authorMatt Caswell <matt@openssl.org>2021-03-09 17:07:48 +0000
committerMatt Caswell <matt@openssl.org>2021-03-15 15:51:26 +0000
commit2cf8bb46fc3e0e2aaead764d333c6e216f028ef3 (patch)
treee769525123b367abfeb520e7ead3c2c9e1a050a6 /providers/implementations/keymgmt/rsa_kmgmt.c
parent2db5834c43dcc2a04ccf4cf98f412d4d3474731e (diff)
Ensure that ECX keys pass EVP_PKEY_param_check()
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously, ECX keys had no parameters and failed EVP_PKEY_param_check(). We should be consistent. It makes more sense to always pass, and therefore this commit implements that behaviour. Fixes #14482 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14485)
Diffstat (limited to 'providers/implementations/keymgmt/rsa_kmgmt.c')
-rw-r--r--providers/implementations/keymgmt/rsa_kmgmt.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 095c713aac..425b6c80f2 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -367,7 +367,18 @@ static int rsa_validate(const void *keydata, int selection, int checktype)
if (!ossl_prov_is_running())
return 0;
- if ((selection & RSA_POSSIBLE_SELECTIONS) != 0)
+ /*
+ * Although an RSA key has no domain parameters, validating them should
+ * return true.
+ *
+ * RSA_POSSIBLE_SELECTIONS already includes
+ * OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS. We explicitly add
+ * OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS here as well for completeness. In
+ * practice this makes little difference since EVP_PKEY_param_check() always
+ * checks the combination of "other" and "domain" parameters anyway.
+ */
+ if ((selection & (RSA_POSSIBLE_SELECTIONS
+ | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) != 0)
ok = 1;
/* If the whole key is selected, we do a pairwise validation */
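Review bot: The new comment above the widened mask in rsa_validate explains why the domain-parameter bit is accepted, but not what a true result tells the caller. When only OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS or the "other parameters" bit is selected, `ok = 1` is reached without any property of the key having been examined, as far as this hunk shows. I would add a sentence to the comment such as `A successful parameter check on an RSA key means there was nothing to check; no key material has been validated.` That way nobody treats EVP_PKEY_param_check() as a validity gate for an untrusted RSA key in place of EVP_PKEY_public_check() or EVP_PKEY_pairwise_check(). The body of rsa_validate starts and ends outside the hunk, so the key checks that follow the pairwise comment are not visible here.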