FIPS key check still needed

Author: justsmth

aws-lc-rs/src/ec.rs

@@ -287,6 +287,7 @@ fn verify_ec_key_nid(
 }
 
 #[inline]
+#[cfg(not(feature = "fips"))]
 pub(crate) fn verify_evp_key_nid(
     evp_pkey: &ConstPointer<EVP_PKEY>,
     expected_curve_nid: i32,
@@ -298,20 +299,20 @@ pub(crate) fn verify_evp_key_nid(
 }
 
 #[inline]
-unsafe fn validate_evp_key(
+fn validate_evp_key(
     evp_pkey: &ConstPointer<EVP_PKEY>,
     expected_curve_nid: i32,
 ) -> Result<(), KeyRejected> {
-    let ec_key = ConstPointer::new(EVP_PKEY_get0_EC_KEY(**evp_pkey))?;
+    let ec_key = ConstPointer::new(unsafe { EVP_PKEY_get0_EC_KEY(**evp_pkey) })?;
     verify_ec_key_nid(&ec_key, expected_curve_nid)?;
 
     #[cfg(not(feature = "fips"))]
-    if 1 != EC_KEY_check_key(*ec_key) {
+    if 1 != unsafe { EC_KEY_check_key(*ec_key) } {
         return Err(KeyRejected::inconsistent_components());
     }
 
     #[cfg(feature = "fips")]
-    if 1 != indicator_check!(EC_KEY_check_fips(*ec_key)) {
+    if 1 != indicator_check!(unsafe { EC_KEY_check_fips(*ec_key) }) {
         return Err(KeyRejected::inconsistent_components());
     }
 
@@ -342,6 +343,7 @@ pub(crate) unsafe fn unmarshal_der_to_private_key(
     nid: i32,
 ) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
     let mut out = null_mut();
+    // `d2i_PrivateKey` -> ... -> `EC_KEY_parse_private_key` -> `EC_KEY_check_key`
     let evp_pkey = LcPtr::new(aws_lc::d2i_PrivateKey(
         EVP_PKEY_EC,
         &mut out,
@@ -351,7 +353,10 @@ pub(crate) unsafe fn unmarshal_der_to_private_key(
             .try_into()
             .map_err(|_| KeyRejected::too_large())?,
     ))?;
+    #[cfg(not(feature = "fips"))]
     verify_evp_key_nid(&evp_pkey.as_const(), nid)?;
+    #[cfg(feature = "fips")]
+    validate_evp_key(&evp_pkey.as_const(), nid)?;
 
     Ok(evp_pkey)
 }

aws-lc-rs/src/ec/key_pair.rs

@@ -12,9 +12,12 @@ use aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY_get0_EC_KEY, EVP_PKEY}
 
 use crate::buffer::Buffer;
 use crate::digest::digest_ctx::DigestContext;
-use crate::ec::{
-    evp_key_generate, verify_evp_key_nid, EcdsaSignatureFormat, EcdsaSigningAlgorithm, PublicKey,
-};
+#[cfg(feature = "fips")]
+use crate::ec::validate_evp_key;
+#[cfg(not(feature = "fips"))]
+use crate::ec::verify_evp_key_nid;
+use crate::ec::{evp_key_generate, EcdsaSignatureFormat, EcdsaSigningAlgorithm, PublicKey};
+
 use crate::encoding::{AsBigEndian, AsDer, EcPrivateKeyBin, EcPrivateKeyRfc5915Der};
 use crate::error::{KeyRejected, Unspecified};
 use crate::fips::indicator_check;
@@ -88,9 +91,13 @@ impl EcdsaKeyPair {
         alg: &'static EcdsaSigningAlgorithm,
         pkcs8: &[u8],
     ) -> Result<Self, KeyRejected> {
+        // Includes a call to `EC_KEY_check_key`
         let evp_pkey = LcPtr::try_from(pkcs8)?;
 
+        #[cfg(not(feature = "fips"))]
         verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?;
+        #[cfg(feature = "fips")]
+        validate_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
 
         let key_pair = Self::new(alg, evp_pkey)?;
 

aws-lc-rs/src/evp_pkey.rs

@@ -21,7 +21,7 @@ impl TryFrom<&[u8]> for LcPtr<EVP_PKEY> {
     fn try_from(bytes: &[u8]) -> Result<Self, Self::Error> {
         unsafe {
             let mut cbs = cbs::build_CBS(bytes);
-
+            // `EVP_parse_private_key` -> ... -> `eckey_priv_decode` -> ... -> `EC_KEY_check_key`
             LcPtr::new(EVP_parse_private_key(&mut cbs))
                 .map_err(|()| KeyRejected::invalid_encoding())
         }