UEAwwJcGpzaXAubGFiMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAp2uZV8GB+s3A2UvBlGbHk5GdONHFXPT1PxZCTP+fsP3j
+A7SxwmCu7rq/oSGygHgkcX+bh7tGRtZDbS5DMzmhfRTUcHegTLFltf+L7JlT/M3O
+wbdssOI+YLlnGAY98qchMs8S9Ij5oaXvGh68PC21epyJHYoaWRqf33Qvndx3Wclo
+hgINHULPnDzT62HlkIeVgdGvgbitAaVwjUqIY2zQYVaKMxqurjeexeiPJpbwVvCy
+6MQ33lw16monU+jbnHHpnHsbEL7RMNDg+950figM8EFLyFMkUtK4ZZyOEWJhrbtS
+v/N692+EG2j2seC/QHkhDqlFYVKRDIYLelwIuR1lPWV5IXPPFX+yHgUcvSJQpsbp
+B/0SG0IbxQIol615MEpBGbeL1T4I6KXilTTdnD8ROIVx3rkvu+9SCD26L1eRfLl9
+N2N7wXScjInCRxMdvbb9Dja5hSjv2VSXJPmtK9b+8BL698XSkK4BfU6G0fYohDFg
+UJVFqDttOc4EhcwvNm5hNgiIgFzEoZ8y0BGtYwmi4B2BVtMud5LJZo/txLWkd/L+
+hdkO9FqPCDvFEIVtmD4xpczNpy4BhSczG7xUuul03qj0aZW94AdrO00fBMOTT8wF
+gyvtPkMP0CRnbyUpaGiv3NdO2AndIdHCE0oi67J5RajD1RGwPMErvfxXBYnek0UC
+AwEAAaN+MHwwHQYDVR0OBBYEFF6rnJ5vs8hTda7vbDQYWmekykW3MB8GA1UdIwQY
+MBaAFF6rnJ5vs8hTda7vbDQYWmekykW3MA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0R
+BCIwIIINc2lwLnBqc2lwLmxhYoIJcGpzaXAubGFihwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4ICAQCXrMnVDhCAIZBduL8yeXOxKwnxDC9OB1GcOESbD3Rxorm2AI/jdbob
+xBG5yhU587NZDpkjZcwjyjAxQOwvuX8b/EXWKqSS1lf/nvLXm5bGwIORpbhpVtac
+UI6lmRPAyAEu59HLUuidqjkerGOeKYN91KSAFuWl78zBEXd58a6RfZ4ALpKO9X+a
+od1jGYLdRaWq8/pwZub/VOcgk/gCifpK/cgST/mg4pUBoPo1w2kR5kccxDMK+6jy
+3xbm18UItoxomLzUfyKNwQ1XTsZor3f9f0vX/hpPjpvcqzgSh0Ei6XiRFRClSaUv
+DrHqny6jOMzt92Nyu804ALpN9gRi5y2ayDYuR4RTZ8dSuEqUbhllfvHgRo1x6MmA
+i5uxVJca4nJwINWpZGkGk4RAeDVbdgHZoSsK3a1sWTqvvt/Dz5Srl6ilvG1ZiHZX
+Tbihc54gpNx5BzLndbaCMJ74MIOCcAvn5pos2CgPaOPUQPcAFG/0+IqIM2kzmr1Z
+LkdSVEOQ96BT4KEHKIEgTSNrv4/hA6XpmN0e/w07cNY3o5besXBfR85VV+nuceKw
+cg9WqbaooDjTLdb7c+lhifHFtZRuKr2YHW7UMEeJO36MLDtj52m5RRMB2T4+wL+V
+YaCSfdNI6I1/ZCY9FlwG+5qdmvJio6ueZDCX5CxcsZb4YraIis460A==
 -----END CERTIFICATE-----
--- a/pjlib/build/privkey.p12
+++ b/pjlib/build/privkey.p12
--- a/pjlib/build/privkey.pem
+++ b/pjlib/build/privkey.pem
@ -1,15 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDI9T0Pf+1gKOTOAGEpZ481Q6xfm5vz6n1+6udxzQtfPKlQrPD5
-x5im2u3tmy6ABxZeY5tCdeikBPiGlc5bRIRng6KM8kidkg3gEhwhRUxHCMWbmBpk
-z7rFERf/pWAOCqYCiy1RT8QrK+XOFoFdJhdF85UPDEUw+pHEsYetTDs9RQIDAQAB
-AoGAGV+1xQY/H7wqH8S2f/begzg3RJ8uUt8R13urm5frTqwnKNOdXbyRDshn8G9+
-sJW0gliLWxnuNP+Xrc6ujqGZIguK/yAxJ3LprAN2Ay1lW2ONyZNMquBeIY5Txhyy
-SnU7U+NQYgA3+w9T7O7YQ575TTDm2gri558jIx8t55Wo9sUCQQDtjfGZ3sYXwpxR
-MvtdtfwDxSKhf6glT6dn7/37KITBZXFy6Eb/tHrEEUuwR46g30vTd2JElCB+QExu
-4sZDt813AkEA2I/WXdGVRXtHzVivf3AnqWyXfrfAAXlBmEkgPyIPwE1+mxeNxkU7
-TRn0MOqAfbQW4+GRIYCKSBLodRnRq2iKIwJBAJLYa8DyNQH7CyYmnbwQAvlRo1ax
-0v89ff6CHD5ljar/SmH9s+XdawZIqsENet13KyhNZDGAX5WrqZPiGy1BMYECQQC1
-FREawfUfdEZF3rJgzVdcxACpZNyYXtwKipr8L28cTbBf3wIdmCZOAjW98VgfxEaf
-pi3E5ca7HZRi1oQL4A4hAkEA5koHCQYl+5PDjbLtxl0VyVCpmT9BrcZ99MS+ZEaW
-2+HpKIhXrEFxePQaWbCaW7gjKmKUwC0qqu0moedqJC3mzg==
-----END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQILwghSQuUF7MCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECHKyWOypiKo0BIIJSCS86LhyHmGK
+oXggCF/oKjtnvSU6r29qAw2SU9DaW8/vQP32JdTZE1EEPxRDe4NziSpPeXIJ6Vf9
+MlGHC5RG56Zr/riBdk0nT6opx/2JIpSFzpqZwTuxeFLAAJEoM1DwAjmiU9FDDzPv
+cHUoNBoFrsIRImcuOnsy8i5+uYT3QdIBUAA5w5mXwOdTlJ/F7h83SocgOKTc9xYW
+02A1DecA4OKcrfz6LBC5yFdoPsBXvFrSz78LTFzirbdq2RuI1Ae3oD7hn/8b/Yzc
+NwHZo4m8XMuu1XSQ0z36gmrwlYI0NQiPAL/nknpRCnQgjR8AJsk9n72VU+TfWTtR
+H1wshrBu0RYLX4YQA1uwz44BYgN2YLtQsjrgPdGm7pUhTfVcxc/zL/8bWpOOs04T
+2/oT2Ft/gmvvsHo08QhqzOcnkVxl7qnwuw1UI8TMLwZ1Rppsc1Malakj7s5GDLik
+ayol1RDT2NK+1Oxj1liQOJgx9ojL1Pxu0oBXLfT5P4rCUuShIx7jr6Kxlixg2A8B
+g+MHzcKtFSFHut9Ag5s5Car5JNFWc91zvqNVQXYLq49AqDV/Nl1Q5ulkZZvg1rl5
+PGWNkfRiok++OL8FdFKpmCCRhaUDg3M87iE293CDY/gwKlDXNv8QJZ2OTaDr2f4X
+ASpuZjJHsGhKJzUXMFK4eQT0JYpFzYvLNe84CPuml6IsfRaSuRIZnOnv724Dp6wd
+xdjtAtm0p6L/RRTTapt/TxEvB6aiy4J47ghbMCZvqI1QfCkw+otzbvg4LxcR/Rn8
+OQUhUVcmS+1NOCZPtA1S2vlZVCb97SfpveTSaQp6f1Tka8YBCyhd0OlbA/XnVEDb
+tMGGl4oXhj9P2x57y47eur/2eTXDnGxorMJA4zooLljEucbk5t8r8U2tacUJDsyQ
+K1tcOhY8bnrJudjTGYeewlI0W3pSAiUlBk8CtCNSsfJQr7MBoWcjasp/i6DQDBU1
+/wy7zCo1+2xIhWWw9KCQK5NBpGTvq0tUgkfre0ft+MNlqgWp1L58sNi9xqcb03cv
+F8rOPO24VM7LiJfm6vvSiQJW0+YKFHlQdA0wCyTiRO8Xx98w7Lc04+XunaS2o/25
+1uZ0iK2oYtMlLxALG1FPmAnMAXn/AeAdcYuy2OaztYltnMzeOP4myyh25iRRaSlI
+fuvQkZcn8FnoQYmVxlmWSlbQcJqIxbLlbCRIXCeqxz1jCEVurO9u1lSl5QsmN/Bm
+KYW7wEcQXTxQsu4n7Rh+9ddAEBETf3NuA3XcSNR8EjdMBWz7lyAnzM54A5SEA7rL
+J2YYkr3L05wJL0tWQjXx+bewe5mnDS8sYnQgE+xRvdasDuGYHXA35z7ORM5KatdG
+LTLxbdXjgjVunTrXvyULKyrAAO6knjFHS1SKKm4Qp9i0eyhB65P6Ow3d2A0xSooO
+z+eSiUEiTq1BeqJTLbds5blV/ivPkXIQOMwl2ziE2y4QR3qGlzgzO3uLdFcIWztQ
+Gl+D2sOMPZLJ+z9HgqRsqtXbK+Ne73zW7k52xwC6aqMZ0zuZWcIjpB7GEKuHCauO
+iJu8W7GkSHcfr39cvyVqXRHzYJs6MhVJSAMxaaoy6EL+5rqDD2bSbDjtsYXI4uvA
+mmXOnnBY86A+mDn9AgJpTvY6tnVyD/XnfCBOiV+jKKEXEgXNqoNm9CIzpcK+myl2
+5FpMYcV771ckYFrhe/4ckhs/0vCpiFXviqZwhQZz8CczoJvLIhitCW0/UkUhVM+x
+Y0lu10ju+w7WJsc9FyjdMl5AdCUIiXS10gOEgvW+iY1dIa/Z6jLFtmiPmgbleD+Q
+lqYDZnbMuVz6xUPVkeuJ9s+J2iFQhfLEg5ftKIX71WvXwA1R7CdEasQ5f78CiZiB
+E7hGIe5RcV5XA07lOQrrpJwR0kPsSHOrng/Sy+sYfbs6VkMUDR1gtGG1jXIeL4i3
+1QVTlHhJd5QiDQGCxkCU90ujDy1Syj2YSvMrpP7QJOLezyWHjoHdHEuRbsTlDuyo
+bLx/9AvU8wPdBP1/w2MTWtCCMhIcwA/HJyj7YchLfq4jRuSxBRpJXf1A2pR1zv4+
+0/a1szx/9bWFtgD3ouUxmOHQlXOaqbejUbrHq3JFyisHrew7wjqWXF01JeLQkTXC
+chwMSAKQBp69GpCOANyxjNQNFD6thV/AOoXGHWqwu37WfcKmAGmo39npNRGjd+m3
+nl4rHgXZ1lMtBuOeNLQP48+4HyecwnxRZ2fRQ+fH324vq0/qH4SVIddqcHCIIlsv
+9paiYbXu0igbXjMHsLO+mmER+a1zzyUV/2IlLFbnEfg1BGT+jeGJ872Msgn+r4I7
+WZdjvrhuc21EVqp3LMzciE19+baFPvbRA6pnGfctS2LGwVLEUhMnrUnr6rEvUdez
+auZGeAwkFpqO/HbchTiBsrppD3EhDlqFt7fh/cdJWjoSr4DBsNSbRJJ+txb0S2zr
+yTuSHP74DCxFduoq7gwzZAbzqGAnW2/AWVmb5K5zvKYrrogQiNVsMOF4mr1cAsqI
+jHsXLHIxpMOxN4xI5bgGWZR8RaPO8WxM0fjRm+gPqAxVZoW6mI+zD9pzAm4MTgR/
+JWi1eWQ+gQhRTa3FnZL/2egfafGAJpgGsSKTtN9s+/xWBC3CRzWA20djKxl0WO+7
+2awxrl6mPBsne+fh3QMGqriLtqSfSyp3TicLWp/jjxPAkZd14PxaRC8jUN4pCYIv
+mIMLvHhvMU2TxFRr8kKjNXHgueotU5f+HrJf36ZHBPt8+Ma/q41F9BfC0gB3aGtt
+AU2x5sfFPp4qJ86Pyv1PCMpdF8DTLfJQ18a6C9IPIzV+rQIjRJWtLqNr5EYUi9A
+BL3ZBn6UXp9R9eVKyp0Y4HuzYQdANqyfIK6XpAoPoM81SmAe2ZzpFghUFHVvi8Sr
+Nsb34VBe7kZAnI0KOV752UEROJ1w2OgpBDHqmp4+J69K/zInNaRcmesy/4dCRbah
+5c2AQC9pqONaKV8NOstf5/GNCGB8RWaEBZsJqWfkLVD8kTQN9pfN0piKU0YbsjuO
+qIHczZcJkgh2wcXiNGVErPBvkMhMg5MZSLn9DuitefeVtPF38Er2/l09bflCNVc
+6/95JjcPr4zf2WgDgXWA+uyTTCx+BIaCdZR5Oa3BkToC6nxD/61uGmiSrkNkcNXn
+M6S9qY7zKbxb/Hi8IdUYwA==
+-----END ENCRYPTED PRIVATE KEY-----
--- a/pjlib/src/pj/ssl_sock_ossl.c
+++ b/pjlib/src/pj/ssl_sock_ossl.c
@ -1039,6 +1039,13 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 		}
 		SSL_CTX_free(ctx);
 		return status;
+	    } else {
+		PJ_LOG(4,(ssock->pool->obj_name,
+			  "CA certificates loaded from '%s%s%s'",
+			  cert->CA_file.ptr,
+			  ((cert->CA_file.slen && cert->CA_path.slen)?
+				" + ":""),
+			  cert->CA_path.ptr));
 	    }
 	}
    
@ -1062,6 +1069,10 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 			     cert->cert_file.ptr));
 		SSL_CTX_free(ctx);
 		return status;
+	    } else {
+		PJ_LOG(4,(ssock->pool->obj_name,
+			  "Certificate chain loaded from '%s'",
+			  cert->cert_file.ptr));
 	    }
 	}

@ -1079,6 +1090,10 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 			     cert->privkey_file.ptr));
 		SSL_CTX_free(ctx);
 		return status;
+	    } else {
+		PJ_LOG(4,(ssock->pool->obj_name,
+			  "Private key loaded from '%s'",
+			  cert->privkey_file.ptr));
 	    }

 #if !defined(OPENSSL_NO_DH)
@ -1124,6 +1139,9 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 			BIO_free(cbio);
 			SSL_CTX_free(ctx);
 			return status;
+		    } else {
+			PJ_LOG(4,(ssock->pool->obj_name,
+				  "Certificate chain loaded from buffer"));
 		    }
 		    X509_free(xcert);
 		}
@ -1141,13 +1159,29 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 								  NULL, NULL);

 		if (inf != NULL) {
-		    int i = 0;		    
+		    int i = 0, cnt = 0;
 		    for (; i < sk_X509_INFO_num(inf); i++) {
 			X509_INFO *itmp = sk_X509_INFO_value(inf, i);
-			if (itmp->x509) {
-			    X509_STORE_add_cert(cts, itmp->x509);
+			if (!itmp->x509)
+			    continue;
+
+			rc = X509_STORE_add_cert(cts, itmp->x509);
+			if (rc == 1) {
+			    ++cnt;
+			} else {
+#if PJ_LOG_MAX_LEVEL >= 4
+			    char buf[256];
+			    PJ_LOG(4,(ssock->pool->obj_name,
+				      "Error adding CA cert: %s",
+				      X509_NAME_oneline(
+					X509_get_subject_name(itmp->x509),
+					buf, sizeof(buf))));
+#endif
 			}
 		    }
+		    PJ_LOG(4,(ssock->pool->obj_name,
+			      "CA certificates loaded from buffer (cnt=%d)",
+			      cnt));
 		}
 		sk_X509_INFO_pop_free(inf, X509_INFO_free);
 		BIO_free(cbio);
@ -1161,7 +1195,8 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 	    kbio = BIO_new_mem_buf((void*)cert->privkey_buf.ptr,
 				   cert->privkey_buf.slen);
 	    if (kbio != NULL) {
-		pkey = PEM_read_bio_PrivateKey(kbio, NULL, 0, NULL);
+		pkey = PEM_read_bio_PrivateKey(kbio, NULL, &password_cb,
+					       cert);
 		if (pkey) {
 		    rc = SSL_CTX_use_PrivateKey(ctx, pkey);
 		    if (rc != 1) {
@ -1172,9 +1207,16 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
 			BIO_free(kbio);
 			SSL_CTX_free(ctx);
 			return status;
+		    } else {
+			PJ_LOG(4,(ssock->pool->obj_name,
+				  "Private key loaded from buffer"));
 		    }
 		    EVP_PKEY_free(pkey);
+		} else {
+		    PJ_LOG(1,(ssock->pool->obj_name,
+			      "Error reading private key from buffer"));
 		}
+
 		if (ssock->is_server) {
 		    dh = PEM_read_bio_DHparams(kbio, NULL, NULL, NULL);
 		    if (dh != NULL) {
@ -1319,8 +1361,16 @@ static pj_status_t ssl_create(pj_ssl_sock_t *ssock)
                BIO_free(new_bio);
        }

-        if (ca_dn != NULL)
+	if (ca_dn != NULL) {
 	    SSL_CTX_set_client_CA_list(ctx, ca_dn);
+	    PJ_LOG(4,(ssock->pool->obj_name,
+		      "CA certificates loaded from %s",
+		      (cert->CA_file.slen?cert->CA_file.ptr:"buffer")));
+	} else {
+	    PJ_LOG(1,(ssock->pool->obj_name,
+		      "Error reading CA certificates from %s",
+		      (cert->CA_file.slen?cert->CA_file.ptr:"buffer")));
+	}
    }

    /* Early sensitive data cleanup after OpenSSL context setup. However,
--- a/pjlib/src/pjlib-test/ssl_sock.c
+++ b/pjlib/src/pjlib-test/ssl_sock.c
@ -31,7 +31,7 @@
 #endif
 #define CERT_FILE		    CERT_DIR "cacert.pem"
 #define CERT_PRIVKEY_FILE	    CERT_DIR "privkey.pem"
-#define CERT_PRIVKEY_PASS	    ""
+#define CERT_PRIVKEY_PASS	    "privkeypass"

 #define TEST_LOAD_FROM_FILES 1

--- a/pjnath/src/pjnath-test/server.c
+++ b/pjnath/src/pjnath-test/server.c
@ -27,7 +27,7 @@
 #define CERT_CA_FILE		    CERT_DIR "cacert.pem"
 #define CERT_FILE		    CERT_DIR "cacert.pem"
 #define CERT_PRIVKEY_FILE	    CERT_DIR "privkey.pem"
-#define CERT_PRIVKEY_PASS	    ""
+#define CERT_PRIVKEY_PASS	    "privkeypass"

 #define RETURN_ERROR(rc)	    {app_perror("", rc);return rc;}