Fix for edge case ECC/RSA import with raw attributes to wrap/encrypt with TPM.

dgarske · dgarske · commit 23ccf96b16e2 · 2025-07-31T14:48:39.000-07:00
diff --git a/src/internal.c b/src/internal.c
@@ -6702,52 +6702,60 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data,
 
     key = &object->data.rsaKey;
     ret = wc_InitRsaKey_ex(key, NULL, object->slot->devId);
-    if (ret == 0)
-       ret = SetMPI(&key->d, data[1], (int)len[1]);
-    if (ret == 0)
-       ret = SetMPI(&key->p, data[2], (int)len[2]);
-    if (ret == 0)
-       ret = SetMPI(&key->q, data[3], (int)len[3]);
-    /* If modulus is not provided, calculate it */
     if (ret == 0) {
-        if (data[0] == NULL || len[0] == 0) {
-            ret = mp_mul(&key->p, &key->q, &key->n);
-        } else {
-            ret = SetMPI(&key->n, data[0], (int)len[0]);
+        ret = SetMPI(&key->d, data[1], (int)len[1]);
+        if (ret == 0)
+        ret = SetMPI(&key->p, data[2], (int)len[2]);
+        if (ret == 0)
+        ret = SetMPI(&key->q, data[3], (int)len[3]);
+        /* If modulus is not provided, calculate it */
+        if (ret == 0) {
+            if (data[0] == NULL || len[0] == 0) {
+                ret = mp_mul(&key->p, &key->q, &key->n);
+            } else {
+                ret = SetMPI(&key->n, data[0], (int)len[0]);
+            }
         }
-    }
-    if (ret == 0)
-       ret = SetMPI(&key->dP, data[4], (int)len[4]);
-    if (ret == 0)
-       ret = SetMPI(&key->dQ, data[5], (int)len[5]);
-    if (ret == 0)
-       ret = SetMPI(&key->u, data[6], (int)len[6]);
-    if (ret == 0) {
-        /* Public exponent defaults to 65537 in PKCS11 > 2.11 */
-        if (len[7] > 0)
-            ret = SetMPI(&key->e, data[7], (int)len[7]);
-        else {
-            byte defaultPublic[] = {0x01, 0x00, 0x01};
-            ret = SetMPI(&key->e, defaultPublic, sizeof(defaultPublic));
+        if (ret == 0)
+        ret = SetMPI(&key->dP, data[4], (int)len[4]);
+        if (ret == 0)
+        ret = SetMPI(&key->dQ, data[5], (int)len[5]);
+        if (ret == 0)
+        ret = SetMPI(&key->u, data[6], (int)len[6]);
+        if (ret == 0) {
+            /* Public exponent defaults to 65537 in PKCS11 > 2.11 */
+            if (len[7] > 0)
+                ret = SetMPI(&key->e, data[7], (int)len[7]);
+            else {
+                byte defaultPublic[] = {0x01, 0x00, 0x01};
+                ret = SetMPI(&key->e, defaultPublic, sizeof(defaultPublic));
+            }
         }
-    }
-    if (ret == 0) {
-       if (len[8] == sizeof(CK_ULONG))
-           object->size = (word32)*(CK_ULONG*)data[8];
-       else if (len[8] != 0)
-           ret = BUFFER_E;
-    }
-    if (ret == 0) {
-        if (mp_iszero(&key->d) && mp_iszero(&key->p)) {
-            key->type = RSA_PUBLIC;
+        if (ret == 0) {
+        if (len[8] == sizeof(CK_ULONG))
+            object->size = (word32)*(CK_ULONG*)data[8];
+        else if (len[8] != 0)
+            ret = BUFFER_E;
         }
-        else {
-            key->type = RSA_PRIVATE;
+        if (ret == 0) {
+            if (mp_iszero(&key->d) && mp_iszero(&key->p)) {
+                key->type = RSA_PUBLIC;
+            }
+            else {
+                key->type = RSA_PRIVATE;
+            }
+        }
+
+        if (ret != 0) {
+            wc_FreeRsaKey(key);
         }
     }
 
-    if (ret != 0)
-        wc_FreeRsaKey(key);
+#ifdef WOLFPKCS11_TPM
+    if (ret == 0) {
+        ret = WP11_Object_WrapTpmKey(object);
+    }
+#endif
 
     if (object->onToken)
         WP11_Lock_UnlockRW(object->lock);
@@ -6916,6 +6924,12 @@ int WP11_Object_SetEcKey(WP11_Object* object, unsigned char** data,
             wc_ecc_free(key);
     }
 
+#ifdef WOLFPKCS11_TPM
+    if (ret == 0) {
+        ret = WP11_Object_WrapTpmKey(object);
+    }
+#endif
+
     if (object->onToken)
         WP11_Lock_UnlockRW(object->lock);
 
