Fix loading pkcs#8 encrypted DER-encoded keys in openssl

When we load DER-encoded keys in the openssl-backend we always turn it
into PEM-encoded keys (essentially we prepend and append a header and
footer and use 'toBase64' on the DER data).

The problem comes from the header and footer which is simply chosen
based on which key algorithm was chosen by the user. Which would be
wrong when the key is a PKCS#8 key. This caused OpenSSL to fail when
trying to read it. Surprisingly it still loads correctly for unencrypted
keys with the wrong header, but not for encrypted keys.

This patch adds a small function which checks if a key is an encrypted
PKCS#8 key and then uses this function to figure out if a PKCS#8 header
and footer should be used (note that I only do this for encrypted PKCS#8
keys since, as previously mentioned, unencrypted keys are read correctly
by openssl).

The passphrase is now also passed to the QSslKeyPrivate::decodeDer
function so DER-encoded files can actually be decrypted.

[ChangeLog][QtNetwork][QSslKey] The openssl backend can now load
encrypted PKCS#8 DER-encoded keys.

Task-number: QTBUG-17718
Change-Id: I52eedf19bde297c9aa7fb050e835b3fc0db724e2
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>

5 files changed, 113 insertions, 20 deletions

diff --git a/src/network/ssl/qasn1element_p.h b/src/network/ssl/qasn1element_p.h
index 2c5019b4f7..c706c1f321 100644
--- a/src/network/ssl/qasn1element_p.h
+++ b/src/network/ssl/qasn1element_p.h
@@ -58,10 +58,33 @@
 
 QT_BEGIN_NAMESPACE
 
-#define RSA_ENCRYPTION_OID QByteArrayLiteral("1.2.840.113549.1.1.1")
+// General
+#define RSADSI_OID "1.2.840.113549."
+
+#define RSA_ENCRYPTION_OID QByteArrayLiteral(RSADSI_OID "1.1.1")
 #define DSA_ENCRYPTION_OID QByteArrayLiteral("1.2.840.10040.4.1")
 #define EC_ENCRYPTION_OID QByteArrayLiteral("1.2.840.10045.2.1")
 
+// These are mostly from the RFC for PKCS#5
+// PKCS#5: https://tools.ietf.org/html/rfc8018#appendix-B
+#define PKCS5_OID RSADSI_OID "1.5."
+// PKCS#12: https://tools.ietf.org/html/rfc7292#appendix-D)
+#define PKCS12_OID RSADSI_OID "1.12."
+
+// -PBES1
+#define PKCS5_MD2_DES_CBC_OID QByteArrayLiteral(PKCS5_OID "1")
+#define PKCS5_MD2_RC2_CBC_OID QByteArrayLiteral(PKCS5_OID "4")
+#define PKCS5_MD5_DES_CBC_OID QByteArrayLiteral(PKCS5_OID "3")
+#define PKCS5_MD5_RC2_CBC_OID QByteArrayLiteral(PKCS5_OID "6")
+#define PKCS5_SHA1_DES_CBC_OID QByteArrayLiteral(PKCS5_OID "10")
+#define PKCS5_SHA1_RC2_CBC_OID QByteArrayLiteral(PKCS5_OID "11")
+
+// -PBKDF2
+#define PKCS5_PBKDF2_ENCRYPTION_OID QByteArrayLiteral(PKCS5_OID "12")
+
+// -PBES2
+#define PKCS5_PBES2_ENCRYPTION_OID QByteArrayLiteral(PKCS5_OID "13")
+
 class Q_AUTOTEST_EXPORT QAsn1Element
 {
 public:
diff --git a/src/network/ssl/qsslkey_openssl.cpp b/src/network/ssl/qsslkey_openssl.cpp
index aa81b735b9..7c77f5a910 100644
--- a/src/network/ssl/qsslkey_openssl.cpp
+++ b/src/network/ssl/qsslkey_openssl.cpp
@@ -125,10 +125,10 @@ bool QSslKeyPrivate::fromEVP_PKEY(EVP_PKEY *pkey)
     return false;
 }
 
-void QSslKeyPrivate::decodeDer(const QByteArray &der, bool deepClear)
+void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase, bool deepClear)
 {
     QMap<QByteArray, QByteArray> headers;
-    decodePem(pemFromDer(der, headers), QByteArray(), deepClear);
+    decodePem(pemFromDer(der, headers), passPhrase, deepClear);
 }
 
 void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhrase,
diff --git a/src/network/ssl/qsslkey_p.cpp b/src/network/ssl/qsslkey_p.cpp
index e66ec953a0..2957633348 100644
--- a/src/network/ssl/qsslkey_p.cpp
+++ b/src/network/ssl/qsslkey_p.cpp
@@ -61,6 +61,7 @@
 #endif
 #include "qsslsocket.h"
 #include "qsslsocket_p.h"
+#include "qasn1element_p.h"
 
 #include <QtCore/qatomic.h>
 #include <QtCore/qbytearray.h>
@@ -120,6 +121,13 @@ QByteArray QSslKeyPrivate::pemHeader() const
     return QByteArray();
 }
 
+static QByteArray pkcs8Header(bool encrypted)
+{
+    return encrypted
+        ? QByteArrayLiteral("-----BEGIN ENCRYPTED PRIVATE KEY-----")
+        : QByteArrayLiteral("-----BEGIN PRIVATE KEY-----");
+}
+
 /*!
     \internal
 */
@@ -138,6 +146,13 @@ QByteArray QSslKeyPrivate::pemFooter() const
     return QByteArray();
 }
 
+static QByteArray pkcs8Footer(bool encrypted)
+{
+    return encrypted
+        ? QByteArrayLiteral("-----END ENCRYPTED PRIVATE KEY-----")
+        : QByteArrayLiteral("-----END PRIVATE KEY-----");
+}
+
 /*!
     \internal
 
@@ -166,8 +181,14 @@ QByteArray QSslKeyPrivate::pemFromDer(const QByteArray &der, const QMap<QByteArr
         } while (it != headers.constBegin());
         extra += '\n';
     }
-    pem.prepend(pemHeader() + '\n' + extra);
-    pem.append(pemFooter() + '\n');
+
+    if (isEncryptedPkcs8(der)) {
+        pem.prepend(pkcs8Header(true) + '\n' + extra);
+        pem.append(pkcs8Footer(true) + '\n');
+    } else {
+        pem.prepend(pemHeader() + '\n' + extra);
+        pem.append(pemFooter() + '\n');
+    }
 
     return pem;
 }
@@ -179,13 +200,27 @@ QByteArray QSslKeyPrivate::pemFromDer(const QByteArray &der, const QMap<QByteArr
 */
 QByteArray QSslKeyPrivate::derFromPem(const QByteArray &pem, QMap<QByteArray, QByteArray> *headers) const
 {
-    const QByteArray header = pemHeader();
-    const QByteArray footer = pemFooter();
+    QByteArray header = pemHeader();
+    QByteArray footer = pemFooter();
 
     QByteArray der(pem);
 
-    const int headerIndex = der.indexOf(header);
-    const int footerIndex = der.indexOf(footer);
+    int headerIndex = der.indexOf(header);
+    int footerIndex = der.indexOf(footer, headerIndex + header.length());
+    if (type != QSsl::PublicKey) {
+        if (headerIndex == -1 || footerIndex == -1) {
+            header = pkcs8Header(true);
+            footer = pkcs8Footer(true);
+            headerIndex = der.indexOf(header);
+            footerIndex = der.indexOf(footer, headerIndex + header.length());
+        }
+        if (headerIndex == -1 || footerIndex == -1) {
+            header = pkcs8Header(false);
+            footer = pkcs8Footer(false);
+            headerIndex = der.indexOf(header);
+            footerIndex = der.indexOf(footer, headerIndex + header.length());
+        }
+    }
     if (headerIndex == -1 || footerIndex == -1)
         return QByteArray();
 
@@ -225,13 +260,47 @@ QByteArray QSslKeyPrivate::derFromPem(const QByteArray &pem, QMap<QByteArray, QB
     return QByteArray::fromBase64(der); // ignores newlines
 }
 
+bool QSslKeyPrivate::isEncryptedPkcs8(const QByteArray &der) const
+{
+    static const QVector<QByteArray> pbes1OIds {
+        // PKCS5
+        {PKCS5_MD2_DES_CBC_OID},
+        {PKCS5_MD2_RC2_CBC_OID},
+        {PKCS5_MD5_DES_CBC_OID},
+        {PKCS5_MD5_RC2_CBC_OID},
+        {PKCS5_SHA1_DES_CBC_OID},
+        {PKCS5_SHA1_RC2_CBC_OID},
+    };
+    QAsn1Element elem;
+    if (!elem.read(der) || elem.type() != QAsn1Element::SequenceType)
+        return false;
+
+    const QVector<QAsn1Element> items = elem.toVector();
+    if (items.size() != 2
+        || items[0].type() != QAsn1Element::SequenceType
+        || items[1].type() != QAsn1Element::OctetStringType) {
+        return false;
+    }
+
+    const QVector<QAsn1Element> encryptionSchemeContainer = items[0].toVector();
+    if (encryptionSchemeContainer.size() != 2
+        || encryptionSchemeContainer[0].type() != QAsn1Element::ObjectIdentifierType
+        || encryptionSchemeContainer[1].type() != QAsn1Element::SequenceType) {
+        return false;
+    }
+
+    const QByteArray encryptionScheme = encryptionSchemeContainer[0].toObjectId();
+    return encryptionScheme == PKCS5_PBES2_ENCRYPTION_OID
+            || pbes1OIds.contains(encryptionScheme)
+            || encryptionScheme.startsWith(PKCS12_OID);
+}
+
 /*!
     Constructs a QSslKey by decoding the string in the byte array
     \a encoded using a specified \a algorithm and \a encoding format.
     \a type specifies whether the key is public or private.
 
-    If the key is encoded as PEM and encrypted, \a passPhrase is used
-    to decrypt it.
+    If the key is encrypted then \a passPhrase is used to decrypt it.
 
     After construction, use isNull() to check if \a encoded contained
     a valid key.
@@ -243,7 +312,7 @@ QSslKey::QSslKey(const QByteArray &encoded, QSsl::KeyAlgorithm algorithm,
     d->type = type;
     d->algorithm = algorithm;
     if (encoding == QSsl::Der)
-        d->decodeDer(encoded);
+        d->decodeDer(encoded, passPhrase);
     else
         d->decodePem(encoded, passPhrase);
 }
@@ -253,8 +322,7 @@ QSslKey::QSslKey(const QByteArray &encoded, QSsl::KeyAlgorithm algorithm,
     \a device using a specified \a algorithm and \a encoding format.
     \a type specifies whether the key is public or private.
 
-    If the key is encoded as PEM and encrypted, \a passPhrase is used
-    to decrypt it.
+    If the key is encrypted then \a passPhrase is used to decrypt it.
 
     After construction, use isNull() to check if \a device provided
     a valid key.
@@ -269,7 +337,7 @@ QSslKey::QSslKey(QIODevice *device, QSsl::KeyAlgorithm algorithm, QSsl::Encoding
     d->type = type;
     d->algorithm = algorithm;
     if (encoding == QSsl::Der)
-        d->decodeDer(encoded);
+        d->decodeDer(encoded, passPhrase);
     else
         d->decodePem(encoded, passPhrase);
 }
diff --git a/src/network/ssl/qsslkey_p.h b/src/network/ssl/qsslkey_p.h
index c93941c198..d6c5af9d47 100644
--- a/src/network/ssl/qsslkey_p.h
+++ b/src/network/ssl/qsslkey_p.h
@@ -81,9 +81,8 @@ public:
 #ifndef QT_NO_OPENSSL
     bool fromEVP_PKEY(EVP_PKEY *pkey);
 #endif
-    void decodeDer(const QByteArray &der, bool deepClear = true);
-    void decodePem(const QByteArray &pem, const QByteArray &passPhrase,
-                   bool deepClear = true);
+    void decodeDer(const QByteArray &der, const QByteArray &passPhrase = {}, bool deepClear = true);
+    void decodePem(const QByteArray &pem, const QByteArray &passPhrase, bool deepClear = true);
     QByteArray pemHeader() const;
     QByteArray pemFooter() const;
     QByteArray pemFromDer(const QByteArray &der, const QMap<QByteArray, QByteArray> &headers) const;
@@ -93,6 +92,8 @@ public:
     QByteArray toPem(const QByteArray &passPhrase) const;
     Qt::HANDLE handle() const;
 
+    bool isEncryptedPkcs8(const QByteArray &der) const;
+
     bool isNull;
     QSsl::KeyType type;
     QSsl::KeyAlgorithm algorithm;
diff --git a/src/network/ssl/qsslkey_qt.cpp b/src/network/ssl/qsslkey_qt.cpp
index a85fed21ed..0e7702bbeb 100644
--- a/src/network/ssl/qsslkey_qt.cpp
+++ b/src/network/ssl/qsslkey_qt.cpp
@@ -154,8 +154,9 @@ void QSslKeyPrivate::clear(bool deep)
     keyLength = -1;
 }
 
-void QSslKeyPrivate::decodeDer(const QByteArray &der, bool deepClear)
+void QSslKeyPrivate::decodeDer(const QByteArray &der, const QByteArray &passPhrase, bool deepClear)
 {
+    Q_UNUSED(passPhrase);
     clear(deepClear);
 
     if (der.isEmpty())
@@ -272,7 +273,7 @@ void QSslKeyPrivate::decodePem(const QByteArray &pem, const QByteArray &passPhra
         const QByteArray key = deriveKey(cipher, passPhrase, iv);
         data = decrypt(cipher, data, key, iv);
     }
-    decodeDer(data, deepClear);
+    decodeDer(data, passPhrase, deepClear);
 }
 
 int QSslKeyPrivate::length() const