pkey: AWS-LC disallows parsing of invalid keys and params

samuel40791765 · samuel40791765 · commit febe50be1bb7 · 2025-02-19T22:54:47.000Z
OpenSSL allows invalid EC keys or DH params to be parsed. The consuming
application can then run parameter/key checks to check the validity of
the parameters. We happen to run tests to verify that this behaves as
expected.
AWS-LC on the other hand, directly raises an error and disallows the
invalid state to be parsed, rather than making it parsable and checking
the validity later. Relevant tests have been adjusted accordingly to
reflect this.
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
@@ -123,11 +123,22 @@ def test_params_ok?
     ]))
     assert_equal(true, dh1.params_ok?)
 
-    dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
-      OpenSSL::ASN1::Integer(dh0.p + 1),
-      OpenSSL::ASN1::Integer(dh0.g)
-    ]))
-    assert_equal(false, dh2.params_ok?)
+    # AWS-LC automatically does parameter checks on the parsed params.
+    if aws_lc?
+      assert_raise(OpenSSL::PKey::DHError) {
+        OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(dh0.p + 1),
+          OpenSSL::ASN1::Integer(dh0.g)
+        ]))
+      }
+    else
+      dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(dh0.p + 1),
+        OpenSSL::ASN1::Integer(dh0.g)
+      ]))
+      assert_equal(false, dh2.params_ok?)
+    end
+
   end
 
   def test_params
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
@@ -89,14 +89,19 @@ def test_check_key
 
     # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0
     # The public key does not match the private key
-    key4 = OpenSSL::PKey.read(<<~EOF)
+    ec_key_data = <<~EOF
     -----BEGIN EC PRIVATE KEY-----
     MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
     AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
     jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
     -----END EC PRIVATE KEY-----
     EOF
-    assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
+    if aws_lc? # AWS-LC automatically does key checks on the parsed key.
+      assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.read(ec_key_data) }
+    else
+      key4 = OpenSSL::PKey.read(ec_key_data)
+      assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
+    end
 
     # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
     if !openssl?(3, 0, 0)
