changed comments and reworked behavior for both functions

aws · Apr 25, 2024 · eaef8f4 · eaef8f4
1 parent f270e56
commit eaef8f4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 30 deletions.
diff --git a/crypto/evp_extra/evp_asn1.c b/crypto/evp_extra/evp_asn1.c
@@ -289,10 +289,6 @@ int EVP_PKEY_check(EVP_PKEY_CTX *ctx) {
 
   switch(pkey->type) {
     case EVP_PKEY_EC:
-      if (EC_KEY_get0_private_key(pkey->pkey.ec) == NULL) {
-        OPENSSL_PUT_ERROR(EVP, EC_R_MISSING_PRIVATE_KEY);
-        return 0;
-      }
       return EC_KEY_check_key(pkey->pkey.ec);
     case EVP_PKEY_RSA:
       return RSA_check_key(pkey->pkey.rsa);
@@ -303,27 +299,7 @@ int EVP_PKEY_check(EVP_PKEY_CTX *ctx) {
 }
 
 int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx) {
-  if(ctx == NULL) {
-    OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER);
-    return 0;
-  }
-
-  EVP_PKEY *pkey = ctx->pkey;
-
-  if (pkey == NULL) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);
-    return 0;
-  }
-
-  switch(pkey->type) {
-    case EVP_PKEY_EC:
-      return EC_KEY_check_key(pkey->pkey.ec);
-    case EVP_PKEY_RSA:
-      return RSA_check_key(pkey->pkey.rsa);
-    default:
-      OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
-      return 0;
-  }
+  return EVP_PKEY_check(ctx);
 }
 
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp,

diff --git a/include/openssl/evp.h b/include/openssl/evp.h
@@ -697,13 +697,16 @@ OPENSSL_EXPORT int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
 OPENSSL_EXPORT int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
                                    size_t *out_key_len);
 
-// EVP_PKEY_check validates the key-pair given by |ctx|. If the key type is supported,
-// the corresponding validation function is called. Otherwise, returns 0 for error.
+// EVP_PKEY_check supports EC and RSA keys and wraps the corresponding key check functions.
+// In OpenSSL, this function is meant to validate the key-pair, however, our key checking
+// logic is less restrictive in that it allows keys with only a public component. To avoid introducing
+// inconsistencies in key checking behavior, this function is implemented differently than in OpenSSL.
+// |EVP_PKEY_check| validates the public component of the key and private component if available.
+// Returns one on success and 0 on error.
 int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
 
-// EVP_PKEY_public_check validates the public component of the key-pair given by
-// |ctx|. If the key type is supported, the corresponding validation function is called.
-// Otherwise, returns 0 for error.
+// EVP_PKEY_public_check wraps |EVP_PKEY_check|. Validates the public component of the key and private component if
+// provided. Returns one on success and 0 on error.
 int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx);
 
 // EVP_PKEY_keygen_init initialises an |EVP_PKEY_CTX| for a key generation