authorShane Lontis <shane.lontis@oracle.com>2021-05-05 16:58:37 +1000
committerShane Lontis <shane.lontis@oracle.com>2021-05-10 13:23:50 +1000
commitd29d7a7ff22e8e3be1c8bbdb8edd3ab9c72ed021 (patch)
tree0ccdd13e9d8c5d229523a6317e2ead4568e9a21a /crypto/pem
parent333b31e3000ff009cdc48bf45d9af687031f7688 (diff)
Fix i2d_PKCS8PrivateKey_nid_bio() regression.
This method ignores the nid and could end up saving out the private key unencrypted. In earlier alpha releases OSSL_num_encoders() returned 0 for this test case, which then meant that the legacy path was run, and the key was then correctly encrypted. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15152)
Diffstat (limited to 'crypto/pem')
-rw-r--r--crypto/pem/pem_pk8.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 86a66b586c..5e28907be3 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -93,7 +93,13 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
}
}
- if (OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
+ /*
+ * NOTE: There is no attempt to do a EVP_CIPHER_fetch() using the nid,
+ * since the nid is a PBE algorithm which can't be fetched currently.
+ * (e.g. NID_pbe_WithSHA1And2_Key_TripleDES_CBC). Just use the legacy
+ * path if the NID is passed.
+ */
+ if (nid == -1 && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
ret = 1;
if (enc != NULL) {
ret = 0;