Teach EVP_PKEYs to say whether they were decoded from explicit params

Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
the EC_KEY directly whether it was decoded from explicit parameters or not.
Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15526)

2 files changed, 45 insertions, 5 deletions

diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index 216305b952..7e550f81a1 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1680,6 +1680,40 @@ static int get_dh_dsa_payload_g(enum state state,
     return get_payload_bn(state, translation, ctx, bn);
 }
 
+static int get_payload_int(enum state state,
+                           const struct translation_st *translation,
+                           struct translation_ctx_st *ctx,
+                           const int val)
+{
+    if (ctx->params->data_type != OSSL_PARAM_INTEGER)
+        return 0;
+    ctx->p1 = val;
+    ctx->p2 = NULL;
+
+    return default_fixup_args(state, translation, ctx);
+}
+
+static int get_ec_decoded_from_explicit_params(enum state state,
+                                               const struct translation_st *translation,
+                                               struct translation_ctx_st *ctx)
+{
+    int val = 0;
+    EVP_PKEY *pkey = ctx->p2;
+
+    switch (EVP_PKEY_base_id(pkey)) {
+#ifndef OPENSSL_NO_EC
+    case EVP_PKEY_EC:
+        val = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
+        break;
+#endif
+    default:
+        ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE);
+        return 0;
+    }
+
+    return get_payload_int(state, translation, ctx, val);
+}
+
 static int get_rsa_payload_n(enum state state,
                              const struct translation_st *translation,
                              struct translation_ctx_st *ctx)
@@ -2320,6 +2354,11 @@ static const struct translation_st evp_pkey_translations[] = {
     { GET, -1, -1, -1, 0, NULL, NULL,
       OSSL_PKEY_PARAM_RSA_COEFFICIENT9, OSSL_PARAM_UNSIGNED_INTEGER,
       get_rsa_payload_c9 },
+
+    /* EC */
+    { GET, -1, -1, -1, 0, NULL, NULL,
+      OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, OSSL_PARAM_INTEGER,
+      get_ec_decoded_from_explicit_params },
 };
 
 static const struct translation_st *
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ddb3378eee..edf3c51095 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -23,6 +23,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
+#include <openssl/core_names.h>
 #include "internal/dane.h"
 #include "crypto/x509.h"
 #include "x509_local.h"
@@ -3399,7 +3400,6 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
  */
 static int check_curve(X509 *cert)
 {
-#ifndef OPENSSL_NO_EC
     EVP_PKEY *pkey = X509_get0_pubkey(cert);
 
     /* Unsupported or malformed key */
@@ -3407,12 +3407,13 @@ static int check_curve(X509 *cert)
         return -1;
 
     if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-        int ret;
+        int ret, val;
 
-        ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
-        return ret < 0 ? ret : !ret;
+        ret = EVP_PKEY_get_int_param(pkey,
+                                     OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
+                                     &val);
+        return ret < 0 ? ret : !val;
     }
-#endif
 
     return 1;
 }